-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kibana user can't change own password in cloud deployments #88484
Comments
cc @elastic/kibana-security |
Interestingly enough, when using Stack Management > Users to change a password:
|
This has been caught by the cloud test failure : #86520 |
This appears to be a problem with the Cloud proxy. We cannot reproduce this locally in Kibana, only in the Cloud environment. We tested the following scenarios within Kibana:
We enabled verbose logging and audit logging in Elasticsearch, and we also enabled verbose logging in Kibana. In the failure cases, Kibana logs showed the 40, but there are no logs on Elasticsearch indicating that the request was received. We also checked the Elasticsearch proxy logs (go to Discover and search for From the Kibana perspective, the only difference between the two failure cases and the three success cases is that the failure cases include a request authorization header. See the code snippet here: kibana/x-pack/plugins/security/server/routes/users/change_password.ts Lines 33 to 72 in 9eb993a
|
Is there any evidence (eg in the Kibana logs) that Kibana issued the request that is never received by ES? (Eg if the proxy was the issue presumably the request errors out in Kibana - is the error logged?) The proxy definitely doesn't parse the header so it would be very unexpected if the presence or not of an auth header changes the HTTP-level behavior within Cloud. Also the proxy doesn't know what version its routing to, so if a given request works with 7.10 it will always work with 7.11 (unless of course the request has changed from 7.10 to 7.11,) |
Yes, Kibana makes a call to the Elasticsearch client which returns a 404 error. This is present in the Kibana logs, but the same request does not show up in the Elasticsearch proxy logs.
We did start using the new ES client in 7.11 (PR #84528), but it is making the same request. And it works locally, without a proxy in front of ES. |
Can you get the exact body and (I'm struggling to come up with an explanation that: given an identical request X, if you send X to a 7.10 ES cluster it works, but if you send X to a 7.11 cluster then the proxy fails. It seems way more likely X is different.) |
We did this in the test case above "Dev Tools : Change your own password, results in success", it's a short request:
It does work in 7.11 through Kibana dev tools (and we see that request in the proxy logs). It doesn't work when changing your own password via Kibana's ES client (we don't see the request in the proxy logs). Edit: I recreated the same command to my staging deployment using curl:
It results in a 200 success. |
I looked in the proxy application error logs and couldn't find anything that lined up with the counts/times for 404s occurring. There were a few "content-length is wrong" errors and a few "connection reset by peer" errors at similar, but I don't think they are related. It might be necessary to run a local Kibana hitting a Cloud ES so you can see exactly what the ES client is doing? |
OK, good idea, I'll try that and report back here, thanks. |
It appears that the source of our problems is this line:
It is intended to ensure that the password is provided in the Authorization header, regardless of what authentication provider is used (e.g., Token provider). However, it has the unintended side effect of including all of the end user's request headers, and overwriting some of the ES client's request headers. I tested and verified this by running Kibana locally, connecting to a cloud ES instance, and intercepting the HTTPS traffic. Here is a comparison of I believe the correct fix is to remove the specified line. The authorization header is the only one we need to include in the ES client options. Will open a PR shortly. |
Good find @jportner! @AlexP-Elastic is there any way to track down issues like this via proxy or any other available type of logs (ES API endpoint in the Cloud is being accessed with an invalid/not-allowed |
@azasypkin this issue did make it clear that we need to log the "no matching id", we discussed a bit in cloud slack - @dtuck9 when you get a moment could you create an issue? |
Found in version
Browser
Steps to reproduce
Expected result
Actual result
404
Additional information
The text was updated successfully, but these errors were encountered: