Security_exception: unable to authenticate user [me] for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]

Hello! I really need some help, been struggling with this.
I am trying to set up Kibana and Elasticsearch using docker-compose, and I have already generated a service account user (left it as my name clara), but the kibana service fails to set up. I read that the service account user is not the same as the user using the kibana UI and I tried setting up another user with the kibana_user roles but it has failed.

Could someone please help!

Here is my whole docker-compose file. I am using 8.13 as the stack version.
Is it correct to say that Elasticsearch password and Elasticsearch username comes from the service account?

Thank you so much!

version: "3.8"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION}
    container_name: elasticsearch
    volumes:
      - elasticsearch_data:/usr/share/elasticsearch/data
    expose:
      - 9200
    ports:
      - "9200:9200"
    environment:
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
      - discovery.type=single-node
      - node.store.allow_mmap=false
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}

  kibana:
    image: docker.elastic.co/kibana/kibana:${STACK_VERSION}
    container_name: kibana
    volumes:
      - kibana_data:/usr/share/kibana/data
    ports:
      - "5601:5601"
    environment:
      - discovery.type=single-node
      - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
      - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}

volumes:
  elasticsearch_data:
  kibana_data:

Welcome!

You might be missing the certificates for example. But we could know more if you share the logs.

There is a 8.13 docker-compose.yml example here: elasticsearch/docs/reference/setup/install/docker/docker-compose.yml at 8.13 · elastic/elasticsearch · GitHub

And the .env file: elasticsearch/docs/reference/setup/install/docker/.env at 8.13 · elastic/elasticsearch · GitHub

Hello! Thank you for your help!
I am trying to set this up without TLS certs as I do not need that additional security.

This is the error that I keep getting:

2024-04-30 01:09:22 kibana         | [2024-04-29T17:09:22.007+00:00][INFO ][plugins.assetManager] Server is NOT enabled
2024-04-30 01:09:22 kibana         | [2024-04-29T17:09:22.827+00:00][ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception
2024-04-30 01:09:22 kibana         |    Root causes:
2024-04-30 01:09:22 kibana         |            security_exception: unable to authenticate user [clara] for REST request [/_nodes?filter_path=nodes.*.version%2Cnodes.*.http.publish_address%2Cnodes.*.ip]
2024-04-30 01:09:25 kibana         | [2024-04-29T17:09:25.246+00:00][INFO ][plugins.screenshotting.chromium] Browser executable: /usr/share/kibana/node_modules/@kbn/screenshotting-

clara is the name of the service account i created for Elasticsearch to connect with kibana. But I cannot access the UI on localhost:5601

How did you create this account? What are the privileges/roles you gave to it?

Do you mean my service account? I spun up the elastic container, and then went into the elastic container and executed this command:

curl -X POST -u elastic:my_password "http://localhost:9200/_security/service/elastic/kibana/credential/token/clara?pretty"

And this was the output printed in the console for me:

{
  "created" : true,
  "token" : {
    "name" : "clara",
    "value" : "XXXX"
  }
}

I then used replace this password in my docker-compose env file ELASTICSEARCH_PASSWORD. Then i restarted the kibana container.

What did I do wrong?

There's been some mixup in terminology here.

What you created was a service token for the builtin elastic/kibana service account.

That means:

  • you didn't actually create a new user or service account (nor should you have, what you did was correct)
  • you didn't create a "password" - a service token fills the same role as a password, but it is not the same as a password.

Consequently this:

      - ELASTICSEARCH_USERNAME=${ELASTICSEARCH_USERNAME}
      - ELASTICSEARCH_PASSWORD=${ELASTICSEARCH_PASSWORD}

is not going to be correct because clara is not a username and the token is not a password.

What you want instead is (I think - you might need to ask in the Kibana forum if this doesn't work)

      - ELASTICSEARCH_SERVICEACCOUNTTOKEN=${ENV_WITH_THE_TOKEN_VALUE}
1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.