Disable Access of Kibana Server Status API [api/status]

Abb · October 26, 2021, 6:52am

We have ElasticSearch Setup, and noticed that URL/api/status is being accessed publicly without being authenticated and this is sitting behind the load balancer.

However URL/api or URL/status throws unauthorised message as below

{“statusCode”:401,“error”:“Unauthorized”,“message”:“Unauthorized”}

Do we need to have extra setting to disable public access on /api/status

pablo · October 26, 2021, 9:51am

@Abb

Do you mean https://localhost:9200/api/status ?

If so, what response do you get?

Abb · October 26, 2021, 10:19am

@pablo

Yes, but its not localhost:9200, rather it on the Production.

https://someProdURL/api/status gives me the complete JSON-formatted server status details in response as mentioned here :
Access Kibana | Kibana Guide [8.4] | Elastic

But https://someProdURL/api or https://someProdURL/status returns {“statusCode”:401,“error”:“Unauthorized”,“message”:“Unauthorized”}

We tried these below settings in kibana.yml but still no luck

server.xsrf.disableProtection: false
status.allowAnonymous: false
opendistro_security.auth.anonymous_auth_enabled: false

oscark · October 26, 2021, 10:45am

My original issue for opendistro:
https://github.com/opensearch-project/security-dashboards-plugin/issues/579

github.com

opensearch-project/security-dashboards-plugin/blob/a8f8d5bd00957711c3a8b26dd02a1db52314b763/server/index.ts#L73


      
                  !['', 'basicauth', 'jwt', 'openid', 'saml', 'proxy', 'kerberos', 'proxycache'].includes(
                    value
                  )
                ) {
                  return `allowed auth.type are ['', 'basicauth', 'jwt', 'openid', 'saml', 'proxy', 'kerberos', 'proxycache']`;
                }
              },
            }),
            anonymous_auth_enabled: schema.boolean({ defaultValue: false }),
            unauthenticated_routes: schema.arrayOf(schema.string(), {
              defaultValue: ['/api/status', '/api/reporting/stats'],
            }),
            forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
            logout_url: schema.string({ defaultValue: '' }),
          }),
          basicauth: schema.object({
            enabled: schema.boolean({ defaultValue: true }),
            unauthenticated_routes: schema.arrayOf(schema.string(), { defaultValue: ['/api/status'] }),
            forbidden_usernames: schema.arrayOf(schema.string(), { defaultValue: [] }),
            header_trumps_session: schema.boolean({ defaultValue: false }),
            alternative_login: schema.object({

I have not updated to opensearch yet but I think the solution is to set auth.unauthenticated_routes: [] in opensearch dashboard configuration.

Abb · October 26, 2021, 10:52am

@oscark auth.unauthenticated_routes: [] is this setting to be used in kibana.yml? and does opendistro support it?

pablo · October 26, 2021, 11:27am

@Abb

Try opensearch_security.auth.unauthenticated_routes: []

Abb · October 26, 2021, 12:27pm

@pablo @oscark I tried the above setting… Still able to access the api

pablo · October 26, 2021, 12:45pm

@Abb

Could you send your config?

This worked for me.
opensearch_security.auth.unauthenticated_routes: []

This option has to go with empty brackets.

oscark · October 26, 2021, 2:09pm

So I think that opensearch should be (as Pablo wrote): opensearch_security.auth.unauthenticated_routes: []
And opendistro should use:
opendistro_security.auth.unauthenticated_routes: []

Abb · October 27, 2021, 10:38am

@oscark @pablo

Using opendistro_security.auth.unauthenticated_routes: [] did work for me but now the kubernetes kibana Deployment fails as readiness probe in kibana-deployment.yml file uses /api/status/ to check kibana pod readiness.

        readinessProbe:
          httpGet:
            path: /api/status
            port: http
            scheme: HTTPS
          initialDelaySeconds: 60
          periodSeconds: 30

Here are Logs of Kibana:

"method":"get","statusCode":401,"req":{"url":"/api/status","method":"get","headers":{"host":"10.xxx.x.xxx:5601","user-agent":"kube-pro │
│ be/1.19","accept-encoding":"gzip","connection":"close"},"remoteAddress":"10.xxx.x.xxx","userAgent":"kube-probe/1.19"},"res":{"statusCode":401,"responseTime":10,"contentLength":9},"message":"GET /api/status 401 10 │
│ ms - 9.0B"}

Do we have any reason Opendistro has bydefault open api/status endpoint not /api or /status,what is the intention behind keeping only api/status open and not others?

However was curious to explore on the response that we received from /api/status/ is it ok to expose to public users?

Topic		Replies	Views
Оpendistro-security with ELK (basic license) Open Source Elasticsearch and Kibana	2	1047	March 26, 2021
Kibana Doesnt work if security is disabled Security	3	2486	January 21, 2021
Want to disable authentication for ES and Kibana Security	4	1259	August 16, 2021
Authentication and Authorization 404 error - page not loading Security	7	2537	March 10, 2021
Unable to login to Opendistro kibana with the default admin credentials for the first time Open Source Elasticsearch and Kibana	2	434	October 19, 2021

Disable Access of Kibana Server Status API [api/status]

Related Topics