I setup eck and login by default "elastic" account successfully.But I or logstash can't login by new account created in kibana.
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [gmt-log-logstash] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }"}
This is a known issue in the current beta1 release, unfortunately. The native realm is disabled by the operator. You can reenable it with this cluster definition (this example is based on the cluster we use in the quickstart guide, you have to adapt it to your needs)
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
name: quickstart
spec:
version: 7.4.0
nodeSets:
- name: default
count: 1
config:
node.master: true
node.data: true
node.ingest: true
node.store.allow_mmap: false
xpack.security.authc.realms:
native:
native1:
order: 1
The important part is:
xpack.security.authc.realms:
native:
native1:
order: 1
which enables the native realm and should fix your issue.
We are tracking this bug in this Github issue:
This will be fixed in the next release.
thank you,it's solved
I did the workaround. Now I'm able to log in, but I get "Error in visualization [esaggs] > Internal Server Error" when trying to access Kibana dashboards.
Elastic version 7.4.2
Still having the issue on my side, even with proposed fix. I'm running both elastic search and kibana behind a reverse proxy (nginx-ingress), so I disabled self signed certificates with:
http:
tls:
selfSignedCertificate:
disabled: true
Any idea why the users I create in Kibana can't login?
Here are the yaml files I use for both elastic search and kibana:
apiVersion: elasticsearch.k8s.elastic.co/v1beta1
kind: Elasticsearch
metadata:
name: elastic
spec:
version: 7.4.2
config:
node.master: true
node.data: true
node.ingest: true
home.path: '/elastic'
xpack.security:
authc:
realms:
native:
native1:
order: 1
http:
tls:
selfSignedCertificate:
disabled: true
nodeSets:
- name: default
count: 1
podTemplate:
spec:
initContainers:
- name: sysctl
securityContext:
privileged: true
command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
containers:
- name: elasticsearch
env:
- name: ES_JAVA_OPTS
value: -Xms6g -Xmx6g
resources:
requests:
memory: 12Gi
cpu: 2
limits:
memory: 12Gi
cpu: 4
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
elasticsearch.k8s.elastic.co/cluster-name: default
topologyKey: kubernetes.io/hostname
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- es-1
- es-2
- es-3
volumeClaimTemplates:
- metadata:
name: elasticsearch-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Gi
storageClassName: cinder-high-speed
apiVersion: kibana.k8s.elastic.co/v1beta1
kind: Kibana
metadata:
name: elastic
spec:
version: 7.4.2
count: 1
config:
server:
basePath: "/kibana"
elasticsearch:
hosts:
- "http://elastic-es-http.default.svc:9200/elastic"
elasticsearchRef:
name: elastic
http:
tls:
selfSignedCertificate:
disabled: true
podTemplate:
spec:
containers:
- name: kibana
resources:
requests:
memory: 128Mi
cpu: 0.2
limits:
memory: 2Gi
cpu: 2
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution: #deploy on node that is an elastic node
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- es-1
- es-2
- es-3@Benoit_V the config section belongs to a nodeSet, not to the top-level Elasticsearch spec.
You should move it as a sibling to eg. podTemplate in the nodeSets array.
Thank you so much! It works perfectly now.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.