User Impersonation broken after upgrade: 6.8 -> 7.3

I successfully used SSO in Kibana as described in the blog.
Unfortunately, it stopped working after the upgrade to the latest version. I'm getting Forbidden all the time now:

HTTP Response:

< HTTP/1.1 403 Forbidden
< Cache-Control: no-cache
< Content-Type: application/json; charset=utf-8
< kbn-name: kibana
< kbn-xpack-sig: 69a45cdb16d334197d592ac3d22dd89e
< X-Powered-By: ARR/3.0
< Persistent-Auth: true
< X-Powered-By: ASP.NET
< Date: Wed, 21 Aug 2019 14:28:21 GMT
< Content-Length: 60
<
* STATE: PERFORM => DONE handle 0x600057870; line 1980 (connection #0)
* multi_done
* Connection #0 to host localhost left intact
* Expire cleared
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

kibana.log:

{
	"type": "response",
	"@timestamp": "2019-08-21T14:28:21Z",
	"tags": [],
	"pid": 6496,
	"method": "get",
	"statusCode": 403,
	"req": {
		"url": "/",
		"method": "get",
		"headers": {
			"connection": "Keep-Alive",
			"accept": "*/*",
			"accept-encoding": "peerdist",
			"host": "localhost:5601",
			"max-forwards": "10",
			"user-agent": "curl/7.59.0",
			"x-original-url": "/",
			"x-rewrite-url": "/",
			"es-security-runas-user": "first.last@domain.com",
			"x-forwarded-for": "[::1]:56315",
			"x-arr-ssl": "1024|256|C=US, ..., CN=localhost",
			"x-arr-log-id": "d9f6f096-226b-49d2-a5f0-aa78c6a3a011",
			"x-p2p-peerdist": "Version=1.1",
			"x-p2p-peerdistex": "MinContentInformation=1.0, MaxContentInformation=2.0"
		},
		"remoteAddress": "127.0.0.1",
		"userAgent": "127.0.0.1"
	},
	"res": {
		"statusCode": 403,
		"responseTime": 108,
		"contentLength": 9
	},
	"message": "GET / 403 108ms - 9.0B"
}

Most probably, it does not work because of the permissions for Kibana spaces. I gave full Kibana-spaces permissions to all roles in question, but it didn't help.

What could be missing here?

P.S. Direct requests to ES with the es-security-runas-user header work.
Thanks!

Adding the Kibana log messages when requesting the /app/kibana path:

{
	"type": "log",
	"@timestamp": "2019-08-21T14:56:29Z",
	"tags": ["error", "plugins", "spaces"],
	"pid": 6496,
	"message": "Unable to navigate to space \"default\", redirecting to Space Selector. Error: Unauthorized to get default space"
}
{
	"type": "response",
	"@timestamp": "2019-08-21T14:56:29Z",
	"tags": [],
	"pid": 6496,
	"method": "get",
	"statusCode": 302,
	"req": {
		"url": "/app/kibana",
		"method": "get",
		"headers": {
			"connection": "Keep-Alive",
			"accept": "*/*",
			"accept-encoding": "peerdist",
			"host": "localhost:5601",
			"max-forwards": "10",
			"user-agent": "curl/7.59.0",
			"x-original-url": "/app/kibana",
			"x-rewrite-url": "/app/kibana",
			"es-security-runas-user": "first.last@domain.com",
			"x-forwarded-for": "[::1]:58127",
			"x-arr-ssl": "1024|256|C=US, ..., CN=localhost",
			"x-arr-log-id": "10857a34-98ad-401a-80d3-a0fc53cf401a",
			"x-p2p-peerdist": "Version=1.1",
			"x-p2p-peerdistex": "MinContentInformation=1.0, MaxContentInformation=2.0"
		},
		"remoteAddress": "127.0.0.1",
		"userAgent": "127.0.0.1"
	},
	"res": {
		"statusCode": 302,
		"responseTime": 186,
		"contentLength": 9
	},
	"message": "GET /app/kibana 302 186ms - 9.0B"
}

Sorry, all good. There was a very small typo in the role name :)

But it's important to know that such migrations require granting permissions to Kibana spaces. That's new for 7.x.
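
The two causes that came up in this thread, a role name on the impersonated user that matches no defined role and roles without Kibana space privileges, can be checked offline. The sketch below is an added example, not code from the thread or from Elastic. It assumes the JSON shapes returned by `GET /_security/user/<name>` and `GET /_security/role` and the default Kibana application name `kibana-.kibana`; the role names and privileges are constructed sample data.

```python
"""Offline audit of a run-as target user's roles for Kibana space access.

Inputs mirror the JSON bodies of GET /_security/user/<name> and
GET /_security/role (assumed shapes); all sample values are constructed.
"""

KIBANA_APP = "kibana-.kibana"  # assumption: default kibana.index (.kibana)


def grants_space(role_def, space):
    """True if a role definition carries any Kibana privilege for `space`."""
    for app in role_def.get("applications", []):
        if app.get("application") != KIBANA_APP or not app.get("privileges"):
            continue
        resources = app.get("resources", [])
        if "*" in resources or f"space:{space}" in resources:
            return True
    return False


def audit_user(user, roles, space="default"):
    """Return (undefined_roles, roles_without_space_access, has_access)."""
    undefined, no_access, has_access = [], [], False
    for name in user.get("roles", []):
        if name not in roles:
            undefined.append(name)      # typo or deleted role: grants nothing
        elif grants_space(roles[name], space):
            has_access = True
        else:
            no_access.append(name)
    return undefined, no_access, has_access


# Constructed sample data: the user references "kibana_sso_usr",
# but the role that was actually created is "kibana_sso_user".
SAMPLE_USER = {"username": "first.last@domain.com",
               "roles": ["logs_reader", "kibana_sso_usr"]}
SAMPLE_ROLES = {
    "logs_reader": {"cluster": [], "applications": [],
                    "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "kibana_sso_user": {"cluster": [], "indices": [], "applications": [
        {"application": KIBANA_APP, "privileges": ["space_all"],
         "resources": ["space:default"]}]},
}

if __name__ == "__main__":
    undefined, no_access, ok = audit_user(SAMPLE_USER, SAMPLE_ROLES)
    print("undefined roles:", undefined)
    print("roles without Kibana space privileges:", no_access)
    print("can open default space:", ok)
```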