Client-Cert-Login from Kibana to ES hides Kibana-User

Hi,

I tried to set up client certificate authentication between Kibana and Elasticsearch (RPM-based installation):

elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: /etc/kibana/root-ca.pem
elasticsearch.ssl.certificate: /etc/kibana/kibanaserver.crt
elasticsearch.ssl.key: /etc/kibana/kibanaserver.key
#elasticsearch.username: kibanaserver
#elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
...

The certificate is signed by the root CA and accepted by Elasticsearch, so the connection is functional.

But when I log in to Kibana using my LDAP user/password, my user is hidden by the kibanaserver user. Kibana shows “kibanaserver” as the user, and if I e.g. try a simple search via the console I get an error:

"no permissions for [indices:data/read/search] and User [name=kibanaserver, backend_roles=, requestedTenant=user]

So effectively the end user is hidden from Elasticsearch, and therefore all user-specific permissions are not effective.

If I comment out elasticsearch.ssl.certificate and elasticsearch.ssl.key and uncomment the user/password, everything works as expected.

But for security reasons we do not want to have technical users with passwords.

In config.yml the following providers are activated:

  • basic_internal_auth_domain
  • clientcert_auth_domain
  • ldap

I suspect the reason is that, because of the client cert, the basic auth user entry is completely ignored.

Am I missing something or is this a bug?

Regards Michael
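A quick way to check the symptom described above from the command line, independent of Kibana: ask Elasticsearch who it thinks the caller is, once with the client certificate alone (how the poster's kibana.yml authenticates) and once with the same certificate plus the Basic Authorization header that Kibana forwards for the logged-in user. If both calls report kibanaserver, the forwarded end-user credentials are being ignored. This is an added diagnostic, not code from the original post or from the ODFE project. It assumes Elasticsearch listens on https://localhost:9200 (override with ES_URL), uses the certificate, key and CA paths from the poster's kibana.yml, and takes the end user's credentials from LDAP_USER/LDAP_PASS; the `_opendistro/_security/authinfo` endpoint is the security plugin's own, and the sample response used for offline testing is constructed.

```shell
#!/usr/bin/env sh
# Added diagnostic for the Kibana client-cert identity problem (not from the original post).
# Assumptions (not in the original): ES_URL, LDAP_USER/LDAP_PASS, and that the
# cert/key/CA files are the ones named in the poster's kibana.yml.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
CA=/etc/kibana/root-ca.pem
CERT=/etc/kibana/kibanaserver.crt
KEY=/etc/kibana/kibanaserver.key

# Extract the user_name field from an _opendistro/_security/authinfo response
# (JSON on stdin). Pure text processing, so a saved response can be checked offline.
authinfo_user() {
    sed -n 's/.*"user_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Offline sanity check: does the client cert chain to the CA that ES trusts?
verify_chain() {
    openssl verify -CAfile "$CA" "$CERT"
}

# Identity ES resolves when the caller presents only the TLS client certificate.
identity_cert_only() {
    curl -sS --cacert "$CA" --cert "$CERT" --key "$KEY" \
        "$ES_URL/_opendistro/_security/authinfo" | authinfo_user
}

# Same TLS client certificate, plus the Basic Authorization header Kibana forwards
# for the logged-in user (the "Authorization" entry in requestHeadersWhitelist).
identity_cert_plus_basic() {
    curl -sS --cacert "$CA" --cert "$CERT" --key "$KEY" \
        -u "${LDAP_USER}:${LDAP_PASS}" \
        "$ES_URL/_opendistro/_security/authinfo" | authinfo_user
}

# PASS when the forwarded Basic credentials change the resolved user,
# FAIL when the client-cert identity shadows them (the thread's symptom).
compare_identities() {
    cert_only=$(identity_cert_only)
    with_basic=$(identity_cert_plus_basic)
    printf 'cert only:         %s\nwith Basic header: %s\n' "$cert_only" "$with_basic"
    if [ "$cert_only" = "$with_basic" ]; then
        echo "FAIL: end-user credentials are shadowed by the client-cert identity"
        return 1
    fi
    echo "PASS: end user is visible to Elasticsearch"
}

# Only contact the cluster when explicitly asked: ./check_identity.sh run
if [ "${1:-}" = "run" ]; then
    verify_chain
    compare_identities
fi
```

Run it as `LDAP_USER=alice LDAP_PASS=... ./check_identity.sh run`. The error text in the post (User [name=kibanaserver, backend_roles=, requestedTenant=user]) is exactly what a FAIL result looks like from the Kibana side; a PASS means the security plugin is honouring the forwarded header over the certificate's identity, which is the behaviour the poster later reports seeing in ODFE 1.13.2.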

Hello @micha

Could you share your config.yml and full kibana.yml files? What version of ODFE are you running?

I just reactivated the cert-login in order to get the requested information and saw that this seems to work now.

Currently we use ODFE 1.13.2.
I’m not really sure which version was running a year ago, but I think it was around ODFE 1.3.

I will leave the cert login active and check if this is really fixed.

Thanks for now.

Regards Michael


@micha
Great to hear it worked. Thanks for reply.