Unable to create short URL. Error: Internal Server Error

Hello World!

Kibana' user is reporting following issue:

frontend:

Unable to create short URL. Error: Internal Server Error

backend:

kibana-custom | {"type":"error","@timestamp":"2019-01-27T21:51:25Z","tags":[],"pid":1,"level":"error","error":{"message":"Unable to create url, missing action:saved_objects/url/create","name":"Error","stack":"Error: Unable to create url, missing action:saved_objects/url/create\n at SecureSavedObjectsClientWrapper._ensureAuthorized (/usr/share/kibana/node_modules/x-pack/plugins/security/server/lib/saved_objects_client/secure_saved_objects_client_wrapper.js:136:48)\n at <anonymous>"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"","query":{},"pathname":"/api/shorten_url","path":"/api/shorten_url","href":"/api/shorten_url"},"message":"Unable to create url, missing action:saved_objects/url/create"}

Per Sharing a Dashboard | Kibana User Guide [6.5] | Elastic:

To create a short URL, you must have write access to Kibana.

what exactly is write access? user has kibana_user role assigned, is that not enough?

Please advise.

@alexus,

The kibana_user role should be sufficient. Can you verify they actually have that role assigned?

Which version of Kibana & Elasticsearch are you using? Can you post your kibana.yml configuration, omitting any usernames/passwords/secrets?

if kibana_user role wouldn't be assigned, user wouldn't be able to access Discover either (which is not the case)

Elastic stack runs latest 6.5.4, in regards to configuration: I used Running Kibana on Docker | Kibana User Guide [6.5] | Elastic with few minor adjustments (ssl certificate, etc.).

if kibana_user role wouldn't be assigned, user wouldn't be able to access Discover either (which is not the case)

That's not necessarily true. You can create custom roles to access Kibana, or use the built-in kibana_dashboard_only_mode role to grant read-only access as well (even if you don't use the Dashboard Only Mode feature).

Is this user able to create any saved searches, dashboards, or index patterns within Kibana? Or is it just short urls that are failing?

correct, user is able to do everything as defined within shipped kibana_user role, except for creating short URL.

Can you execute the following in DevTools, and post the result? Replace <username> with the username of the account. Omit personal information such as full_name and email:

GET /_xpack/security/user/<username>

For example, GET /_xpack/security/user/larry for my own setup returns the following:

{
  "larry" : {
    "username" : "larry",
    "roles" : [
      "superuser"
    ],
    "full_name" : "......",
    "email" : "......",
    "metadata" : { },
    "enabled" : true
  }
}

Per your request:

{
  "userX" : {
    "username" : "userX",
    "roles" : [
      "roleX",
      "roleY",
      "roleZ"
    ],
    "full_name" : "x x",
    "email" : "x@x.x",
    "metadata" : { },
    "enabled" : true
  }
}

after reviewing user's role it is worth to mention: due to userX using own space, userX doesn't have kibana_user role assigned, as userX limited to one specific space only and assigning kibana_user role to userX allows userX to see other spaces, rest of roles are related to access to custom indices.

and lastly, userY (which has same roles assigned as userX) doesn't have an issues with creating short URL (within very same space as userX does).

I've tried restarting Kibana, but still no luck( userX still has issue while userY doesnt.

Redacting everything isn't all that helpful, but it's good to know you're in fact not using the kibana_user role.

Can you please post the actual role definitions for "roleX", "roleY", and "roleZ"?
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-role.html

I suspect that the roles are granting "read" access to a particular space, rather than "all" access to a particular space.

I apologize for that, just trying to be as accurate as possible)

After further investigation, your suspicion is right on the money as userX has read Privilege, while userY has all Privilege.

Maybe Kibana could use some improvements in displaying errors, say in more useful way?) Regardless, thank you very much for your help! I appreciate it!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.