Unable to log in to Kibana using an LDAP user that has the superuser role

Hi,

I am unable to log in to Kibana using an LDAP user that has the superuser role. I am getting the exception below.

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [******] for REST request [/_xpack/security/user/_has_privileges], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }"}

When I try to authenticate the same user using the API, I get the output below.

```
curl -XGET -u ****** http://:9200/_xpack/security/_authenticate
Enter host password for user '':
{"username":"***","roles":["superuser"],"full_name":null,"email":null,"metadata":{},"enabled":true,"authentication_realm":{"name":"ldap1","type":"ldap"},"lookup_realm":{"name":"ldap1","type":"ldap"}}
```

```
GET /_security/role/superuser

{
  "superuser" : {
    "cluster" : [
      "all"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : true
      }
    ],
    "applications" : [
      {
        "application" : "*",
        "privileges" : [
          "*"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [
      "*"
    ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : { }
  }
}
```

I assigned a role to a user by using the API below.

```
POST /_xpack/security/role_mapping/mapping1
{
  "roles": [ "superuser" ],
  "enabled": true,
  "rules": {
    "field" : { "username" : "*" }
  },
  "metadata" : {
    "version" : 1
  }
}
```

It looks like I am missing something here. Can someone help me?

Thanks
GRR

This error might be for the kibana user. Could you please double-check the user Kibana uses for connecting to Elasticsearch and whether it has sufficient roles? You can also perform the same API authentication with the kibana user and see what it gives.

Hi Yang,

Getting the below successful response.

```
curl -XGET -u kibana http://**********:9200/_xpack/security/_authenticate
Enter host password for user 'kibana':
{"username":"kibana","roles":["kibana_system"],"full_name":null,"email":null,"metadata":{"_reserved":true},"enabled":true,"authentication_realm":{"name":"reserved","type":"reserved"},"lookup_realm":{"name":"reserved","type":"reserved"}}
```

Thanks
GRR

What are the versions of Kibana and Elasticsearch? Could you share the configuration for them? Could you also enable trace logging and provide the logs?

```
PUT _cluster/settings
{"transient":{"logger.org.elasticsearch.xpack.security.authc":"trace"}}
```

Hi Yang,

I am using version 6.8.4 of Kibana and Elasticsearch.

I am getting the error below in the Kibana log.

{"type":"error","@timestamp":"2020-07-23T12:47:25Z","tags":["error","authentication"],"pid":91590,"level":"error","error":{"message":"[security_exception] unable to authenticate user [] for REST request [/_xpack/security/user/_has_privileges], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }","name":"Error","stack":"[security_exception] unable to authenticate user [] for REST request [/_xpack/security/user/_has_privileges], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } } :: {"path":"/_xpack/security/user/_has_privileges","query":{},"body":"{\"applications\":[{\"application\":\"kibana-.kibana\",\"resources\":[\"space:default\"],\"privileges\":[\"version:6.8.4\",\"action:login\",\"action:saved_objects/config/get\"]}]}","statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [] for REST request [/_xpack/security/user/_has_privileges]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [] for REST request [/_xpack/security/user/_has_privileges]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}},\"status\":401}","wwwAuthenticateDirective":"Basic realm=\"security\" charset=\"UTF-8\""}\n at respond (/home/release/release_independent/elk/kibana/kibana-6.8.4-linux-x86_64/node_modules/elasticsearch/src/lib/transport.js:308:15)\n at checkRespForFailure (/home/release/release_independent/elk/kibana/kibana-6.8.4-linux-x86_64/node_modules/elasticsearch/src/lib/transport.js:267:7)\n at HttpConnector. 
(/home/release/release_independent/elk/kibana/kibana-6.8.4-linux-x86_64/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/home/release/release_independent/elk/kibana/kibana-6.8.4-linux-x86_64/node_modules/elasticsearch/node_modules/lodash/lodash.js:4929:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"},"message":"[security_exception] unable to authenticate user [******] for REST request [/_xpack/security/user/_has_privileges], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }"}

I am getting the exception below at the client (browser).

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [******] for REST request [/_xpack/security/user/_has_privileges], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }"}

Thanks
GRR

Could you please share the logs from Elasticsearch? I understand the need of redacting logs. But could you please do it consistently? From the logs I cannot tell whether the errors are all related to the same user since sometimes it is [] and other times it is [******].

Hi Yang,

I am using the same LDAP user for testing. While submitting the topic it got changed from [******] to [] in some places.

I am getting the output below from the Elasticsearch log.

```
[2020-07-23T21:41:42,727][DEBUG][o.e.x.s.a.s.DnRoleMapper ] [localhost] the roles [], are mapped from the user [cn=Full Name of the User ,ou=users02,ou=users,ou=adm01,ou=at,ou=corp,dc=mydomain,dc=com] using file [role_mapping.yml] for realm [ldap/ldap1]
[2020-07-23T21:41:42,735][TRACE][o.e.x.s.a.s.m.NativeRoleMappingStore] [gi2p1xrlgs021.gi02.bpty] User [employeeID] matches role-mapping [mapping1] with roles [[superuser]]
```

role_mapping.yml contains the data below.

```
superuser:
  - "OU=Users,OU=ADM01,OU=AT,OU=CORP,DC=mydomain,DC=com"
```

I am getting the superuser role from NativeRoleMappingStore and no roles (null) from DnRoleMapper. Is there any issue with the way I configured role_mapping.yml?

Note: Bold text replaced with dummy data to secure the personal data.

Thanks
GRR

For role_mapping.yml, you need to use the full DN. The configuration you currently have is missing the CN=xxx part of the full DN. That is why it was not picked up and fell through to the native mapping.

Based on the logs, the authentication was successful because the roles are mapped and I am not seeing any errors. So there is no login issue anymore?

If the problem persists, could you please share the full logs, or at least enough logs to cover the whole failed authentication attempt, to help better understand the context? Also, please use the forum formatting features for pasting logs so they are easier to read. For logs, you can put them inside a pair of triple backquotes:

    ```
    log text here ...
    ```

Thanks!
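An added example (not part of the thread, and a simplified model rather than Elasticsearch's own code) of the two lookups seen in the logs above: the file-based mapper compares whole DNs, so the posted parent OU yields no roles, while the `"username": "*"` rule in `mapping1` grants `superuser` to any authenticated user. The `admins` mapping with a wildcard `dn` rule and the second user are constructed for comparison.

```python
import re

def norm_dn(dn):
    """Simplified DN normalisation: trim and lower-case every RDN."""
    rdns = re.split(r"(?<!\\),", dn)  # split on unescaped commas
    return ",".join("=".join(p.strip().lower() for p in r.split("=", 1)) for r in rdns)

def file_roles(role_file, user_dn, group_dns=()):
    """role_mapping.yml model: a role applies only when a listed DN equals the
    user's DN or one of the user's group DNs; a parent OU is not a match."""
    principals = {norm_dn(d) for d in (user_dn, *group_dns)}
    return sorted(role for role, dns in role_file.items()
                  if principals & {norm_dn(d) for d in dns})

def wildcard_match(pattern, value):
    """Match a field-rule value in which '*' stands for any run of characters."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def native_roles(mappings, user):
    """Role-mapping API model: roles granted by enabled, single-'field' rules."""
    roles = set()
    for mapping in mappings.values():
        (field, pattern), = mapping["rules"]["field"].items()
        value = user.get(field)
        if value is None or not mapping.get("enabled", True):
            continue
        if field == "dn":
            pattern, value = norm_dn(pattern), norm_dn(value)
        if wildcard_match(pattern, value):
            roles.update(mapping["roles"])
    return sorted(roles)

def match_all_mappings(mappings):
    """Names of mappings whose rule value is a bare '*': every authenticated user."""
    return sorted(n for n, m in mappings.items() if "*" in m["rules"]["field"].values())

# DNs, role file and mapping1 are from the thread; BY_DN and OTHER are constructed.
BASE = "ou=users,ou=adm01,ou=at,ou=corp,dc=mydomain,dc=com"
THREAD_USER = {"username": "employeeID", "dn": "cn=Full Name of the User ,ou=users02," + BASE}
OTHER = {"username": "someone-else", "dn": "cn=Other,ou=users01," + BASE}
POSTED_FILE = {"superuser": ["OU=Users,OU=ADM01,OU=AT,OU=CORP,DC=mydomain,DC=com"]}
FULL_DN_FILE = {"superuser": ["CN=Full Name of the User,OU=Users02," + BASE]}
MAPPING1 = {"mapping1": {"roles": ["superuser"], "enabled": True,
                         "rules": {"field": {"username": "*"}}}}
BY_DN = {"admins": {"roles": ["superuser"], "enabled": True,
                    "rules": {"field": {"dn": "*,ou=users02," + BASE}}}}

if __name__ == "__main__":
    print(file_roles(POSTED_FILE, THREAD_USER["dn"]), native_roles(MAPPING1, OTHER))
```

Running `match_all_mappings` over the output of the role-mapping API is a quick way to spot mappings such as `mapping1` that apply to every user regardless of realm.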
