security-dashboards-plugin's Introduction

OpenSearch Dashboards Security Plugin

This plugin for OpenSearch Dashboards adds a configuration management UI for the OpenSearch Security features, as well as authentication, session management and multi-tenancy support to your secured cluster.

Features

  • OpenSearch Dashboards authentication for OpenSearch
  • OpenSearch Dashboards session management
  • OpenSearch Security configuration UI
  • Multi-tenancy support for OpenSearch Dashboards
  • OpenSearch audit logging configuration UI

Installation

The OpenSearch Dashboards Security Plugin comes bundled by default as part of the OpenSearch Dashboards distribution. Please refer to the installation guide and technical documentation for detailed information on installing and configuring the OpenSearch Security Plugin.

Contributing

See developer guide and how to contribute to this project.

Getting Help

If you find a bug, or have a feature request, please don't hesitate to open an issue in this repository.

For more information, see project website and documentation. If you need help and are unsure where to open an issue, try forums.

Code of Conduct

This project has adopted the Amazon Open Source Code of Conduct. For more information see the Code of Conduct FAQ, or contact [email protected] with any additional questions or comments.

Security

If you discover a potential security issue in this project we ask that you notify OpenSearch Security directly via email to [email protected]. Please do not create a public GitHub issue.

License

This code is licensed under the Apache 2.0 License.

Copyright

Copyright OpenSearch Contributors. See NOTICE for details.

security-dashboards-plugin's People

Contributors

amoo-miki, bandinib-amzn, cliu123, cwperks, darshitchanpura, dblock, derek-ho, devardee, expani, gaiksaya, hsiang9431-amzn, jochen-kressin, kavilla, leanneeliatra, opensearch-trigger-bot[bot], peternied, riysaxen-amzn, ryanl1997, samuelcostae, saratvemulapalli, scrawfor99, skkosuri-amzn, tianleh, vachashah, vamsi-amazon, vinayak15, ylwu-amzn, yuxitang-amzn, zengyan-amazon, zhyuanqi

security-dashboards-plugin's Issues

Building requires GPG and GPG secret key

build.sh does not check for the existence of the mandatory tool GPG and the mandatory setup of GPG keys, but fails with an error:

[INFO] --- maven-gpg-plugin:1.6:sign (sign-artifacts) @ opendistro_security_kibana_plugin ---
gpg: directory '/Users/hannu/.gnupg' created
gpg: keybox '/Users/hannu/.gnupg/pubring.kbx' created
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.149 s
[INFO] Finished at: 2019-06-03T14:49:57+03:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project opendistro_security_kibana_plugin: Exit code: 2 -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
/usr/local/Cellar/maven/3.6.1/bin/mvn clean deploy -Prelease failed

At least documenting what is needed would be great.

Build artifacts for recent Github tagged releases missing?

I've seen several releases cut on this repo for the plugin (v0.9.0.1 & v0.9.0.2 specifically), but don't see any matching build artifacts on the https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/ path that the other versions are under.

Should there also be artifacts for these builds if they're tagged and cut on Github, or should formal GH releases not be done for these if they're some form of intermediate build?

Kibana + OpenID + Reverse Proxy => Redirect wrongly to root

I have a setup where I have Kibana behind a reverse proxy under a sub path "/opendistro-kibana" with openID auth (keycloak).

I have configured Kibana with basePath = "/opendistro-kibana" and opendistro-security.openid.base_redirect_url = "https://somehostname.com/opendistro-kibana/".

I have configured the reverse proxy to strip the path from the URL.

When I point my browser to that location, I get redirected automatically as follows:

  1. To /opendistro-kibana/auth/openid/login?nextUrl=/
  2. To keycloak in some different subpath
  3. Back to https://somehostname.com/opendistro-kibana/auth/openid/login?state=XXX&session_state=YYY&code=ZZZ
  4. To "/" on that server which obviously is not Kibana but something completely different.

Am I doing something wrong?
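Step 1 of the chain above carries nextUrl=/ rather than /opendistro-kibana/, which is consistent with the proxy stripping the prefix before the plugin records the requested path. The following is an added illustration, not the plugin's own code, of how a post-login redirect target can be resolved against the configured basePath while also being kept from turning into an open redirect: only same-origin paths are accepted, a path that has lost the prefix gets it back, and anything else falls back to the base path root. The function names, the base path and the placeholder origin used for parsing are assumptions made for this example.

```javascript
// Added example (not the plugin's own code). Resolves a post-login "nextUrl"
// against a configured base path and refuses redirect targets that would
// leave the Dashboards origin. Base path, hostnames and the placeholder
// origin used for parsing are constructed for this illustration.

const PLACEHOLDER_ORIGIN = 'http://placeholder.invalid';

// Normalise the configured server.basePath: "/opendistro-kibana/" -> "/opendistro-kibana"
function normalizeBasePath(basePath) {
  return (basePath || '').replace(/\/+$/, '');
}

// Build the login URL an unauthenticated request is bounced to, carrying the
// originally requested path so the user lands there after login.
function buildLoginUrl(basePath, requestedPath) {
  const base = normalizeBasePath(basePath);
  return `${base}/auth/openid/login?nextUrl=${encodeURIComponent(requestedPath)}`;
}

// Decide where to send the browser once the IdP has redirected back.
function resolveNextUrl(basePath, nextUrl) {
  const base = normalizeBasePath(basePath);
  const fallback = `${base}/`;

  if (typeof nextUrl !== 'string' || nextUrl === '') return fallback;

  // Only plain, same-origin paths are acceptable. This rejects absolute URLs
  // ("https://..."), protocol-relative ones ("//host"), backslash variants
  // that URL parsers fold into "//", and control characters.
  if (!nextUrl.startsWith('/') || nextUrl.startsWith('//') || /[\\\u0000-\u001f]/.test(nextUrl)) {
    return fallback;
  }

  // Parse against a dummy origin so ".." segments are collapsed, then make
  // sure the result still belongs to that origin.
  const parsed = new URL(nextUrl, PLACEHOLDER_ORIGIN);
  if (parsed.origin !== PLACEHOLDER_ORIGIN) return fallback;

  let path = parsed.pathname + parsed.search + parsed.hash;

  // If the stored path lost the prefix (a proxy that strips it before the
  // plugin sees the request yields nextUrl=/), put the base path back so the
  // browser lands on Dashboards instead of whatever is served at "/".
  if (base !== '' && path !== base && !path.startsWith(`${base}/`)) {
    path = base + path;
  }
  return path;
}

// Walk the chain from the issue: an anonymous hit on the Discover app, the
// bounce to the login handler, and the final redirect after the IdP returns.
function demo() {
  const basePath = '/opendistro-kibana';
  const login = buildLoginUrl(basePath, '/app/discover');
  const nextUrl = new URL(login, PLACEHOLDER_ORIGIN).searchParams.get('nextUrl');
  return {
    login,
    afterLogin: resolveNextUrl(basePath, nextUrl),
    rootOnly: resolveNextUrl(basePath, '/'),
    external: resolveNextUrl(basePath, 'https://other.example/'),
  };
}

console.log(demo());
```

The fallback is deliberately the base path root rather than the raw nextUrl: a redirect parameter that comes back from the browser is attacker-influenced input, so anything that does not parse as a path on the same origin is discarded instead of being followed.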

Automate Index Pattern Creation Per Tenant?

We work in a multi-tenant environment, and I was hoping to automate the creation of index patterns on a per-tenant basis.

We have roles similar to the following:

team_users:
  indices:
    'namespace-team-*':
      '*':
        - READ
  tenants:
    team_tenant: RO

admin_team_users:
  indices:
    'namespace-team-*':
      '*':
        - UNLIMITED
  tenants:
    team_tenant: RW
.
.
.

And roles_mappings:

team_users:
  backendroles:
    - k8s-team-admins
    - k8s-team-users

admin_team_users:
  backendroles:
    - k8s-admins
.
.
.

The above successfully allows members of the k8s-admins group to log into Kibana, switch to the matching team_tenant, and create index patterns (currently of the form namespace-team-*). With this, the members of the k8s-team-admins/users groups now have read-only access to the logs in their given namespace.

Ideally, we would like to be able to issue a curl command from our local machines as admin users, using a specific team_tenant that we have RW access to, and set up the index pattern of the form namespace-team-*. As yet, I haven't been able to track down whether this is supported, but I may be missing something. Any help would be greatly appreciated!
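One way to script what the post asks for, as an added example that is not part of the original issue or of the plugin's code: the saved-objects API is called with a securitytenant header that selects the tenant the object is written to (the same header the elasticsearch.requestHeadersWhitelist setting in a kibana.yml elsewhere on this page passes through). The osd-xsrf header is what OpenSearch Dashboards requires on state-changing API calls; the Kibana of the original thread used kbn-xsrf instead. The host, credentials, tenant and pattern names are constructed placeholders, and the helper names are this example's own.

```javascript
// Added example (not the plugin's own code). Builds the saved-objects request
// that creates an index pattern inside one tenant. The tenant is selected with
// the "securitytenant" request header; "osd-xsrf" is required by OpenSearch
// Dashboards on state-changing API calls (Kibana used "kbn-xsrf").
// Host, credentials and names below are constructed placeholders.

function savedObjectId(title) {
  // Derive a stable id from the pattern so re-running the script overwrites
  // the same object instead of creating duplicates.
  return 'pattern-' + title.replace(/[^A-Za-z0-9]+/g, '-').replace(/^-|-$/g, '');
}

function buildIndexPatternRequest({ baseUrl, tenant, title, timeField, user, password }) {
  // Header values must not carry control characters; reject them up front
  // rather than letting an odd tenant name turn into a malformed request.
  if (/[\u0000-\u001f]/.test(tenant)) throw new Error('invalid tenant name');

  const url = `${baseUrl.replace(/\/+$/, '')}/api/saved_objects/index-pattern/` +
    `${encodeURIComponent(savedObjectId(title))}?overwrite=true`;

  return {
    url,
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'osd-xsrf': 'true',
      securitytenant: tenant,
      Authorization: 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64'),
    },
    body: JSON.stringify({ attributes: { title, timeFieldName: timeField } }),
  };
}

// Send the request with the global fetch available in Node 18+.
async function createIndexPattern(opts) {
  const req = buildIndexPatternRequest(opts);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    throw new Error(`saved_objects call failed: ${res.status} ${await res.text()}`);
  }
  return res.json();
}

function shellQuote(s) {
  return `'${String(s).replace(/'/g, `'\\''`)}'`;
}

// Render the same call as a curl command line, for running it from a shell.
function toCurl(req) {
  const headers = Object.entries(req.headers)
    .map(([k, v]) => `-H ${shellQuote(`${k}: ${v}`)}`)
    .join(' ');
  return `curl -X ${req.method} ${headers} -d ${shellQuote(req.body)} ${shellQuote(req.url)}`;
}

const example = {
  baseUrl: 'https://dashboards.example.test:5601', // constructed host
  tenant: 'team_tenant',
  title: 'namespace-team-*',
  timeField: '@timestamp',
  user: 'admin',                                    // constructed credentials
  password: 'admin-password',
};

// Only talk to a live cluster when explicitly asked; otherwise print the curl
// equivalent so the request can be inspected offline.
if (process.env.RUN_LIVE === '1') {
  createIndexPattern(example).then(console.log).catch((e) => { console.error(e.message); process.exit(1); });
} else {
  console.log(toCurl(buildIndexPatternRequest(example)));
}
```

The caller's own permissions still apply: the write succeeds only for an identity that holds RW on the named tenant, so a team member with an RO tenant mapping gets a 403 from the same request, which is the behaviour the role definitions above are meant to produce.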

Install on existing elasticsearch 6.5.4

When installing on 6.5.4 according to the docs I would use 0.7.1, but when I attempt to install I get:

sudo bin/kibana-plugin install https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-0.7.1.0.zip
Attempting to transfer from https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-0.7.1.0.zip
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-0.7.1.0.zip/https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistro_security_kibana_plugin-0.7.1.0.zip-6.5.4.zip

It looks like Kibana is appending its own version to the plugin and mangling the URL.

OpenID-Connect Token expired

Hello,

We are using OpenID with Kibana, Elasticsearch and Keycloak.

After working 5 minutes in the Kibana dashboards, the client doesn't respond. After opening the devtools in Chrome we see a 401. Switching e.g. from Dashboard to Discover / Visualization also doesn't work.

But if we switch from the Dashboard e.g. to Timelion, the token will be refreshed and the user can continue working.

We are using a Keycloak realm that works perfectly in other applications (Spring Boot etc.). The realm has an Access Token Lifespan of 5 minutes.

We assume that the refresh of the token is not working correctly.

kibana.yml

# Default Kibana configuration from kibana-docker.

server.name: "kibana"
server.host: "XXX"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

# Enable OpenID authentication
opendistro_security.auth.type: "openid"

# The IdP metadata endpoint
opendistro_security.openid.connect_url: "http://CCC:9100/sso/realms/YYY/.well-known/openid-configuration"
#opendistro_security.openid.connect_url: "https://XXX.XX/sso/realms/YYY/.well-known/openid-configuration"

# The ID of the OpenID Connect client in your IdP
opendistro_security.openid.client_id: "ELK"

# The client secret of the OpenID Connect client
opendistro_security.openid.client_secret: "ed...7"
opendistro_security.openid.base_redirect_url: "https://XXX"
#

elasticsearch.url: "https://XXX/es"

Security Config Elasticsearch

opendistro_security:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    kibana:
      # Kibana multitenancy - 
      # see <TBD>
      # To make this work you need to install <TBD>
      multitenancy_enabled: true
      server_username: kibanaserver
      #index: '.kibana'
      #do_not_fail_on_forbidden: false
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        #internalProxies: '.*' # trust all internal proxies, regex pattern
        remoteIpHeader:  'x-forwarded-for'
        proxiesHeader:   'x-forwarded-by'
        #trustedProxies: '.*' # trust all external proxies, regex pattern
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
    authc:
      kerberos_auth_domain: 
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos 
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain: 
        enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles_elk
            openid_connect_url: http://CCC:9100/sso/realms/YYY/.well-known/openid-configuration
            #verify_hostnames: true
            #enable_ssl: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain2: 
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern          
      proxy_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 4
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 7
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap 
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username 
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:    
      roles_from_myldap:
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap 
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username 
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute            
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username 
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users: 
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'    
      roles_from_another_ldap:
        enabled: false
        authorization_backend:
          type: ldap 
          #config goes here ...

Log from kibana:

kibana | {"type":"response","@timestamp":"2019-05-06T06:37:39Z","tags":[],"pid":1,"method":"get","statusCode":401,"req":{"url":"/api/saved_objects/_find?type=dashboard&per_page=1000&page=1&search_fields=title%5E3&search_fields=description","method":"get","headers":{"host":"gisu031.enviamgroup.de:9201","kbn-version":"6.5.4","user-agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36","content-type":"application/json","accept":"*/*","referer":"https://envia-service-net/kibana/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7","x-forwarded-proto":"https","x-forwarded-port":"443","x-forwarded-for":"172.25.153.120","x-forwarded-host":"envia-service-net","x-forwarded-server":"gisu031.enviamgroup","connection":"Keep-Alive"},"remoteAddress":"172.17.0.1","userAgent":"172.17.0.1","referer":"https://envia-service-net/kibana/app/kibana"},"res":{"statusCode":401,"responseTime":4,"contentLength":9},"message":"GET /api/saved_objects/_find?type=dashboard&per_page=1000&page=1&search_fields=title%5E3&search_fields=description 401 4ms - 9.0B"}

Log from elasticsearch:

[2019-05-06T08:43:52,648][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [K3yiX0x] Extracting JWT token from eyJhbGciOiJSUzI1NiI....EO4vPMzm3ZQ failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: The token has expired
        at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:60) ~[opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials0(AbstractHTTPJwtAuthenticator.java:103) [opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.access$000(AbstractHTTPJwtAuthenticator.java:45) [opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:85) [opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:82) [opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at java.security.AccessController.doPrivileged(Native Method) [?:?]
        at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials(AbstractHTTPJwtAuthenticator.java:82) [opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.opendistroforelasticsearch.security.auth.BackendRegistry.authenticate(BackendRegistry.java:448) [opendistro_security-0.7.0.1.jar:0.7.0.1]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter.checkAndAuthenticateRequest(OpenDistroSecurityRestFilter.java:146) [opendistro_security-0.7.0.1.jar:0.7.0.1]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter.access$000(OpenDistroSecurityRestFilter.java:63) [opendistro_security-0.7.0.1.jar:0.7.0.1]
        at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:93) [opendistro_security-0.7.0.1.jar:0.7.0.1]
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:239) [elasticsearch-6.5.4.jar:6.5.4]
        at org.elasticsearch.rest.RestController.tryAllHandlers(RestController.java:335) [elasticsearch-6.5.4.jar:6.5.4]
        at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:173) [elasticsearch-6.5.4.jar:6.5.4]
        at org.elasticsearch.http.netty4.Netty4HttpServerTransport.dispatchRequest(Netty4HttpServerTransport.java:545) [transport-netty4-client-6.5.4.jar:6.5.4]
        at org.elasticsearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:137) [transport-netty4-client-6.5.4.jar:6.5.4]
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:105) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at org.elasticsearch.http.netty4.pipelining.HttpPipeliningHandler.channelRead(HttpPipeliningHandler.java:68) [transport-netty4-client-6.5.4.jar:6.5.4]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.MessageToMessageCodec.channelRead(MessageToMessageCodec.java:111) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297) [netty-codec-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) [netty-handler-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.ChannelInboundHandlerAdapter.channelRead(ChannelInboundHandlerAdapter.java:86) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-common-4.1.30.Final.jar:4.1.30.Final]
        at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.apache.cxf.rs.security.jose.jwt.JwtException: The token has expired
        at org.apache.cxf.rs.security.jose.jwt.JwtUtils.validateJwtExpiry(JwtUtils.java:58) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.validateClaims(JwtVerifier.java:79) ~[opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:56) ~[opendistro_security_advanced_modules-0.7.0.1.jar:0.7.0.1]
        ... 60 more

Sessions expiration time

As an enhancement request, I would like to ask for a configuration to change how long a session lasts until it gets logged out.

Keycloak auth

I'm trying to do keycloak auth and I have setup everything for it.

I have client id and browser authentication flow working seemingly ok. Keycloak logs show that appropriate code-to-token API is being called with correct authentication and all. But for some reason Kibana is still giving me error like this in the browser:

"Authentication failed. Please provide a new token."

What could possibly be the reason for this?

I don't see too many debug logging options for openid auth nor for bell itself, so I am in the dark with this.

Change plugin name to use same version number as Alerting (or remove version altogether)

When attempting to uninstall kibana plugin for security, the following is observed:

[@localhost kibana]$ sudo bin/kibana-plugin list
[email protected]
[email protected]
[@localhost kibana]$ sudo bin/kibana-plugin remove [email protected]
Unable to remove plugin because of error: "Plugin [[email protected]] is not installed"

The correct way to remove this plugin is to use:
[@localhost kibana]$ sudo bin/kibana-plugin remove opendistro_security

The expected way to remove this plugin is to use:
[@localhost kibana]$ sudo bin/kibana-plugin remove [email protected]

Please amend the name so the expected behaviour is observed.

In addition:
Kibana fails to restart after uninstallation. Kibana status from systemctl status kibana.service returns green, but it cannot be accessed via browser at localhost:5601. Kibana is not ready and constantly attempts to restart.
Log files from running:

journalctl -u kibana.service

May 24 16:59:48 localhost.localdomain kibana[18792]: {"type":"log","@timestamp":"2019-05-24T08:59:48Z","tags":["plugin","warning"],"pid":18792,"path":"/usr/share/kibana/src/legacy/core_plugins/ems_util","message
May 24 16:59:50 localhost.localdomain kibana[18792]: {"type":"log","@timestamp":"2019-05-24T08:59:50Z","tags":["fatal","root"],"pid":18792,"message":"{ [Error: EACCES: permission denied, rmdir '/usr/share/kibana
May 24 16:59:50 localhost.localdomain kibana[18792]: FATAL Error: EACCES: permission denied, rmdir '/usr/share/kibana/optimize/bundles/src/ui'
May 24 16:59:50 localhost.localdomain systemd[1]: kibana.service: main process exited, code=exited, status=1/FAILURE
May 24 16:59:50 localhost.localdomain systemd[1]: Unit kibana.service entered failed state.
May 24 16:59:50 localhost.localdomain systemd[1]: kibana.service failed.
May 24 16:59:50 localhost.localdomain systemd[1]: kibana.service holdoff time over, scheduling restart.
May 24 16:59:50 localhost.localdomain systemd[1]: Stopped Kibana.
May 24 16:59:50 localhost.localdomain systemd[1]: Started Kibana.
May 24 17:00:00 localhost.localdomain kibana[18805]: {"type":"log","@timestamp":"2019-05-24T09:00:00Z","tags":["plugin","warning"],"pid":18805,"path":"/usr/share/kibana/src/legacy/core_plugins/ems_util","message
May 24 17:00:01 localhost.localdomain kibana[18805]: {"type":"log","@timestamp":"2019-05-24T09:00:01Z","tags":["fatal","root"],"pid":18805,"message":"{ [Error: EACCES: permission denied, rmdir '/usr/share/kibana
May 24 17:00:01 localhost.localdomain kibana[18805]: FATAL Error: EACCES: permission denied, rmdir '/usr/share/kibana/optimize/bundles/src/ui'
May 24 17:00:01 localhost.localdomain systemd[1]: kibana.service: main process exited, code=exited, status=1/FAILURE
May 24 17:00:01 localhost.localdomain systemd[1]: Unit kibana.service entered failed state.
May 24 17:00:01 localhost.localdomain systemd[1]: kibana.service failed.
May 24 17:00:02 localhost.localdomain systemd[1]: kibana.service holdoff time over, scheduling restart.
May 24 17:00:02 localhost.localdomain systemd[1]: Stopped Kibana.
May 24 17:00:02 localhost.localdomain systemd[1]: Started Kibana.

This will continue looping. The fix is to change permissions of folder "/usr/share/kibana/optimize/bundles/src/ui" by recursively invoking chmod over the optimize folder.
sudo chmod -R 777 optimize
sudo systemctl stop kibana.service
sudo systemctl start kibana.service

After waiting several minutes, kibana will restart as expected.

openid (keycloak) auth: kibana does not refresh access token

Version: ES / Kibana 1.0.1

Reproduce:

  • Setup keycloak as openid provider in both securityconfig and kibana configuration
  • Successfully authenticate
  • Wait 1 minute on the main page (or until session expiration / delete cookies )
  • Try to browse anywhere
  • Kibana will fail to respond unless page is refreshed

What seems to be happening is that Kibana responds with a 302 as you might expect. It then does a CORS OPTIONS request against keycloak (which is enabled and allowed in my keycloak). It then does a GET request against the keycloak auth endpoint which returns a 200 but does not renew the existing session, instead assuming it is logged out. What I believe is happening is that cookies are not being sent in this final request. After keycloak returns a 200, Kibana will fail to respond unless you browse to timelion or the security panel.

Edit: I am not an expert on this codebase... but it seems like there is a pretty massive difference between how searchguard handles this and how open distro does.

This is apparent here: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/26962427413c7cf734c64ccf1db06d9582477f2f/lib/auth/types/AuthType.js#L178

Compared to here: https://github.com/floragunncom/search-guard-kibana-plugin/blob/77ff5e7503d60841fb987274cc9dd20cd9f90806/lib/auth/types/AuthType.js#L197

and specifically here: https://github.com/floragunncom/search-guard-kibana-plugin/blob/77ff5e7503d60841fb987274cc9dd20cd9f90806/lib/auth/types/AuthType.js#L236

I believe I should also be getting a 401 in this case... otherwise the plugin is reliant on cors enabled in keycloak (or any openid provider) to work at all.

Unknown kid when kid contains /

When using OpenID Connect I get this error if the kid contains a /

com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: Unknown kid J4j+I06r0I0vpYnBNucugV8xAPV5\/Xv4uYrrpwwSNK0=
	at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet.getKeyWithKeyId(SelfRefreshingKeySet.java:118) ~[opendistro_security_advanced_modules-0.7.0.0.jar:0.7.0.0]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.SelfRefreshingKeySet.getKey(SelfRefreshingKeySet.java:58) ~[opendistro_security_advanced_modules-0.7.0.0.jar:0.7.0.0]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:41) ~[opendistro_security_advanced_modules-0.7.0.0.jar:0.7.0.0]
	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials0(AbstractHTTPJwtAuthenticator.java:103) 

It seems that the forward-slash in the kid is escaped wrong. The real kid should not have \/ but rather just the /
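An added illustration of the escaping problem described in this report (not code from the plugin or the Open Distro security module): a JWKS whose kid is serialised with the JSON escape `\/` only matches a token's kid once the document is actually JSON-decoded. The JWKS and token are constructed; the kid value is the one quoted above.

```javascript
// Added example, not from the plugin or the Open Distro security module.
// Constructed JWKS document; the kid is the one quoted in the report above,
// serialised with the escaped form "\/" that some JSON encoders emit for "/".
const JWKS_DOCUMENT =
  '{"keys":[{"kty":"oct","kid":"J4j+I06r0I0vpYnBNucugV8xAPV5\\/Xv4uYrrpwwSNK0=","k":"c2VjcmV0"}]}';

// Mistaken approach: pull kid values out of the raw text with a regex. The JSON
// escape sequence survives inside the value, so a kid containing "/" can never
// equal the kid carried in a token header.
function kidsFromJwksNaive(rawJwks) {
  const out = [];
  const re = /"kid":"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(rawJwks)) !== null) out.push(m[1]);
  return out;
}

// Correct approach: parse the document, which turns "\/" back into "/".
function kidsFromJwks(rawJwks) {
  return JSON.parse(rawJwks).keys.map((key) => key.kid);
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function base64UrlDecode(text) {
  return Buffer.from(text.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Builds header.payload.signature with the given kid; the signature is a
// placeholder because only header parsing matters here.
function buildToken(kid) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT', kid }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'alice' }));
  return `${header}.${payload}.signature-placeholder`;
}

function kidFromJwt(token) {
  return JSON.parse(base64UrlDecode(token.split('.')[0])).kid;
}

// Returns the kid that matched a key in the JWKS, or null, which is the
// situation reported as "Unknown kid" above.
function lookupKid(token, rawJwks, loader) {
  const kid = kidFromJwt(token);
  return loader(rawJwks).includes(kid) ? kid : null;
}
```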

Can't use parent OU for userbase

I have several OUs that contain user accounts I'd like to use to authenticate and authorize via LDAP (AD). All of the OUs containing the user accounts are under OU=Core,DC=example,DC=com. However, when I specify that as the "userbase" argument for authc and authz, all login attempts fail. If I change the userbase to be OU=Admins,OU=Core,DC=example,DC=com ... or OU=Service Accounts,OU=Core,DC=example,DC=com ... user accounts in those specific OUs are able to login to Kibana.

Is specifying a parent OU for "userbase" that doesn't directly contain user accounts supported? Is there another option I'm missing to tell the security plugin to recursively look for user accounts in "userbase"?

I'm using amazon/opendistro-for-elasticsearch:0.9.0

Inspect stig profile is failed for the open distro kibana version

We are using opendistro kibana and elasticsearch version. Inspect test for kibana home is failing. As per the version of kibana 0.9.0 its home is /usr/share/kibana instead of /home/kibana.
Due to this, when we try to build a kibana docker image using RHEL 7.2 as a base image it will fail the stig test for kibana home. We defined the kibana home as /usr/share/kibana in the test, but during kibana user creation inside the docker image its default home in /etc/passwd is /home/kibana instead of /usr/share/kibana. Due to this the stig test fails.

No access to security features when using own defined full access admin role

Kibana version in docker: amazon/opendistro-for-elasticsearch-kibana:0.8.0
Elasticsearch version in docker: amazon/opendistro-for-elasticsearch:0.8.0

Reproduction:

  1. Activate OpenID SSO in Kibana:
# Enable OpenID authentication
opendistro_security.auth.type: "openid"

# The IdP metadata endpoint
opendistro_security.openid.connect_url: "https://my-keycloak.com"

# The ID of the OpenID Connect client in your IdP
opendistro_security.openid.client_id: "kibana"

# The client secret of the OpenID Connect client
opendistro_security.openid.client_secret: "secret"

  2. Activate SSO in Elasticsearch according to documentation:
authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://my-keycloak.com/auth/realms/master/.well-known/openid-configuration
  3. In KeyCloak add role to user called: my_own_admin_keycloak
  4. Define my_own_admin_kibana role in Kibana by cloning all_access role
  5. Define role mapping my_own_admin_keycloak backend role -> my_own_admin_kibana

After those operations, when I log in with a user which has the my_own_admin_keycloak role I have full access to all regular features in Kibana/Elasticsearch. The only thing to which I don't have access is the Security section - all buttons disappear and I can see only the Authentication & Authorization button, but when I try to get into that section I see javascript errors in the web console.

To fix that I need to add "admin" role to my user in KeyCloak so then I have full access to all features but I want to avoid adding "admin" role to my users as it gives also permissions in some other services in our company.

Can't save role mapping with only backend roles

Version: opendistro-for-elasticsearch 1.0.0 (docker)

Console log (Chrome):

vendors.bundle.dll.js:formatted:332772 TypeError: Cannot read property 'length' of undefined
    at Scope.$scope.saveObject (security-configuration.bundle.js:8)
    at fn (eval at compile (vendors.bundle.dll.js:formatted:333522), <anonymous>:4:228)
    at callback (vendors.bundle.dll.js:formatted:337319)
    at Scope.$eval (vendors.bundle.dll.js:formatted:335080)
    at Scope.$apply (vendors.bundle.dll.js:formatted:335099)
    at HTMLFormElement.<anonymous> (vendors.bundle.dll.js:formatted:337323)
    at HTMLFormElement.dispatch (vendors.bundle.dll.js:formatted:151434)
    at HTMLFormElement.elemData.handle (vendors.bundle.dll.js:formatted:151344)

Steps to reproduce

  1. Log-in as admin user in Kibana
  2. Security -> Role Mappings -> Add
  3. Add Backend Role -> Fill textbox with role name
  4. Click on 'Submit'

Comments
It seems there's a check before saving that uses '$scope.resource.backendroles' instead of '$scope.resource.backend_roles'

Thanks!

disable security configuration app when there is no security api access

At the moment, when a user does not have the right roles to use the security configuration, the security configuration app is still visible, with some or all icons disabled.

Which is weird, misleading and just doesn't look very good...


I would suggest to completely disable the security config when people do not have the right access rights...

The easiest way to do this, and I think the most consistent one is to disable it if there is no rest-api access, which is exposed through: systemstate.getRestApiInfo().has_api_access

Can be done in public/chrome/configuration/enable_configuration.js

by adding if(systemstate.getRestApiInfo().has_api_access === true)

like below:

```javascript
systemstate.loadRestInfo().then(function(){
    if(systemstate.getRestApiInfo().has_api_access === true) {

        chrome.getNavLinkById("security-configuration").hidden = false;
        FeatureCatalogueRegistryProvider.register(() => {
            return {
                id: 'security-configuration',
                title: 'Security Configuration',
                description: 'Configure users, roles and permissions for Open Distro Security.',
                icon: 'securityApp',
                path: '/app/security-configuration',
                showOnHomePage: true,
                category: FeatureCatalogueCategory.ADMIN
            };
        });
    } else {
        return;
    }
});
```

Any thoughts ???

Cannot use method PATCH in Kibana Dev Tools Console

Not sure if this is the right repo for this issue or not, but figure it's a good place to start.

According to the docs at https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/api/#patch-user, to update individual attributes of an internal user one should submit a request using HTTP PATCH method.

However, the dev tools console in Kibana rejects PATCH as an allowed method:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "child \"method\" fails because [\"method\" must be one of [HEAD, GET, POST, PUT, DELETE]]",
  "validation": {
    "source": "query",
    "keys": [
      "method"
    ]
  }
}

I have confirmed that using curl -XPATCH with the appropriate request body does update the internal user properly.

It would be useful if either:

(a) Kibana were updated to accept PATCH method in dev tools console

or

(b) The API were updated to accept POST method for endpoints currently using PATCH.

Set default tenant

I have three tenants and I want them to be displayed in a specific order in the tenants tab. Even though I have set opendistro_security.multitenancy.tenants.preferred: ["C", "B", "A"] in kibana.yml, I still see them alphabetically ordered in the tenants tab and A is selected by default. Please assist.

Open distro security_kibana_plugin-0.9.0.0 for kibana 6.7.1 FATAL Error: cluster 'security' already exists on start

Hi,
I installed the Open distro security_kibana_plugin-0.9.0.0 for kibana 6.7.1 and on start of kibana I am getting the below error (FATAL Error: cluster 'security' already exists). Please guide

log [11:25:55.225] [info][status][plugin:[email protected]] Status changed from yellow to green - Open Distro Security plugin version 6.7.1 initialised.
log [11:25:55.320] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
log [11:25:56.037] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
log [11:25:58.336] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.341] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.346] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.353] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.360] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.366] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.370] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.375] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.380] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.385] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.388] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.393] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.397] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.402] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [11:25:58.425] [warning][license][xpack] License information from the X-Pack plugin could not be obtained from Elasticsearch for the [data] cluster. Authentication Exception :: {"path":"/_xpack","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm="Open Distro Security""}
log [11:25:59.983] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
log [11:26:00.734] [error][status][plugin:[email protected]] Status changed from uninitialized to red - Authentication Exception
log [11:26:00.778] [fatal][root] Error: cluster 'security' already exists
at Object.create [as createCluster] (D:\ELK\OPen_distro\kibana-6.7.1-windows-x86_64\src\legacy\core_plugins\elasticsearch\lib\create_clusters.js:29:15)
at exports.getClient.server (D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/server/lib/get_client_shield.js:15:48)
at D:\ELK\OPen_distro\kibana-6.7.1-windows-x86_64\node_modules\lodash\index.js:7407:25
at getUserFn (D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/server/lib/get_user.js:11:33)
at D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/server/lib/once_per_server.js:30:15
at memoized (D:\ELK\OPen_distro\kibana-6.7.1-windows-x86_64\node_modules\lodash\index.js:7956:27)
at authorizedUserPreRoutingFn (D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/server/lib/authorized_user_pre_routing.js:14:19)
at D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/server/lib/once_per_server.js:30:15
at memoized (D:\ELK\OPen_distro\kibana-6.7.1-windows-x86_64\node_modules\lodash\index.js:7956:27)
at main (D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/server/routes/main.js:25:36)
at Plugin.init [as externalInit] (D:/ELK/OPen_distro/kibana-6.7.1-windows-x86_64/node_modules/x-pack/plugins/reporting/index.js:178:7)
at process._tickCallback (internal/process/next_tick.js:68:7)

FATAL Error: cluster 'security' already exists

login redirect is not preserving special characters.

Kibana version:

Kibana 6.7.1

Elasticsearch version:
"number" : "6.7.1"

Server OS version:
EC2 linux

Browser version:
Chrome Version 76.0.3809.100 (Official Build) (64-bit)

Browser OS version:
10.14.6 (18G87)

Describe the bug:

When accessing a kibana discovery link when not authenticated, special characters such as pluses (+) are changed to spaces.

Steps to reproduce:

  1. Start with a URL to a Simple Discovery search to +"some words"
https://<blahblahblah>.cloudfront.net/app/kibana#/discover?_g=()&_a=(columns:!(_source),index:c3c8c260-aef7-11e9-8263-cd09a7a2dc83,interval:auto,query:(language:lucene,query:'%2B%22some%20words%22'),sort:!('@timestamp',desc))
  2. Log out of kibana and then try to visit the above url; it redirects to a login where the "next" value is correct: %2B%22some%20words%22
https://<blahblahblah>.cloudfront.net/login?nextUrl=%2Fapp%2Fkibana#/discover?_g=()&_a=(columns:!(_source),index:c3c8c260-aef7-11e9-8263-cd09a7a2dc83,interval:auto,query:(language:lucene,query:'%2B%22some%20words%22'),sort:!('@timestamp',desc))
  3. Log In with username and password.
  4. Kibana opens on a discover search with only "some words", without the + symbol, and the incorrect url is in the omnibar.

https://<blahblahblah>.cloudfront.net/app/kibana#/discover?_g=()&_a=(columns:!(_source),index:c3c8c260-aef7-11e9-8263-cd09a7a2dc83,interval:auto,query:(language:lucene,query:'%20"some%20words"'),sort:!('@timestamp',desc))

Expected behavior:
I expected to be taken to the requested url including the + symbol (which is what happens if I'm already authenticated).
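An added illustration (not the plugin's code; the exact code path in the plugin is not established by this report) of one way a percent-encoded plus is lost across a login redirect: decoding the target once and re-encoding it with encodeURI exposes a bare "+", which form-style decoding of the nextUrl parameter then reads as a space. The sample Discover path is constructed from the URLs above.

```javascript
// Added example, not the plugin's code. Constructed sample: the Discover path
// from the report, carrying the Lucene query +"some words" percent-encoded as
// %2B%22some%20words%22.
const TARGET =
  "/app/kibana#/discover?_a=(query:(language:lucene,query:'%2B%22some%20words%22'))";

// Extracts and decodes the Lucene query from a Discover URL, or null.
function luceneQueryOf(url) {
  const m = /query:'([^']*)'/.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Lossy: decode the target once (so %2B becomes "+"), then re-encode with
// encodeURI, which leaves "+" untouched. The "+" is now indistinguishable from
// a form-encoded space.
function buildLoginUrlLossy(target, basePath = '') {
  return `${basePath}/login?nextUrl=${encodeURI(decodeURIComponent(target))}`;
}

// Preserving: encode the target exactly as received with encodeURIComponent,
// so the original %2B travels as %252B and comes back as %2B after one decode.
function buildLoginUrlPreserving(target, basePath = '') {
  return `${basePath}/login?nextUrl=${encodeURIComponent(target)}`;
}

// The login page reads nextUrl back. URLSearchParams applies
// application/x-www-form-urlencoded rules: %2B becomes "+", but a bare "+"
// becomes a space.
function restoreTarget(loginUrl) {
  const query = loginUrl.slice(loginUrl.indexOf('?') + 1);
  return new URLSearchParams(query).get('nextUrl');
}
```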

Tenant indices migration failed

Setup:

  • Elasticsearch 7.2.0
  • Kibana 7.2.0
  • Open Distro security plugin 7.2.0.0
  • Multitenancy enabled via opendistro_security.multitenancy.enabled: true option in kibana.yml (and # Kibana multitenancy section uncommented in plugins\opendistro_security\securityconfig\config.yml, though it didn't seem to have any effect)

Issue:

Kibana remains in YELLOW status.

Contents of the Plugin Status table:

ID Status
plugin:[email protected] Tenant indices migration failed

The following error message is logged by Kibana (e.g. running kibana --verbose in a console window):

[error][migration] Authorization Exception :: {"path":"/_opendistro/_security/tenantinfo","query":{},"statusCode":403,"response":""}
    at respond (C:\elk\kibana-7.2.0-windows-x86_64\node_modules\elasticsearch\src\lib\transport.js:315:15)
    at checkRespForFailure (C:\elk\kibana-7.2.0-windows-x86_64\node_modules\elasticsearch\src\lib\transport.js:274:7)
    at HttpConnector.<anonymous> (C:\elk\kibana-7.2.0-windows-x86_64\node_modules\elasticsearch\src\lib\connectors\http.js:166:7)
    at IncomingMessage.wrapper (C:\elk\kibana-7.2.0-windows-x86_64\node_modules\elasticsearch\node_modules\lodash\lodash.js:4935:19)
    at IncomingMessage.emit (events.js:194:15)
    at endReadableNT (_stream_readable.js:1103:12)
    at process._tickCallback (internal/process/next_tick.js:63:19)

Similar issues were already signaled (#1, #17) but the proposed solutions don't have any effects in my case

Kibana/security-configuration page is missing a few icons

NOTE: This issue was originally opened in the wrong repo. I have re-posted the issue here, the correct repo.

https://github.com/opendistro-for-elasticsearch/security/issues/57


I was debugging an unrelated issue when I noticed that several resource URLs are returning 404 when loading the security-configuration page.

the 404 URLs are:

%7B%7BroleMappingsSvgURL%7D%7D
%7B%7BrolesSvgURL%7D%7D
%7B%7BactionGroupsSvgURL%7D%7D
%7B%7BinternalUserDatabaseSvgURL%7D%7D
%7B%7BauthenticationSvgURL%7D%7D
%7B%7BpurgeCacheSvgURL%7D%7D

which decodes to:

{{roleMappingsSvgURL}}
{{rolesSvgURL}}
{{actionGroupsSvgURL}}
{{internalUserDatabaseSvgURL}}
{{authenticationSvgURL}}
{{purgeCacheSvgURL}}

which looks like some sort of JS / HTML template variable is not being properly rendered before the HTML is sent to the browser.

I am using docker-compose to spin up the amazon/opendistro-for-elasticsearch-kibana:0.9.0 image. I am using a reverse proxy between my browser and the kibana instance. traefik is only configured to serve a lets-encrypt certificate and forward all requests with /kibana in the URL to the kibana container. Kibana has been configured to "know" that it's behind a proxy and serve all URLs with the /kibana base:

# from kibana.yml:

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
##
# Because we have traefik in front, we need to configure kibana to server all urls with /kibana
#   prefixed
server.basePath: "/kibana"

See the attached photo to get an idea of which icons are missing.

Build artifacts available online?

Keycloak Authentication failed Please provide a new token.

I have set up Elasticsearch and Kibana on my K8s cluster by following this documentation: https://aws.amazon.com/blogs/opensource/open-distro-for-elasticsearch-on-kubernetes/

Everything works with basic auth. Now I want to add Keycloak auth to Kibana. I followed this docu but in Kibana I see only the page "Authentication failed Please provide a new token.".
Docu: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/openid-connect/

Why isn't Kibana showing me the Keycloak login page?

  kibana.yml: |-
    ---
    # Default Kibana configuration from kibana-docker.
    server.name: kibana
    server.host: "0"

    # Replace with Elasticsearch DNS name picked during Service deployment
    elasticsearch.url: ${ELASTICSEARCH_URL}
    elasticsearch.requestTimeout: 360000

    # Kibana TLS Config
    server.ssl.enabled: false
    #server.ssl.key: /usr/share/kibana/config/kibana-key.pem
    #server.ssl.certificate: /usr/share/kibana/config/kibana-crt.pem
    #server.ssl.keyPassphrase: ${KEY_PASSPHRASE}
    
    elasticsearch.ssl.certificate: /usr/share/kibana/config/kibana-crt.pem
    elasticsearch.ssl.key: /usr/share/kibana/config/kibana-key.pem
    elasticsearch.ssl.keyPassphrase: ${KEY_PASSPHRASE}
    elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/kibana-root-ca.pem
    elasticsearch.ssl.verificationMode: certificate

    opendistro_security.allow_client_certificates: true
    
    opendistro_security.cookie.secure: true
    opendistro_security.cookie.password: ${COOKIE_PASS}
    
    opendistro_security.auth.type: "openid"
    opendistro_security.openid.connect_url: "https://keycloak/auth/realms/public/.well-known/openid-configuration"
    opendistro_security.openid.client_id: "id"
    opendistro_security.openid.client_secret: "secret"

    elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]

I'm using elasticsearch and kibana version 0.9.0

Thank you.

Default tenant for users

It would be really useful to let the user choose a default tenant or at least configure one for a given role, for example.

Session expiry not updated when using SAML

I’m using kibana with SAML authentication.
For some reason when the user logs in, I get a security_authentication cookie on my browser but the expiry time is set to 1h from the login time.

This means 1h after I logged in, regardless of using or not kibana in between, my session expires.

Is there any way to have this cookie expiration update on every request?

If I’m actively using kibana (or using automatic refreshes) I would expect my session to not expire.

Looking at https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/88f7dd343e53fabc466f92b90a9165db105d9b7b/lib/auth/types/saml/Saml.js I can see the following:

    if (tokenPayload.exp) {
        // The token's exp value trumps the config setting
        this.sessionKeepAlive = false;
        session.exp = parseInt(tokenPayload.exp, 10);
    } else if(this.sessionTTL) {
        session.expiryTime = Date.now() + this.sessionTTL
    }

but regardless of which settings I use I don’t get my cookie extended.

Also looking at https://docs.search-guard.com/latest/kibana-authentication-search-guard (which I believe is the base for this plugin) it mentions:

searchguard.session.keepalive boolean, if set to true the session lifetime is extended by searchguard.session.ttl upon each request. Default: true

has anybody been able to setup keepalive so every new request refreshes the security cookie?

Set custom cookie Max-Age

Hi, I use opendistro for elasticsearch.
After 1h inactive in the interface I need to login again; I want to increase this timeout.
Is it possible to configure it?
I use ldap authorization.
set-cookie: security_authentication=Fe26.2825c7bb605a776758bbed010d99af2930f13dbd16265bdf5f7042dfda81ca910yEcrEdmu8wDHrKOb0yBtYQbxogIjV4NLzjHUK_2IJXvmXq1bxnQJ_iSJj-1qtOALGUAJaIXuS_VOKfu4fTTgajqKMl3B0G3TiH1a-_aKe04s61MfsTIOK1eXEezT4xipI8Qf8ONo9RnjCzW_3Ih21ZASqlFKUtaU42my577T0jGHTGr-DDxf655wh719TOESylhXzH1-QGo8a0mROKpdYHQoY7EcbvgTOsrZjq1ZXROLGHTLEuP9VC4jU1grKoSJk098b3b2bf35cc56a5920628aa5aad7da9ce323c04de3c284bdf66c6db9ded9d1*hT-vlP2OglYA6RAdeMN9tN2OvGr7G3kFtW7_2buB1ho; ### Max-Age=3600; Expires=Thu, 06 Jun 2019 10:12:13
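An added example (not the plugin's code) covering both the SAML expiry excerpt above and the Max-Age question here: a session that either slides forward on each request (keep-alive) or stays fixed at ttl from login, a hard cap taken from a token exp claim, and Set-Cookie attributes derived from the server-side expiry. The ttl and keep-alive values are constructed; the function and field names are assumptions, not the plugin's.

```javascript
// Added example; ttlMs / keepAlive mirror the session.ttl and session.keepalive
// settings named above. All values are constructed.
const ONE_HOUR_MS = 60 * 60 * 1000;

// Session record created at login. A token exp claim (seconds since epoch)
// caps the session and disables keep-alive, as in the excerpt quoted above;
// otherwise the session lasts ttlMs from login and may slide if keepAlive is on.
function createSession(loginMs, ttlMs, keepAlive, tokenExpSeconds) {
  if (tokenExpSeconds) {
    return { expiryTime: tokenExpSeconds * 1000, keepAlive: false };
  }
  return { expiryTime: loginMs + ttlMs, keepAlive };
}

// Called on each authenticated request. Returns null once the session has
// expired; with keep-alive the expiry slides forward by ttlMs from now.
function touchSession(session, nowMs, ttlMs) {
  if (nowMs >= session.expiryTime) return null;
  if (!session.keepAlive) return session;
  return { ...session, expiryTime: nowMs + ttlMs };
}

// Set-Cookie attributes so that the browser's Max-Age tracks the server-side
// expiry; HttpOnly/Secure keep the session cookie out of scripts and plain HTTP.
function cookieAttributes(session, nowMs) {
  const maxAge = Math.max(0, Math.floor((session.expiryTime - nowMs) / 1000));
  const expires = new Date(session.expiryTime).toUTCString();
  return `Max-Age=${maxAge}; Expires=${expires}; HttpOnly; Secure; SameSite=Lax`;
}

// Replays request times (offsets in ms after login) against a session and
// returns the offsets that were still accepted.
function replayRequests(session, loginMs, ttlMs, offsetsMs) {
  const accepted = [];
  let current = session;
  for (const offset of offsetsMs) {
    current = touchSession(current, loginMs + offset, ttlMs);
    if (current === null) break;
    accepted.push(offset);
  }
  return accepted;
}
```

With keep-alive off, the fixed-expiry behaviour above reproduces the 1h logout regardless of activity; with it on, the session only ends after ttl of inactivity, unless a token exp caps it.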

Unable to release index locked with read_only_allow_delete

I had my .opendistro_security index (actually, all my indices) locked down from writes due to triggering the cluster.routing.allocation.disk.watermark.flood_stage setting. In layman's terms, disk space full triggering a write lock on indices.

More info on this automatic setting here: https://www.elastic.co/guide/en/elasticsearch/reference/current/disk-allocator.html

This is a last resort to prevent nodes from running out of disk space. The index block must be released manually once there is enough disk space available to allow indexing operations to continue.

Blunder aside, I found out even the admin user has no rights to unlock that index due to lack of permissions.

If securityadmin.sh is the only one that can write to that index, there seems to be a lack of support in the tool to manually unlock that index under the automatic-disk-space-triggered-lock-down circumstance.

In dev console, under admin user:
PUT /.opendistro_security/_settings { "index.blocks.read_only_allow_delete": null }
...results in:
{ "error": { "root_cause": [ { "type": "security_exception", "reason": "no permissions for [] and User [name=admin, roles=[admin], requestedTenant=]" } ], "type": "security_exception", "reason": "no permissions for [] and User [name=admin, roles=[admin], requestedTenant=]" }, "status": 403 }
And in Elasticsearch logs:
[2019-07-31T13:36:51,360][WARN ][c.a.o.s.p.OpenDistroSecurityIndexAccessEvaluator] [node-id] indices:admin/settings/update for '.opendistro_security' index is not allowed for a regular user

Kibana behind HTTPS - “Kibana did not load properly”

As first opened in the forums here, there seems to be an issue when Kibana is placed behind a reverse-proxy providing HTTPS access to the kibana web-ui.

We're greeted with the following text when visiting the UI:


If we reload the page, the text eventually disappears and we're able to access the login page.

full multitenancy support?

Does OpenDistro support multitenancy?

I see this in my config.yml:
# Kibana multitenancy -
# see <TBD>
# To make this work you need to install <TBD>

Security Config visible for users that don't have access to it

When I log into Opendistro Kibana with the standard kibanaro user, or another self-created user that has no access to the security config, the security icon is still visible, and when clicked on, the security config screen is partially rendered (just the authentication and authorization icon)


When you click on the remaining icon, it doesn't actually let you view anything, but redirects to the login page...

Shouldn't this be hidden completely for users that don't have access.

It confuses users, and doesn't look very nice when you do get in it.

I think in the past when I played with SearchGuard, the security config wasn't visible at all if one didn't have access to it?

(This happens with any version of opendistro from 0.8.0 to 1.1.0)

Allow user to copy/move dashboard or visualization object from one tenant to another tenant

Currently, there is no way user can copy/move dashboard or visualization object from one tenant to another tenant.

Use-cases:

  1. If a user belongs to multiple tenants and has created a dashboard or visualization in one tenant and wants to copy or move it to another tenant.
  2. Migrating or installing the security plugin on an existing production cluster: if an admin or a user with restore permission restored a snapshot of the kibana index (which was created without the Security plugin) and wants to copy/move dashboards to a different tenant based on their access model.

We should provide a button in the kibana plugin for copy/move from one tenant to another tenant. This feature may require changes to the back-end plugin too.

Kibana read only mode?

Hello, I'm using Opendistro 1.0 (for Kibana 7.0.1).
I've noticed there's a reserved role called kibana_read_only, which is empty (it doesn't make any sense).

I tried using the kibana_user one, but I've noticed that cloning it and assigning a user to it doesn't work (it only works with the original role).
But in doing so, I can't modify it to remove permissions (and obtain a true read_only role).

Can anyone help?

Regards.

Easy Tenant Switcher

Hello,

We are deploying OpenDistro using LDAP and tenants, various LDAP users are able to use various tenants however switching between tenants on the fly isn't very pleasing today. Can we add a drop down tenant switcher next to the user's logout button in the top right of the Kibana window to easily allow users to switch tenants?

I think this would be a welcomed feature for many deployments along with the ability for user's to select a default tenant.

Best Regards,

Rob

Password policy enforcement

Look forward to seeing some features on password policy enforcement…for example, the password complexity, repeat, etc. enforcement…

Cannot destructure property `callWithInternalUser` of 'undefined' or 'null'.

log [11:28:22.848] [info][status][plugin:[email protected]] Status changed from yellow to green - Ready
log [11:28:22.849] [info][status][plugin:[email protected]] Status changed from yellow to green - Ready
log [11:28:22.852] [info][status][plugin:[email protected]] Status changed from yellow to green - Ready
log [11:28:22.858] [info][status][plugin:[email protected]] Status changed from yellow to green - Ready
log [11:28:22.863] [info][status][plugin:[email protected]] Status changed from yellow to green - Ready
log [11:28:22.885] [error][status][plugin:[email protected]] Status changed from yellow to red - Cannot destructure property callWithInternalUser of 'undefined' or 'null'.


Javascript error on tenant page

Symptoms:

  • When you click on any button (dashboard/visualization/select) on the tenant page the application shows this error in the browser's debug console:
vendors.bundle.dll.js:316 Error: Nav link for id = timelion not found
    at Object.chrome.getNavLinkById (commons.bundle.js:1)
    at security-multitenancy.bundle.js:1
    at processQueue (vendors.bundle.dll.js:316)
    at vendors.bundle.dll.js:316
    at Scope.$digest (vendors.bundle.dll.js:316)
    at Scope.$apply (vendors.bundle.dll.js:316)
    at done (vendors.bundle.dll.js:316)
    at completeRequest (vendors.bundle.dll.js:316)
    at XMLHttpRequest.requestLoaded (vendors.bundle.dll.js:316) "Possibly unhandled rejection: {}"

How to reproduce:

  • Disable the timelion plugin on kibana.yml (timelion.enabled: false)

Versions:

  • Tested on 0.9.0.0

Comments:
This error happens in file public/apps/multitenancy/multitenancy.js at line 209 on the master branch

chrome.getNavLinkById("timelion").lastSubUrl = chrome.getNavLinkById("timelion").url;

Proposed solution:
This error can be avoided by checking if the plugin is enabled before using it, changing the line above to:

if(chrome.getInjected("timelion.ui.enabled")) {
    chrome.getNavLinkById("timelion").lastSubUrl = chrome.getNavLinkById("timelion").url;
}

JWT authentication: kibana rejects valid tokens after session expiry

Symptoms:

  1. user successfully logs in using jwt access token. Token based user, roles all OK
  2. access token refreshed on a 10 minute basis
  3. new access token delivered to kibana, usually kibana responds without an issue.

However, sometimes:

  4-a) kibana responds with 302 /kibana/customerror?type=sessionExpired#?_g=()
  4-b) I can test the token delivered in step 3 with elastic and it authenticates fine.

  5. clearing all cookies, starting in incognito session, trying in different browser, all produce same 302 error

Workaround:

Only restarting kibana seems to work. :-(
After restarting only kibana, and using same token, authentication works.

Comments:

Suspect, but can't validate, that the kibana server is somehow maintaining state associated with the token or its cookie?

kibana log in verbose mode

kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:11Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}
kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-proxy"],"pid":1,"message":"Event is being forwarded: connection"}
kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-service"],"pid":1,"message":"Request will be handled by proxy POST:/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true."}
kibana-service       | {"type":"response","@timestamp":"2019-06-04T22:24:13Z","tags":[],"pid":1,"method":"post","statusCode":302,"req":{"url":"/elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true","method":"post","headers":{"connection":"upgrade","host":"localhost","content-length":"1383","accept":"application/json, text/plain, */*","origin":"http://localhost","kbn-version":"6.7.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","dnt":"1","content-type":"application/x-ndjson","referer":"http://localhost/kibana/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","securitytenant":"__user__"},"remoteAddress":"172.19.0.11","userAgent":"172.19.0.11","referer":"http://localhost/kibana/app/kibana"},"res":{"statusCode":302,"responseTime":8,"contentLength":9},"message":"POST /elasticsearch/_msearch?rest_total_hits_as_int=true&ignore_throttled=true 302 8ms - 9.0B"}
kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-proxy"],"pid":1,"message":"Event is being forwarded: connection"}
kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["debug","legacy-service"],"pid":1,"message":"Request will be handled by proxy GET:/customerror?type=sessionExpired."}
kibana-service       | {"type":"response","@timestamp":"2019-06-04T22:24:13Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/customerror?type=sessionExpired","method":"get","headers":{"connection":"upgrade","host":"localhost","accept":"application/json, text/plain, */*","kbn-version":"6.7.1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","dnt":"1","referer":"http://localhost/kibana/app/kibana","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"172.19.0.11","userAgent":"172.19.0.11","referer":"http://localhost/kibana/app/kibana"},"res":{"statusCode":200,"responseTime":8,"contentLength":9},"message":"GET /customerror?type=sessionExpired 200 8ms - 9.0B"}
kibana-service       | {"type":"log","@timestamp":"2019-06-04T22:24:13Z","tags":["plugin","debug"],"pid":1,"message":"Checking Elasticsearch version"}

deploy failed for opendistro_security_parent-0.7.0.1.pom

Downloading: https://repo.maven.apache.org/maven2/com/amazon/opendistroforelasticsearch/opendistro_security_parent/0.7.0.1/opendistro_security_parent-0.7.0.1.pom
[ERROR] The build could not read 1 project -> [Help 1]
[ERROR]
[ERROR] The project com.amazon.opendistroforelasticsearch:opendistro_security_kibana_plugin:0.7.0.1 (/usr/local/kibana/plugins/security-kibana-plugin/pom.xml) has 1 error
[ERROR] Non-resolvable parent POM: Could not find artifact com.amazon.opendistroforelasticsearch:opendistro_security_parent:pom:0.7.0.1 in central (https://repo.maven.apache.org/maven2) and 'parent.relativePath' points at wrong local POM @ line 27, column 11 -> [Help 2]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/ProjectBuildingException
[ERROR] [Help 2] http://cwiki.apache.org/confluence/display/MAVEN/UnresolvableModelException
/usr/share/maven/bin/mvn clean deploy -Prelease failed

Kibana status is Yellow - "plugin:[email protected] Tenant indices migration failed"

Originally reported in opendistro/for-elasticsearch-docs#6:

Using the sample docker-compose.yml (https://opendistro.github.io/for-elasticsearch-docs/docs/install/docker/).

then run:
docker-compose up
Able to login to Kibana and everything works fine.

then:
docker-compose stop
docker-compose start

Able to login to Kibana but see error:
Kibana status is Yellow
plugin:[email protected] Tenant indices migration failed

Unable to do anything in Kibana. Any help would be appreciated.

problem with self signed cert with oidc

I haven't figured out whether this is the right module that handles the OpenID Connect code; it doesn't seem like it, so please let me know if I should go to another module instead. Since I can't get SAML to work, I am trying OIDC and I get a self-signed cert error when I use OIDC. I already put the CA cert in

config:
pemtrustedcas_filepath: /path/to/trusted_cas.pem

as well.

Error from the log:

,"tags":["error","openid"],"pid":XXXXX,"level":"error","error":{"message":"Client request error: self signed certificate","name":"Error","stack":"Error: self signed certificate\n at TLSSocket. (_tls_wrap.js:1116:38)\n at emitNone (events.js:106:13)\n at TLSSocket.emit (events.js:208:7)\n at TLSSocket._finishInit (_tls_wrap.js:643:8)\n at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:473:38)","code":"DEPTH_ZERO_SELF_SIGNED_CERT"},"message":"Client request error: self signed certificate"

Kibana multi-tenancy, dashboard tab shows 'Edit new Dashboard'

I'm using opendistro 1.2.0

After switching tenant, the first time I navigate to dashboard tab what I see is a screen showing an empty new dashboard, ready to be created and saved.

But if I navigate again on dashboard tab, what I see is the list of available dashboards for this tenant, as expected.

This happens also with a user with a role of read_only. Which is even worse, since it is not allowed to create or edit dashboards. Indeed in this case the 'read only user' sees the same screen for creating/editing a dashboard, but without the buttons 'save', 'cancel' and 'add' on top left corner.

Why is this happening?
