Unable to login to Kibana after changing Space settings for specific role

Hi,

I have created a user 'X' with role 'Y'. A space 'Z' is assinged to this role. In the settings of the Space for this role, I've decided to hide all features including 'dashboards' from it and keep only dev tools for example.

image757×838 60.1 KB

Whenever I login with the user which is associated to this role, I get the following error:

image1411×805 30 KB

Kibana shows this error for a second before it reloads automatically and again it shows this error for a second and so on...

Clearing the session didn't help. When I've enabled also 'dashboards' (read/all), this issue stopped happening.

image751×836 60 KB

My goal is to hide dashboards for this role. So I am blocked here.
I would really appreciate your help.

Peter

This seems like a legit bug - which version are you using? If it's an outdated one, you can try upgrading. If you are already running 7.8.0, you can report it here: https://github.com/elastic/kibana/issues/new?template=Bug_report.md

Hi @flash1293

I am using version 7.5.1
We can't just upgrade to latest version. We have our solution based on Kibana and we are just before going to production.
Is it a known issue? If so, and if it has a fix already then I can merge the fix to our Kibana based solution.
Pending for more info regarding this issue.

Thanks

I suggested the upgrade because this area of the code went through substantial refactoring between 7.5 and 7.8 - there is no single PR to backport, but the whole structure of the application changed. I tried to reproduce this problem with 7.8 but granting only dev tool rights works fine there.

Did you include your own plugins into Kibana for your solution?

Thanks for your fast reply.
Yes we have our own plugins. Can you please try and reproduce the issue on 7.5.1?
This will help us understand if it's an Kibana issue (most likely) or our own development which is causing this.

Thanks

I started a 7.5.1 instance with just dev tools rights in a separate space and it worked fine for me (no errors on opening Kibana)

Have you been able to log in with the user which has the role you've created (the role that has the specific Space privileges)?

Yes, I'm able to access the dev tools without any errors

The issue is not in accessing the dev tools. The issue reproduced for me when trying to log-in to KIbana with the user and role I created for which is assigned a space with no privileges to see dashboards.
Steps to reproduce:

1. Create a user
2. Create a Space
3. Create a role and assign this Space to it. Hide everything and keep only dev tools with Read privileges.
4. Assign the role to the previously created user.
5. Logout
6. Login using newly created user credentials

Expected:
You are able to login and view your dashboards without any issue.

Actual:
Stuck in a loop which shows below error for 1 second:

image1411×805 30 KB

That's what I meant - logging in as this user and going to dev tools works fine for me.

You are able to login and view your dashboards without any issue

Why are you expecting to be able to view dashboards if you only grant dev tools rights to a user?

I am unable to login at all. I am stuck in a loop after clicking login.

Hi,

After checking for other developers who faced the same issue, I was able to find an open bug on this issue!

Here you can see the same steps to reproduce mentioned: https://github.com/elastic/kibana/issues/52298

So, as I understand currently there is no fix for that.

@flash1293 can you go over the steps to reproduce mentioned here https://github.com/elastic/kibana/issues/52298 on latest stable Kibana version and update if you have the same issue or not. If not, can you please point our to the fix that was done?

Thanks

If this is about a kibana.defaultAppId setting, a possible workaround is to remove it and use the advanced setting “defaultRoute” instead configured in Management > Advanced settings.

Let me know whether that works for your case.

You mean I need to replace the default value of kibana.defaultAppId with the defaultRoute value I've configured in the Advanced Settings?
Please clarify.

Thanks

defaultRoute works a little different - just copy the path of the page you want to be your default, e.g. discover is app/kibana#/discover on 7.5

Hi

It didn't work.

What default route did you try? If it's a specific dashboard, it's possible you can't work around the bug you found in your specific scenario.

If you are writing your own plugin, you can also try programmatically hiding menu options in specific cases similar to how the "dashboard mode" plugin is doing it: https://github.com/elastic/kibana/blob/7.5/x-pack/legacy/plugins/dashboard_mode/public/dashboard_viewer.js#L55

Thanks @flash1293
I need to add a change in the code to block access to /dashboards (in addition to hiding dashboards plugin from side menu). Can you please point out how this can be done? How is it done already for items that are hidden (Privilege set as None for specific role)?

Thanks

They are using the security solution with registered features (like here: https://github.com/elastic/kibana/blob/master/x-pack/plugins/features/server/oss_features.ts ) and integrate with the permissions you can set per role.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.