Unable to log into embedded Kibana anonymously

I tried to embed Kibana into a webpage but was unable to login as they kept bringing me back to the login page.
So I decided to take a different approach and allow user to log in anonymously.
I create an API-Key and link a newly created role to the api-key. However, when I try to login anonymously, I received this error

image783×444 12.6 KB

POST /_security/api_key
{
  "name": "anonymous",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["anonymous-role"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
       "level": 1,
       "trusted": true,
       "tags": ["dev", "staging"]
    }
  }
}

This is the privileges I gave to my newly created role

image1601×646 40.7 KB

image1628×594 30.1 KB

xpack.security.authc.providers:
    basic.basic1:
        order: 0
    anonymous.anonymous1:
        order: 1
        credentials:
            apiKey.id: "ve_guH0BuaYiJNe0VH1r"
            apiKey.key: "cyivUsIkQBKybk2v6XiOYQ"

I'm sorry if this is an easy fix. I am still new and learning Kibana. Any advice is greatly appreciated! Thank you for your time!

Docs recommend to change sameSiteCookies policy and use auth_provider_hint for this approach

Have you tried this?

Hello @dosant sorry I forgot to add that I did use auth_provider_hint in my iFrame code.

<iframe src="http://localhost:5601/app/dashboards?auth_provider_hint=anonymous1#/view/e1eb4b30-3ba1-11ec-818d-cba5e7ef064e?embed=true&_g=(...)" height="600" width="800"></iframe>

and when I tried to use sameSiteCookies by adding xpack.security.sameSiteCookies: "None" in my kibana.yml, I received this error instead

image710×43 1.43 KB

1. [error][server][Kibana][http] Error: "SameSite: None" requires Secure connection at validateOptions
2. [warning][process] PromiseRejectionHandledWarning: Promise rejection was handled asynchronously (rejection id: 2)
3. Error: Internal Server Error at HapiResponseAdapter.toInternalError

I Have the same error ,did you solve it?

Hello @yanwencheng , I went with a different approach. Instead of giving an API key the privilege role (in my case the role is called anonymous-role), I gave the anonymous-role to a newly created user and used the following code instead;

xpack.security.authc.providers:
    basic.basic1:
        order: 0
    anonymous.anonymous1:
        order: 1
        credentials:
            username: "[insert username here]"
            password: "[insert password here]"

You can refer to my post here regarding it here

You mean that you only need to configure kibana.yml, I see the official documentation needs to add Elasticsearch.yml

xpack.security.authc:
anonymous:
username: anonymous1
roles: anonymousRole
authz_exception: true

I got a new error again

Error: [security_exception: [security_exception] Reason: unable to authenticate user [anonymousUser1] for REST request [/_security/_authenticate]]: unable to authenticate user [anonymousUser1] for REST request [/_security/_authenticate]
    at login_form_LoginForm.loginWithSelector (http://192.168.30.243:5601/44266/bundles/plugin/security/8.0.0/security.chunk.5.js:8:22037)
    at async login_form_LoginForm.componentDidMount (http://192.168.30.243:5601/44266/bundles/plugin/security/8.0.0/security.chunk.5.js:8:23159)

that's what I did last time but I got the same error. So I add the roles to a newly created user and am able to log in anonymously using my iFrame code.

I set a user password of 888888 on kibana page, and in kibana YML is configured as

xpack.security.authc.providers:
    basic.basic1:
        order: 0
    anonymous.anonymous1:
        order: 1
        credentials:
            username: "ceshiyonghu"
            password: "888888"

Kibana Do you need to configure other YML? I still have this error

Thank you very much. After using STL, iframe can be embedded easily。

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.