Unable to login to kibana on chrome


(Sam) #1

We recently added SSL to our elasticsearch cluster (we've had it on kibana) and have since been unable to login to kibana on chrome. It works fine on firefox, however.

We're getting a 401 (Unauthorized) error.

We noticed this problem because we embedded the iframe in a reactjs page and it wasn't working in chrome. The login request goes through and the iframe starts loading, but then it gives /es_admin/.kibana/index-pattern/_search?stored_fields= 401 (Unauthorized) and /api/xpack/v1/info 401 (Unauthorized) - the login screen in the iframe reports that the session has expired
If we try accessing it directly through chrome, we get /api/security/v1/login 401 (Unauthorized) and /api/xpack/v1/info 401 (Unauthorized) - the login page just says 'oops! error. try again.'

Anyone know how to fix it or know why it's no longer working in Chrome?


(Matt Bargar) #2

Have you tried fully clearing your cache in Chrome? If you look at Chrome's dev tools, do you see any additional details about the error either in the console or the network tab? Any additional details in your Kibana or ES logs?


(Sam) #3

@Bargs
Yes, we have tried fully clearing cache. The highlighted errors above are from the Chrome's dev tools. No mention of anything (except the user creation we did) in kibana or ES logs


(Matt Bargar) #4

What version of Kibana/Elasticsearch/xpack are you using?


(Sam) #5

5.5.0


(Matt Bargar) #6

I'm not certain whether you're getting a 401 for the kibana server user or the end user. Could you try enabling audit logging in Elasticsearch Security in order to see which authentication attempt is failing? That would narrow down the investigation.

You can also log all requests made to ES from Kibana by setting elasticsearch.logQueries: true in kibana.yml and running Kibana in verbose mode with --verbose. This may prove to be useful.


(Sam) #7

When i try to access it in Chrome, the following is shown in the Kibana logs:

respons [20:22:16.414]  GET /api/xpack/v1/info 200 14ms - 9.0B
  log   [20:22:16.469] [debug][license][xpack] Calling Elasticsearch _xpack API
respons [20:22:16.475]  POST /es_admin/.kibana/index-pattern/_search?stored_fields= 401 25ms - 9.0B

...
[a number of GET/POST requests]
...

  log   [20:22:17.290] [debug][license][xpack] Calling Elasticsearch _xpack API
respons [20:22:17.298]  GET /api/xpack/v1/info 401 13ms - 9.0B

This is in ES:

[2017-08-10T13:26:57,829][WARN ][o.e.x.s.a.AuthenticationService] [zpRGmrV] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate user [elastic]]

In firefox they're all 200s.


(Matt Bargar) #8

Ok, so it appears to be the end user that's failing to authenticate. Is this what happens when you're trying to load the URL of a specific visualization? What requests do you see in the logs when you try to go to the login screen and log in?

I also found another ticket reporting a 401 for the same _search request that's responding with a 401 in your logs. Unfortunately we didn't get any additional info there, but one interesting thing I noticed is that they were using an nginx proxy. Are you running a proxy in front of Kibana? If so, do you get different results if you try to access Kibana directly?


(Sam) #9

similar errors when we try accessing kibana directly but on /api/security/v1/login and /api/xpack/v1/info. we're not running a proxy in front of kibana itself. we do use nginx where we have the iframe embedded, but I don't think it's related since we're getting the same error accessing both the iframe and kibana itself.
the iframe loads the url of a specific dashboard.

Logging into kibana itself on firefox with the same credentials works perfectly fine.


(Sam) #10

Oh @Bargs something i forgot to mention - the login request to the elasticsearch server goes through for the iframe in Chrome, it's just ones for kibana that are failing which is why it gives the session expired error


(Matt Bargar) #11

This really sounds like there's a cookie or credentials cached in the browser still. Can you try to log in to Kibana directly with Chrome in incognito mode and see what happens?


(Sam) #12

@Bargs
The same thing happens.
I also tried with Safari (which I haven't used for this before) and got the same issue as with Chrome.
Doing it in Firefox works whether in incognito or not.


(Sam) #13

All of the failing calls are to the kibana server - the elasticsearch ones seem to go through fine according to the browser console.

The only change I can think of since it worked is setting up ssl, but we haven't gotten any errors and when we access the url via https there's no certificate error or warning.


(Sam) #14

I do see this in the xpack audit logs, which might be related? It shows up when trying to access the iFrame but not when accessing Kibana directly.

[2017-08-14T11:20:12,360] [transport] [access_granted]	origin_type=[rest], origin_address=[***], principal=[user_name], action=[cluster:admin/xpack/security/user/authenticate], request=[AuthenticateRequest]
[2017-08-14T11:20:12,400] [transport] [access_granted]	origin_type=[rest], origin_address=[***], principal=[superuser], action=[cluster:monitor/xpack/info], request=[XPackInfoRequest]
[2017-08-14T11:20:12,451] [rest] [anonymous_access_denied]	origin_address=[***], uri=[/_xpack/security/_authenticate]
[2017-08-14T11:20:12,997] [transport] [access_granted]	origin_type=[rest], origin_address=[***], principal=[superuser], action=[cluster:monitor/xpack/info], request=[XPackInfoRequest]
[2017-08-14T11:20:13,011] [rest] [anonymous_access_denied]	origin_address=[***], uri=[/_xpack/security/_authenticate]

(Matt Bargar) #15

Does this look like the same issue you're having https://github.com/elastic/kibana/issues/10176 ?

If so, would you mind adding details to that issue? If it doesn't look the same, could you file a new bug report? In either case I think we'll need to investigate this further as a potential bug.


(Matt Bargar) #16

Nevermind, I just noticed you're the one who last commented on that issue. Please keep following up on that thread, we can track it as a bug easier that way.


(Sam) #17

Ok, will do


(Stacey Gammon) #18

I don't think this is related to that bug about iframes and safari. At least, I think we should first figure out why you aren't able to log in without throwing iframes into the mix to complicate matters.

Have all these log in attempts been on the same computer or different?

I did find some another post about ssl errors happening on Chrome and IE but not firefox - https://superuser.com/questions/1000003/getting-certificate-error-on-ie-and-chrome-but-opens-in-firefox. Though I'm not sure that will help since you don't see any certificate errors.

If you navigate to https://[your_url]:5601/api/xpack/v1/info in Chrome and view the security tab, does it give you any information about the certificate?


(Sam) #19

@Stacey_Gammon I have tested all of them on my computer, Chrome and Firefox have been tested on two other computers (each of which was able to login on Firefox and not login on Chrome)

I tried doing what the superuser post suggested but no change.

I can access that link on Firefox but not Chrome. I didn't see any certificate information. But it also shows just as a json object. If I navigate to Kibana -> Management -> Security, I only see Users and Roles tabs.


(Sam) #20

@Stacey_Gammon just checking in - is that what it's supposed to show? Do you have any other suggestions to try?