Kibana Canvas plugin doesn't works with SearchGuard

Question

I have installed ELK stack with version 6.3.0 and I also install Canvas plugin in Kibana. But it seems does not works because there is authentication issues when Canvas create request to Elasticsearch. I am uses SearchGuard for authentication instead of X-Pack security.

Below is my installation details:

1. Elasticsearch
    Version: 6.3.0
    Plugins: - search-guard-6

2. Kibana
    Version: 6.3.0
    Plugins: - canvas@0.1.2015
             - searchguard@6.3.0-13

And here is kibana log output:

common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{\"_source\":[],\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"-_index:.kibana\"}}]}},\"size\":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm=\"Search Guard\""}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  status: 401,
  displayName: 'AuthenticationException',
  message: 'Authentication Exception',
  path: '/memberbebe/_search',
  query: {},
  body: 'Unauthorized',
  statusCode: 401,
  response: 'Unauthorized',
  wwwAuthenticateDirective: 'Basic realm="Search Guard"',
  toString: [Function],
  toJSON: [Function],
  isBoom: true,
  isServer: false,
  data: null,
  output: 
   { statusCode: 401,
     payload: 
      { statusCode: 401,
        error: 'Unauthorized',
        message: 'Authentication Exception' },
     headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
  reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{\"_source\":[],\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"-_index:.kibana\"}}]}},\"size\":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm=\"Search Guard\""}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  status: 401,
  displayName: 'AuthenticationException',
  message: 'Authentication Exception',
  path: '/memberbebe/_search',
  query: {},
  body: 'Unauthorized',
  statusCode: 401,
  response: 'Unauthorized',
  wwwAuthenticateDirective: 'Basic realm="Search Guard"',
  toString: [Function],
  toJSON: [Function],
  isBoom: true,
  isServer: false,
  data: null,
  output: 
   { statusCode: 401,
     payload: 
      { statusCode: 401,
        error: 'Unauthorized',
        message: 'Authentication Exception' },
     headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
  reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{\"_source\":[],\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"-_index:.kibana\"}}]}},\"size\":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm=\"Search Guard\""}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  status: 401,
  displayName: 'AuthenticationException',
  message: 'Authentication Exception',
  path: '/memberbebe/_search',
  query: {},
  body: 'Unauthorized',
  statusCode: 401,
  response: 'Unauthorized',
  wwwAuthenticateDirective: 'Basic realm="Search Guard"',
  toString: [Function],
  toJSON: [Function],
  isBoom: true,
  isServer: false,
  data: null,
  output: 
   { statusCode: 401,
     payload: 
      { statusCode: 401,
        error: 'Unauthorized',
        message: 'Authentication Exception' },
     headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
  reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{\"_source\":[],\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"-_index:.kibana\"}}]}},\"size\":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm=\"Search Guard\""}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  status: 401,
  displayName: 'AuthenticationException',
  message: 'Authentication Exception',
  path: '/memberbebe/_search',
  query: {},
  body: 'Unauthorized',
  statusCode: 401,
  response: 'Unauthorized',
  wwwAuthenticateDirective: 'Basic realm="Search Guard"',
  toString: [Function],
  toJSON: [Function],
  isBoom: true,
  isServer: false,
  data: null,
  output: 
   { statusCode: 401,
     payload: 
      { statusCode: 401,
        error: 'Unauthorized',
        message: 'Authentication Exception' },
     headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
  reformat: [Function] }
common/interpret esdocs: invokeChain rejected { Authentication Exception :: {"path":"/memberbebe/_search","query":{},"body":"{\"_source\":[],\"query\":{\"bool\":{\"must\":[{\"query_string\":{\"query\":\"-_index:.kibana\"}}]}},\"size\":100}","statusCode":401,"response":"Unauthorized","wwwAuthenticateDirective":"Basic realm=\"Search Guard\""}
    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:307:15)
    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:266:7)
    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:159:7)
    at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
    at emitNone (events.js:111:20)
    at IncomingMessage.emit (events.js:208:7)
    at endReadableNT (_stream_readable.js:1064:12)
    at _combinedTickCallback (internal/process/next_tick.js:138:11)
    at process._tickDomainCallback (internal/process/next_tick.js:218:9)
  status: 401,
  displayName: 'AuthenticationException',
  message: 'Authentication Exception',
  path: '/memberbebe/_search',
  query: {},
  body: 'Unauthorized',
  statusCode: 401,
  response: 'Unauthorized',
  wwwAuthenticateDirective: 'Basic realm="Search Guard"',
  toString: [Function],
  toJSON: [Function],
  isBoom: true,
  isServer: false,
  data: null,
  output: 
   { statusCode: 401,
     payload: 
      { statusCode: 401,
        error: 'Unauthorized',
        message: 'Authentication Exception' },
     headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },
  reformat: [Function] }

How I can solve this issue? Any suggestions?

Thank you

score 0 · Answer 1 · answered Jul 05 '18 at 09:51

Finally, I found temporary solution for this issue by myself.

I am editing file /plugins/canvas/server/routes/socket.js in line 37:

if (server.plugins.security) request.headers.authorization = authHeader;

to:

request.headers.authorization = "Basic <HASHED_USER_PASS>";

The is SearchGuard Username:SearchGuard Password encoded with Base64.

I know that my solution maybe not the best solution and need to be improved but I hope it can help other users with the same issue.

Thanks.

Kibana Canvas plugin doesn't works with SearchGuard

1 Answers1