elasticfence / elasticsearch-http-user-auth

HTTP Basic Authentication and IP ACL plugin for Elasticsearch :key: (UNMAINTAINED)
http://qxip.net

Kibana cannot be set up when a non-root user is set for elasticsearch.username in kibana.yml #24

Closed ChristinaLy closed 8 years ago

ChristinaLy commented 8 years ago

Steps to reproduce:

  1. Add user and index:

     ```
     {"username":"admin","password":"045928218d6d5a42f976163d70cdfe9226e9d1c3ea6bf1647ae1d8f44c2edc7d","indices":["/.kibana"],"created":"2016-07-08T03:35:13-0400"},
     ```

  2. Modify the kibana.yml, add the following info:

     ```
     elasticsearch.username: "admin"
     elasticsearch.password: "somepass"
     ```

  3. Start Kibana and show error info:

     ```
     log [05:35:56.789] [info][status][plugin:kibana] Status changed from uninitialized to green - Ready
     log [05:35:56.844] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow - Waiting for Elasticsearch
     log [05:35:56.872] [error][elasticsearch] Request error, retrying -- Parse Error
     log [05:35:56.878] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green - Ready
     log [05:35:56.885] [info][status][plugin:markdown_vis] Status changed from uninitialized to green - Ready
     log [05:35:56.893] [warning][elasticsearch] Unable to revive connection: http://xx.xx.xx.xx:9200/
     log [05:35:56.894] [warning][elasticsearch] No living connections
     log [05:35:56.897] [error][status][plugin:elasticsearch] Status changed from yellow to red - Unable to connect to Elasticsearch at http://xx.xx.xx.xx:9200. Retrying in 2.5 seconds.
     log [05:35:56.899] [info][status][plugin:metric_vis] Status changed from uninitialized to green - Ready
     log [05:35:56.905] [info][status][plugin:spyModes] Status changed from uninitialized to green - Ready
     log [05:35:56.910] [info][status][plugin:statusPage] Status changed from uninitialized to green - Ready
     log [05:35:56.915] [info][status][plugin:table_vis] Status changed from uninitialized to green - Ready
     log [05:35:56.933] [info][listening] Server running at http://0.0.0.0:5601
     log [05:35:59.405] [warning][elasticsearch] Unable to revive connection: http://xx.xx.xx.xx:9200/
     log [05:35:59.406] [warning][elasticsearch] No living connections
     log [05:36:01.914] [warning][elasticsearch] Unable to revive connection: http://xx.xx.xx.xx:9200/
     log [05:36:01.916] [warning][elasticsearch] No living connections
     ```

But with the root user, Kibana can start successfully:

```
elasticsearch.username: "root"
elasticsearch.password: "rootpass"
```

lmangani commented 8 years ago

Hi @ChristinaLy. At this time, for a non-root user you need to specifically add permissions to access the service indexes Kibana needs. You can check the Elasticsearch logs to see what gets blocked and add permissions to the admin account. Let us know if you need assistance while trying.

ChristinaLy commented 8 years ago

@lmangani Thanks for your quick response :) I'd like to know what you mean by "service indexes Kibana needs". Does this mean the index .kibana?

I tried to use the RESTful API to access the .kibana index, and it works well:

```
curl -u admin -XGET 'xx.xx.xx.xx:9200/.kibana/_search?pretty'
Enter host password for user 'admin':
{ "took" : 13
```

By the way, there are no error/warning messages in the Elasticsearch logs. The latest message in the Elasticsearch log is:

```
[2016-07-08 06:26:38,492][INFO ][gateway ] [Tamara Rahn] recovered [4] indices into cluster_state
```

lmangani commented 8 years ago

@ChristinaLy when access is prevented, a log line from elasticfence should appear indicating the user and the path trying to be accessed IF blocked by the plugin. I will try to replicate this.

The admin user should be whitelisted for .kibana* or you can start with a more permissive approach and trim it down later, ie: "*,_*:

Maybe other users can share their whitelist for Kibana4 and we can integrate it directly in new releases

lmangani commented 8 years ago

Did the suggestion solve your issue?

lmangani commented 8 years ago

The latest snapshot for ES 2.3.4 enables defining filters as regex match rules and greatly simplifies the task. You can be as permissive as you want with the custom user rules now, i.e.:

```
/logstash.*,/_.*,/.kibana,/
```
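
An added example, not code from this thread or from the elasticfence project: a small audit of which request paths a comma-separated rule list lets through, useful when trimming a permissive whitelist down. The sample Kibana paths are constructed, and because the page does not state whether rules are anchored, the hypothetical `allowed` helper evaluates both full-path and prefix matching as assumptions.

```python
import re

# Rule lists quoted in the thread.
ORIGINAL_RULES = "/.kibana"                  # the admin user's "indices" entry,
                                             # treated as a regex here for comparison
REGEX_RULES = "/logstash.*,/_.*,/.kibana,/"  # the regex example for ES 2.3.4

# Constructed sample: request paths of the kind a Kibana 4 instance sends to
# Elasticsearch (assumption, not captured from the reporter's system).
KIBANA_PATHS = [
    "/_nodes",
    "/_cluster/health/.kibana",
    "/.kibana/_search",
    "/_mget",
    "/logstash-2016.07.08/_search",
]
# A constructed path Kibana does not need; a tight rule set should block it.
UNRELATED_PATH = "/secret-index/_search"


def allowed(path, rules, mode):
    """Return True if any comma-separated rule matches the path.

    mode="full"   -> the rule must match the whole path
    mode="prefix" -> the rule only has to match at the start of the path
    Which one the plugin uses is not stated on the page; both are assumptions.
    """
    match = re.fullmatch if mode == "full" else re.match
    return any(match(rule, path) is not None
               for rule in rules.split(",") if rule)


def blocked_paths(rules, mode, paths=KIBANA_PATHS):
    """List the sample paths that the rule set would reject."""
    return [p for p in paths if not allowed(p, rules, mode)]


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES), ("regex", REGEX_RULES)):
        for mode in ("full", "prefix"):
            print(f"{name:8} {mode:6} blocked={blocked_paths(rules, mode)} "
                  f"unrelated_allowed={allowed(UNRELATED_PATH, rules, mode)}")
```

Under prefix matching the trailing `/` rule admits every path, while under full matching `/.kibana` alone does not cover `/.kibana/_search`, so a rule list should be checked against the real request paths before it is relied on.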

ChristinaLy commented 8 years ago

@lmangani Tried all the methods you provided, but it didn't work. I haven't tried with ES 2.3.4 yet since I have to use ES 2.1.1 for some reason.

Now I am using the root user for Kibana. :)

lmangani commented 8 years ago

@ChristinaLy thanks for the update, root will of course work fine. We'll try to backport the regex matching to earlier ES plugin versions but no promises.

Feel free to reopen the ticket if needed and thanks for the report!