Unable to log into Kibana after first time setup of xpack.security.enabled

dmaclennan · November 17, 2020, 8:06pm

Finding myself at a bit of a hault on my ELK stack setup.

I've setup kibana, elasticsearch and logstash on a Centos VM and have everything working great prior to introducing xpack.security.enabled for user authentication.

I've created the system user accounts using 'auto' and 'interactive'. Currently using 'auto' and have documented the pre-defined passwords.

Restarting Kibana and Elasticsearch, I can get to the Kibana webadmin, but am unable to sign into the GUI due to:

// [security_exception] missing authentication credentials for REST request [/_security/_authenticate], with { header={ WWW-Authenticate="Basic realm="security" charset="UTF-8"" } }"

Running a curl against my elasticsearch server I get:

[root@elk bin]# curl http://127.0.0.1:9200 -u elastic:<password> -v
* Rebuilt URL to: http://127.0.0.1:9200/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: 127.0.0.1:9200
> Authorization: Basic ZWxhc3RpYzpnY2s3bU1zTzl2cWlpY3FLTDZ6ZQ==
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 540
<
{
  "name" : "elasticnode-01",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "VXbZotfpS0e9xV7rH7FtHQ",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 127.0.0.1 left intact

kibana.log reads:

 // 
{"type":"log","@timestamp":"2020-11-17T20:04:43Z","tags":["info","plugins","security","routes"],"pid":64353,"message":"Logging in with provider \"basic\" (basic)"}
{"type":"response","@timestamp":"2020-11-17T20:04:43Z","tags":[],"pid":64353,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"host":"10.1.2.219:9603","connection":"keep-alive","content-length":"166","kbn-version":"7.10.0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36","content-type":"application/json","accept":"*/*","origin":"http://10.1.2.219:9603","referer":"http://10.1.2.219:9603/login?next=%2F","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.1.10.176","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36","referer":"http://10.1.2.219:9603/login?next=%2F"},"res":{"statusCode":401,"responseTime":52,"contentLength":9},"message":"POST /internal/security/login 401 52ms - 9.0B"}

Any help would be awesome to get me rolling.

dmaclennan · November 17, 2020, 8:20pm

Here is debug log output from kibana.log:

    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["debug","metrics"],"pid":66724,"message":"Refreshing metrics"}
    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["info","plugins","security","routes"],"pid":66724,"message":"Logging in with provider \"basic\" (basic)"}
    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["debug","http","server","Kibana","cookie-session-storage"],"pid":66724,"message":"Error: Unauthorized"}
    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["debug","plugins","security","basic","basic"],"pid":66724,"message":"Trying to perform a login."}
    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["debug","plugins","security","basic","basic"],"pid":66724,"message":"Failed to perform a login: [security_exception] missing authentication credentials for REST request [/_security/_authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } }"}
    {"type":"log","@timestamp":"2020-11-17T20:19:04Z","tags":["debug","plugins","licensing"],"pid":66724,"message":"Requesting Elasticsearch licensing API"}
    {"type":"response","@timestamp":"2020-11-17T20:19:04Z","tags":[],"pid":66724,"method":"post","statusCode":401,"req":{"url":"/internal/security/login","method":"post","headers":{"host":"10.1.2.219:9603","connection":"keep-alive","content-length":"166","kbn-version":"7.10.0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36","content-type":"application/json","accept":"*/*","origin":"http://10.1.2.219:9603","referer":"http://10.1.2.219:9603/login?next=%2F","accept-encoding":"gzip, deflate","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.1.10.176","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.193 Safari/537.36","referer":"http://10.1.2.219:9603/login?next=%2F"},"res":{"statusCode":401,"responseTime":44,"contentLength":9},"message":"POST /internal/security/login 401 44ms - 9.0B"}

warkolm · November 17, 2020, 10:28pm

Welcome to our community!

Can you post your kibana.yml?

dmaclennan · November 17, 2020, 11:31pm

Hi warkolm! Thank you

I've omitted some of my .yml file to exclude plain-text passwords, but let me know if I should reconfirm anything:

server.port: 9603
server.host: "10.1.2.219"
server.maxPayloadBytes: 1048576
server.name: "<OMITTED>"
elasticsearch.hosts: ["http://10.1.2.219:9200"]
kibana.index: ".kibana"
kibana.defaultAppId: "home"
elasticsearch.username: "kibana_system"
elasticsearch.password: "<OMITTED>"
server.ssl.enabled: false
#server.ssl.certificate: /elk/certificates/<OMITTED>_elk.crt
#server.ssl.key: /elk/certificates/<OMITTED>_elk_prv.key
#server.ssl.keyPassphrase: "<OMITTED>"
# xpack.security.http.ssl.client_authentication in Elasticsearch is set to required.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
elasticsearch.ssl.verificationMode: none
elasticsearch.pingTimeout: 1500
elasticsearch.requestTimeout: 30000
elasticsearch.requestHeadersWhitelist: []
elasticsearch.customHeaders: {}
elasticsearch.shardTimeout: 30000
elasticsearch.logQueries: false
pid.file: /var/run/kibana/kibana.pid
logging.dest: /var/log/kibana/kibana.log
logging.silent: false
logging.quiet: false
logging.verbose: true
ops.interval: 5000
i18n.locale: "en"

I've taken out xpack.security.enabled: true for the time being so I can continue to configure my instance.

warkolm · November 17, 2020, 11:37pm

Can you connect to Elasticsearch using the API and the username and password you have put into the config?

dmaclennan · November 17, 2020, 11:42pm

Hi Mark,

Please see below:

[root@elk kibana]# curl http://10.1.2.219:9200 -u kibana_system:<OMITTED> -v
* Rebuilt URL to: http://10.1.2.219:9200/
*   Trying 10.1.2.219...
* TCP_NODELAY set
* Connected to 10.1.2.219 (10.1.2.219) port 9200 (#0)
* Server auth using Basic with user 'kibana_system'
> GET / HTTP/1.1
> Host: 10.1.2.219:9200
> Authorization: Basic a2liYW5hX3N5c3RlbTp1WHdQWEs5cFNUMWNoZDVtb1VHeQ==
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 540
<
{
  "name" : "elasticnode-01",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "VXbZotfpS0e9xV7rH7FtHQ",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 10.1.2.219 left intact

ikakavas · November 18, 2020, 7:39am

The previous posts with the curl outputs contain your passwords ( the Authorization header there ) so it might be prudent to change these if this is not a test setup.

What username and password are you using to do so ? Are you trying with elastic and the password you use for curl too, or something else ?

dmaclennan · November 18, 2020, 4:43pm

That's embarrassing.. will have to get those changed out when I have this resolved.

I've done it with both elastic and kibana_system for the curl test. For the actual GUI test, it's elastic.

system · December 16, 2020, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If I enable xpack , Elasticsearch stops working and my license won't work Elasticsearch elastic-stack-security	10	2478	October 22, 2020
Security error in Elasticsearch after X-Pack install Elasticsearch	3	750	September 22, 2017
Elasticstack security Kibana elastic-stack-security	2	222	March 9, 2021
Authentication issues while xpack security enabling Elasticsearch elastic-stack-security	4	2321	February 6, 2020
Authentication issues while xpack security enabling - Elasticsearch version 7.7 Elasticsearch elastic-stack-security	7	1099	June 18, 2020

Unable to log into Kibana after first time setup of xpack.security.enabled

Related topics