Unable to access Kibana monitoring plugin #138

Closed
gitime opened this issue Dec 19, 2016 · 10 comments

@gitime

gitime commented Dec 19, 2016

Hi,

I am using ELK GA 5.0.0 on my Linux machine. Below is my configuration:

elasticsearch.yml

xpack.security.enabled: false
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.watcher.enabled: false
readonlyrest:
  enable: true
  response_if_req_forbidden: Invalid login
  access_control_rules:
    - name: Settings1
      auth_key: kibana:kibanapassword
      type: allow
    - name: Settings2
      auth_key: elastic:elasticpassword
      type: allow

kibana.yml

xpack.security.enabled: false
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.reporting.enabled: false
elasticsearch.username: "kibana"
elasticsearch.password: "kibanapassword"

But when I try to access the monitoring plugin of Kibana, I get an error page in Kibana saying:

Access Denied
You are not authorized to access Monitoring. To use Monitoring, you need the privileges granted by both the kibana_user and monitoring_user roles.
If you are attempting to access a dedicated monitoring cluster, this might be because you are logged in as a user that is not configured on the monitoring cluster.

Below are the error traces in my elasticsearch and kibana consoles:

elasticsearch log

[2016-12-15T18:16:29,005][INFO ][o.e.p.r.a.ACL ] no block has matched, forbidding by default: { action: indices:data/read/search, OA:192.168.0.1, indices:[.monitoring-data-2], M:POST, P:/.monitoring-data-2/_count, C:<OMITTED, LENGTH=0>, Headers:[Host=192.168.0.1:9200, Content-Length=0, Connection=keep-alive] }

kibana log

request [12:44:38.962] [error][monitoring-ui] Error: Unauthorized
    at Object.exports.create (/elk/kibana-5.0.0-linux-x86_64/node_modules/boom/lib/index.js:21:17)
    at Object.exports.unauthorized (/elk/kibana-5.0.0-linux-x86_64/node_modules/boom/lib/index.js:87:23)
    at /elk/kibana-5.0.0-linux-x86_64/src/core_plugins/elasticsearch/lib/call_with_request.js:48:63
    at bound (domain.js:280:14)
    at runBound (domain.js:293:12)
    at tryCatcher (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/util.js:11:23)
    at Promise._settlePromiseFromHandler (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:489:31)
    at Promise._settlePromise (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:546:18)
    at Promise._settlePromise0 (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:591:10)
    at Promise._settlePromises (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/promise.js:670:18)
    at Async._drainQueue (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:125:16)
    at Async._drainQueues (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:135:10)
    at Immediate.Async.drainQueues (/elk/kibana-5.0.0-linux-x86_64/plugins/x-pack/node_modules/bluebird/js/release/async.js:16:14)
    at runCallback (timers.js:637:20)
    at tryOnImmediate (timers.js:610:5)
    at processImmediate [as _immediateCallback] (timers.js:582:5)

I have tried both credentials in Kibana, but it was of no use. How can I access the monitoring plugin (monitoring page in Kibana)? When I remove the readonlyrest settings from elasticsearch.yml, everything works fine when I restart the cluster. How can I fix this?

Thank you.

gitime changed the title from "Unable to access monitoring plugin" to "Unable to access Kibana monitoring plugin" Dec 19, 2016
@sscarduzio
Owner

Hello @gitime, thanks for the good analysis. If you look at the readonlyrest log line you pasted, Kibana does not provide an authorisation header for that HTTP request.

Looks like Kibana is ignoring its configured credentials for the scope of a certain request.

@gitime
Author

gitime commented Dec 20, 2016

Hi @sscarduzio, thanks for your reply. Can you tell me how to fix this? My requirement is to authenticate Kibana user access, and I want to use Kibana's monitoring plugin (part of X-Pack).

@sscarduzio
Owner

I reported the bug to Kibana: elastic/kibana#9583

@sscarduzio
Owner

Try now with readonlyrest 1.13.0 and a build of Kibana from https://github.com/elastic/kibana/tree/5.1#snapshot-builds
I made it work today with this setup, although I didn't install the monitoring feature...

sscarduzio added ready and removed ready labels Jan 12, 2017
@aeneaswiener

aeneaswiener commented Feb 10, 2017

I am still seeing this failure to access the Marvel monitoring page with ES 5.2.0, Kibana 5.2.0 and readonlyrest 1.13.2_es5.2.0

@sscarduzio can you confirm if accessing Marvel at /app/monitoring works for you?

@sscarduzio
Owner

Just tested 5.2.0 myself: you are right, monitoring won't load because xpack code is still affected by the above bug (kibana sending unauthenticated requests).

[2017-02-10T19:02:49,562][INFO ][o.e.p.r.a.ACL            ]  no block has matched, forbidding by default: { ID:ecf5799cf6244f45bfb0b95b5ebd506a, TYP:SearchRequest, USR:null, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:.monitoring-data-2, MET:POST, PTH:/.monitoring-data-2/_count, CNT:<OMITTED, LENGTH=0>, HDR:Connection,Host,Content-Length, EFF:0, HIS:[Settings2->[auth_key->false]], [Settings1->[auth_key->false]] }

And btw, Timelion also produces a non-authenticated (yet non-fatal) request:

 no block has matched, forbidding by default: { ID:572ec82fe9f5408fbd4a615a92fbd51c, TYP:GetRequest, USR:null, BRS:false, ACT:indices:data/read/get, OA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/config/5.2.0, CNT:<OMITTED, LENGTH=0>, HDR:Connection,Host,Content-Length, EFF:0, HIS:[Settings1->[auth_key->false]], [Settings2->[auth_key->false]] }
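
A way to read the ACL lines quoted in this thread, added here as an example (it is not part of the thread or of readonlyrest's code): it separates rejections where the request carried no Authorization header from those where credentials were sent but matched no block. The function names and the third sample line are constructed for illustration.

```python
import re

# Two ACL line formats appear in this thread: "HDR:" (names) and "Headers:[Name=value, ...]".
_NEW_HDR = re.compile(r"HDR:(.*?), EFF:")
_OLD_HDR = re.compile(r"Headers:\[(.*?)\]")
_PATH = re.compile(r"\bP(?:TH)?:(/[^,\s]*)")
_MARKER = "no block has matched, forbidding by default"

def header_names(line):
    """Lower-cased request header names recorded in one ACL log line."""
    m = _NEW_HDR.search(line)
    if m:
        return {h.strip().lower() for h in m.group(1).split(",") if h.strip()}
    m = _OLD_HDR.search(line)
    if m:  # keep only Name=value items; take the name part
        return {kv.split("=", 1)[0].strip().lower()
                for kv in m.group(1).split(",") if "=" in kv}
    return set()

def triage(lines):
    """Return (path, verdict) for every request the ACL forbade by default."""
    out = []
    for line in lines:
        if _MARKER not in line:
            continue
        path = _PATH.search(line)
        sent = "authorization" in header_names(line)
        out.append((path.group(1) if path else "?",
                    "credentials-rejected" if sent else "no-credentials"))
    return out

# First two entries are copied from the thread (timestamps dropped); the
# third is constructed for contrast and assumes the same field layout.
SAMPLE = [
    "no block has matched, forbidding by default: { action: indices:data/read/search, "
    "OA:192.168.0.1, indices:[.monitoring-data-2], M:POST, P:/.monitoring-data-2/_count, "
    "C:<OMITTED, LENGTH=0>, Headers:[Host=192.168.0.1:9200, Content-Length=0, "
    "Connection=keep-alive] }",
    "no block has matched, forbidding by default: { ID:572ec82fe9f5408fbd4a615a92fbd51c, "
    "TYP:GetRequest, USR:null, BRS:false, ACT:indices:data/read/get, OA:127.0.0.1, "
    "IDX:.kibana, MET:GET, PTH:/.kibana/config/5.2.0, CNT:<OMITTED, LENGTH=0>, "
    "HDR:Connection,Host,Content-Length, EFF:0, HIS:[Settings1->[auth_key->false]], "
    "[Settings2->[auth_key->false]] }",
    "no block has matched, forbidding by default: { ID:constructed, TYP:GetRequest, "
    "MET:GET, PTH:/.kibana/config/5.2.0, HDR:Authorization,Connection,Host, EFF:0 }",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A "no-credentials" verdict points at the client (here Kibana) rather than at the `auth_key` rules, which is the distinction the log lines above are used to make.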

@gitime
Author

gitime commented Feb 15, 2017

Hi,

Just downloaded the latest plugin and upgraded to ELK 5.2.0; authentication for monitoring is still not working. Any hope? :(

@sscarduzio
Owner

@gitime there's a discussion on the Kibana project about this; they're working on it. elastic/kibana/issues/9583

@nan008

nan008 commented Mar 15, 2017

Any new word on the fix for ES 5.2? We went with X-Pack for monitoring as well and are getting the same behavior as OP.

@sscarduzio
Owner

@nan008 @gitime @aeneaswiener and everyone else interested: this is handled by the Kibana team in an internal ticket; all we can do is put a +1 on my GitHub issue elastic/kibana#9583
