Kibana 401 unauthorized error

Ajay · August 3, 2021, 9:39am

Hello,

We have been struggling with 401 unauthorized error for openID integration (Keycloak as IdP) for Kibana with openDistro security plugin

The authentication integration works fine for the 1st time. But once we restart the kibana we are getting the 401 unauthorized error. To make kibana work we need to delete the .kibana index every time we restart kibana.

We also observed that the security_authentication cookies is not getting created after the kibana restart which could be the cause of the 401 unauthorized error.

Below are the configs we have used

kibana.yml

elasticsearch.username: "user"
elasticsearch.password: "pass"
elasticsearch.requestHeadersWhitelist: ["Authorization", "security_tenant"]
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://<keycloak_ip>/auth/realms/<realm_name>/.well-known/openid-configuration"
opendistro_security.openid.client_id: "client"
opendistro_security.openid.base_redirect_url: "http://<kibana>:5601"
opendistro_security.openid.root_ca: "<root_ca_certificate>"

Elasticsearch config.yml

    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            enable_ssl: true
            verify_hostnames: true
            openid_connect_url: https://<keycloak_ip>/auth/realms/<realm_name>/.well-known/openid-configuration
        authentication_backend:
          type: noop
	  basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

Anthony · August 3, 2021, 10:44am

@Ajay
Is the configuration you provided complete or there are parts excluded, like openid.client_secret?

Also, can you confirm which odfe version you are using?

Ajay · August 3, 2021, 11:14am

@Anthony Thanks for reply
This is the complete configuration & as the keycloak client has a public access type so client_ secret is not set.

The ODFE version is 1.13.1.0

Ajay · August 5, 2021, 3:57am

Update 05/08/2021

We tried integrating with Azure AD trial account & we are seeing the same behavior that after the restart of kibana getting 401 unauthorized.

Here in this integration we have included openid.client_secret in the kibana config.

Anthony · August 5, 2021, 10:40am

@Ajay
I managed to reproduce your error, looking into it now

Anthony · August 6, 2021, 3:20pm

@Ajay Still looking into this, My local testing seems to indicate that the issue was introduced in 1.13.1, but was working fine in 1.13.0, as a temporary workaround have you tried 1.13.0?

Ajay · August 6, 2021, 4:35pm

@Anthony As a workaround we had downgraded the setup version to see if it works for older version.
Elasticsearch : 7.10.0
Kibana : 7.10.0
Opendistro : 1.12.0.0
But facing the same issue of 401 unauthorized after kibana restart.

We have not tried the ODFE 1.13.0 will check on that.

Ajay · August 9, 2021, 7:56am

@Anthony Can you please provide the link for kibana_security_plugin-1.13.0.0. We are getting access denied when trying to download by changing the version number in plugin install URL.
We are able to install Opendistro_security_plugin for elasticsearch-1.13.0.0.

PS: We are having doubt about this working as it is not working for opendistro 1.12.0.0

Anthony · August 9, 2021, 8:26am

@Ajay elasticsearch plugin: https://d3g5vo6xdbdb9a.cloudfront.net/downloads/elasticsearch-plugins/opendistro-security/opendistro-security-1.13.0.0.zip

kibana plugin:
https://d3g5vo6xdbdb9a.cloudfront.net/downloads/kibana-plugins/opendistro-security/opendistroSecurityKibana-1.13.0.1.zip

However I have tested using docker-compose, with simply changing the images to:

amazon/opendistro-for-elasticsearch:1.13.0
amazon/opendistro-for-elasticsearch-kibana:1.13.0

I can also confirm using this testing environment 1.12.0 has the issue, but 1.13.0 doesn’t.

Ajay · August 9, 2021, 10:30am

@Anthony Thanks for the response by changing the opendistro security to 1.13.0 resolved the issue.

Anthony · August 9, 2021, 7:45pm

@Ajay Could you submit a bug report for this using below link to bring awareness to the dev team:

gehf · July 12, 2022, 2:19pm

I meet the same issue, first time is fine, but got the error message after restart:
{“statusCode”:401,“error”:“Unauthorized”,“message”:“Unauthorized”}

the opensearch version is 2.1

gehf · July 19, 2022, 5:50am

I find the issue same as:
https://github.com/opensearch-project/security-dashboards-plugin/issues/744