When I log in to Kibana as kibana_system user, it says "You do not have permission"

Hi there.
When I log in to Kibana as kibana_system user, it says "You do not have permission to access the requested page".
As elastic user, the dashboard is displayed.

The reproduction procedure is as follows.

step 1.

$ mkdir work
$ cd work
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.15.1-linux-x86_64.tar.gz
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-7.15.1-linux-x86_64.tar.gz
$ tar xvzf elasticsearch-7.15.1-linux-x86_64.tar.gz
$ tar xvzf kibana-7.15.1-linux-x86_64.tar.gz

step 2.

$ cd elasticsearch-7.15.1
$ cp config/elasticsearch.yml config/elasticsearch.yml.orig
$ vi config/elasticsearch.yml
(add "xpack.security.enabled: true")
$ diff -u config/elasticsearch.yml.orig config/elasticsearch.yml
--- config/elasticsearch.yml.orig       2021-12-02 17:38:40.112698983 +0900
+++ config/elasticsearch.yml    2021-12-02 16:58:35.519820314 +0900
@@ -1,3 +1,5 @@
+xpack.security.enabled: true
+
 # ======================== Elasticsearch Configuration =========================
 #
 # NOTE: Elasticsearch comes with reasonable defaults for most settings.

step 3.

$ cd kibana-7.15.1-linux-x86_64
$ cp config/kibana.yml config/kibana.yml.orig
$ vi config/kibana.yml
(add "server.host", "elasticsearch.username", "elasticsearch.password")
$ diff -u config/kibana.yml.orig config/kibana.yml
--- config/kibana.yml.orig      2021-12-02 17:40:52.814875169 +0900
+++ config/kibana.yml   2021-12-02 17:15:39.903397334 +0900
@@ -5,6 +5,7 @@
 # The default is 'localhost', which usually means remote machines will not be able to connect.
 # To allow connections from remote users, set this parameter to a non-loopback address.
 #server.host: "localhost"
+server.host: "192.168.56.103"

 # Enables you to specify a path to mount Kibana at if you are running behind a proxy.
 # Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
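Review bot: the added `server.host: "192.168.56.103"` line makes Kibana listen on a non-loopback address, and nothing in this diff enables TLS for it, so the login form opened in step 7 is served over plain `http://`. If this configuration is used outside a lab, set `server.ssl.enabled: true` together with `server.ssl.certificate` and `server.ssl.key` in the same file.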
@@ -42,8 +43,8 @@
 # the username and password that the Kibana server uses to perform maintenance on the Kibana
 # index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
 # is proxied through the Kibana server.
-#elasticsearch.username: "kibana_system"
-#elasticsearch.password: "pass"
+elasticsearch.username: "kibana_system"
+elasticsearch.password: "kibana_system_password"

 # Kibana can also authenticate to Elasticsearch via "service account tokens".
 # If may use this token instead of a username/password.
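Review bot: the `+elasticsearch.password: "kibana_system_password"` line stores the `kibana_system` password in clear text in `config/kibana.yml`. Keep `elasticsearch.username` in the file but move the password into the Kibana keystore (`bin/kibana-keystore create`, then `bin/kibana-keystore add elasticsearch.password`), or switch to the service account token that the context line after the change mentions.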

step 4.

$ elasticsearch-7.15.1/bin/elasticsearch (leave it running)

step 5.

$ elasticsearch-7.15.1/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: (elastic_password)
Reenter password for [elastic]:
Enter password for [apm_system]: (apm_system_password)
Reenter password for [apm_system]:
Enter password for [kibana_system]: (kibana_system_password)
Reenter password for [kibana_system]:
Enter password for [logstash_system]: (logstash_system_password)
Reenter password for [logstash_system]:
Enter password for [beats_system]: (beats_system_password)
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]: (remote_monitoring_user_password)
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

$ curl -u elastic:elastic_password http://localhost:9200/
{
  "name" : "elk",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "2iUn6TqeSnuw91kyDPg5Eg",
  "version" : {
    "number" : "7.15.1",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "83c34f456ae29d60e94d886e455e6a3409bba9ed",
    "build_date" : "2021-10-07T21:56:19.031608185Z",
    "build_snapshot" : false,
    "lucene_version" : "8.9.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
$ curl -u apm_system:apm_system_password http://localhost:9200/
(same as above)
$ curl -u kibana_system:kibana_system_password http://localhost:9200/
(same as above)
$ curl -u logstash_system:logstash_system_password http://localhost:9200/
(same as above)
$ curl -u beats_system:beats_system_password http://localhost:9200/
(same as above)
$ curl -u remote_monitoring_user:remote_monitoring_user_password http://localhost:9200/
(same as above)

step 6.

$ kibana-7.15.1-linux-x86_64/bin/kibana (leave it running)

step 7.
Access http://192.168.56.103:5601/ with a browser.




kibana_system is not intended to be used as a login user for the Kibana UI.

Its only intended use is as the user used to log in to Elasticsearch from the Kibana server, set in the kibana.yml file.

elasticsearch.username: and elasticsearch.password:

The behavior you are seeing is expected.

kibana_system
The user Kibana uses to connect and communicate with Elasticsearch.

Thank you for your advice.
It seems I didn't read the documentation enough.
The procedure I have done was missing items #8 through #11 below.
(Is "10. Grant users ..." optional?)

  8. Temporarily log in to Kibana using the built-in elastic superuser so you can create new users and assign roles.
  9. Create roles and users to grant access to Kibana.
  10. Grant users access to the indices that they will be working with in Kibana.
  11. Log out of Kibana and verify that you can log in as a normal user.

Yes, create roles with permissions / access to indices etc., then assign roles to users. Pretty standard RBAC approach.

Thanks a lot!

I can now view the dashboard by performing steps #8, #9 and #11.

  8. Temporarily log in to Kibana using the built-in elastic superuser
  9. Create roles and users to grant access to Kibana.

I have created a user "tadashi".
And assigned the kibana_admin role to the user "tadashi".

  11. Log out of Kibana and verify that you can log in as a normal user.

Succeeded in logging in as the user "tadashi".

Thanks again.
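The user creation from steps #8 and #9, done through the Elasticsearch security API instead of the Kibana UI, as an added example that is not part of the original thread. The helper names and the `DRY_RUN` switch are hypothetical; the user name, the `kibana_admin` role and the list of built-in accounts come from the posts above.

```shell
#!/bin/sh
# Added example: create a human login user for Kibana via
# POST /_security/user/<name>, and refuse the built-in service accounts.
# Assumes the password contains no '"' or '\' (no JSON escaping is done).

ES_URL="${ES_URL:-http://localhost:9200}"

# Built-in accounts from the elasticsearch-setup-passwords output in step 5
# that are service identities, not people (elastic, the superuser, is excluded).
SERVICE_ACCOUNTS="apm_system kibana kibana_system logstash_system beats_system remote_monitoring_user"

is_service_account() {  # $1 = user name
    for name in $SERVICE_ACCOUNTS; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Build the JSON request body.
user_body() {  # $1 = password, $2.. = roles
    pw=$1; shift
    roles=""
    for r in "$@"; do roles="${roles:+$roles,}\"$r\""; done
    printf '{"password":"%s","roles":[%s]}' "$pw" "$roles"
}

create_login_user() {  # $1 = user, $2 = password, $3.. = roles
    user=$1
    if is_service_account "$user"; then
        echo "refusing: $user is a built-in service account, not a UI login" >&2
        return 1
    fi
    shift
    body=$(user_body "$@")
    if [ -n "${DRY_RUN:-}" ]; then
        # Show the request without contacting the cluster.
        printf 'POST %s/_security/user/%s %s\n' "$ES_URL" "$user" "$body"
        return 0
    fi
    # "-u elastic" with no password makes curl prompt for it,
    # so the superuser password stays out of the shell history.
    curl -sS -u elastic -X POST "$ES_URL/_security/user/$user" \
         -H 'Content-Type: application/json' -d "$body"
}

# Usage: create_login_user tadashi 'a-long-passphrase' kibana_admin
```

After creating the user, `curl -u tadashi "$ES_URL/_security/_authenticate"` returns the account's roles, which confirms the assignment before the browser login in step #11.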
