Kibana tabs not loading (Open Distro Security not initialized)

Hi,

I am running an AWS Elasticsearch and Kibana instance (version 7.10) using SAML authentication. I want to set up a read-only user group. When I log in with such a user, I can see that the user is correctly assigned the following roles:

[screenshot: the roles assigned to the user]

However, the navigation bar does not show any links except Dashboard. When I try to paste a link to the Discover tab I get the following error:

No application was found at this URL. Try going back or choosing an app from the menu.

[screenshot: the "No application was found at this URL" error page]

Looking at the logs that the AWS service makes available, I can see the following. Not 100% sure that this is related, but it seems suspicious:

{settings_filter=opendistro_security.audit.config.webhook.ssl.pemtrustedcas_content,reindex.ssl.supported_protocols,opendistro_security.ssl.transport.enable_openssl_if_available,opendistro_security.unsupported.restore.securityindex.enabled,opendistro_security.audit.config.enable_ssl,opendistro_security.compliance.history.external_config_enabled,opendistro_security.unsupported.disable_rest_auth_initially,opendistro_security.unsupported.accept_invalid_config,opendistro_security.audit.config.enable_ssl_client_auth,opendistro_security.audit.config.webhook.ssl.pemtrustedcas_filepath,opendistro_security.allow_unsafe_democertificates,opendistro_security.roles_mapping_resolution,opendistro_security.audit.config.pemkey_filepath,reindex.ssl.truststore.password,opendistro_security.ssl.http.crl.check_only_end_entities,opendistro_security.*,opendistro_security.audit.config.pemtrustedcas_content,opendistro_security.ssl.transport.pemtrustedcas_filepath,opendistro_security.audit.config.username,opendistro_security.ssl.transport.keystore_filepath,opendistro_security.audit.config.log4j.logger_name,opendistro_security.ssl.http.keystore_type,opendistro_security.compliance.disable_anonymous_authentication,opendistro_security.ssl.http.enabled,opendistro_security.cache.ttl_minutes,opendistro_security.unsupported.allow_now_in_dls,opendistro_security.enable_snapshot_restore_privilege,opendistro_security.ssl.http.keystore_password,opendistro_security.ssl.http.crl.validation_date,opendistro_security.ssl.http.pemcert_filepath,reindex.ssl.keystore.key_password,opendistro_security.ssl.http.truststore_password,opendistro_security.audit.config.pemkey_content,opendistro_security.protected_indices.indices,opendistro_security.audit.config.verify_hostnames,reindex.ssl.truststore.type,opendistro_security.audit.enable_rest,opendistro_security.audit.config.password,opendistro_security.audit.config.pemkey_password,reindex.ssl.key_passphrase,opendistro_security.audit.resolve_bulk_requests,opendistro_security.check_snapshot_restore_write_privileges,opendistro_security.allow_default_init_securityindex,opendistro_security.audit.config.pemcert_content,opendistro_security.ssl.transport.pemkey_password,opendistro_security.config_index_name,opendistro_security.audit.config.cert_alias,opendistro_security.unsupported.inject_user.enabled,opendistro_security.audit.type,opendistro_security.ssl_only,opendistro_security.ssl.http.pemkey_password,opendistro_security.ssl.transport.keystore_alias,opendistro_security.protected_indices.roles,opendistro_security.ssl.transport.resolve_hostname,opendistro_security.ssl.http.crl.disable_crldp,opendistro_security.ssl.http.keystore_keypassword,reindex.ssl.truststore.path,opendistro_security.ssl.transport.truststore_alias,reindex.ssl.keystore.password,reindex.ssl.certificate_authorities,opendistro_security.ssl.http.keystore_alias,opendistro_security.audit.resolve_indices,opendistro_security.audit.config.webhook.format,opendistro_security.ssl.http.truststore_type,opendistro_security.ssl.http.enable_openssl_if_available,opendistro_security.cert.oid,opendistro_security.compliance.history.read.metadata_only,opendistro_security.compliance.history.write.log_diffs,opendistro_security.disable_envvar_replacement,opendistro_security.audit.config.pemtrustedcas_filepath,opendistro_security.ssl.http.keystore_filepath,opendistro_security.protected_indices.enabled,opendistro_security.kerberos.krb5_filepath,opendistro_security.ssl.transport.truststore_filepath,opendistro_security.filter_securityindex_from_all_requests,reindex.ssl.certificate,opendistro_security.ssl.http.truststore_filepath,opendistro_security.ssl.transport.keystore_password,reindex.ssl.verification_mode,opendistro_security.audit.enable_transport,opendistro_security.unsupported.load_static_resources,opendistro_security.compliance.history.write.metadata_only,opendistro_security.ssl.transport.enabled,opendistro_security.audit.log_request_body,opendistro_security.audit.config.type,opendistro_security.audit.config.webhook.url,opendistro_security.ssl.transport.keystore_type,opendistro_security.unsupported.restapi.allow_securityconfig_modification,opendistro_security.kerberos.acceptor_keytab_filepath,opendistro_security.audit.threadpool.max_queue_len,reindex.ssl.keystore.path,opendistro_security.unsupported.disable_intertransport_auth_initially,opendistro_security.ssl.transport.enforce_hostname_verification,opendistro_security.ssl.http.clientauth_mode,reindex.ssl.client_authentication,reindex.ssl.keystore.type,opendistro_security.ssl.http.truststore_alias,opendistro_security.ssl.http.crl.disable_ocsp,reindex.ssl.cipher_suites,opendistro_security.audit.config.index,opendistro_security.cert.intercluster_request_evaluator_class,opendistro_security.ssl.transport.principal_extractor_class,opendistro_security.disabled,opendistro_security.compliance.history.internal_config_enabled,opendistro_security.audit.config.webhook.ssl.verify,opendistro_security.audit.exclude_sensitive_headers,secret_key,opendistro_security.ssl.client.external_context_id,opendistro_security.system_indices.indices,opendistro_security.compliance.salt,opendistro_security.audit.config.log4j.level,opendistro_security.ssl_cert_reload_enabled,opendistro_security.kerberos.acceptor_principal,reindex.ssl.key,reindex.ssl.keystore.algorithm,opendistro_security.ssl.http.pemkey_filepath,opendistro_security.audit.threadpool.size,opendistro_security.ssl.transport.truststore_type,opendistro_security.ssl.http.pemtrustedcas_filepath,opendistro_security.ssl.transport.truststore_password,opendistro_security.unsupported.inject_user.admin.enabled,opendistro_security.restapi.password_validation_regex,opendistro_security.ssl.transport.extended_key_usage_enabled,opendistro_security.ssl.http.crl.validate,opendistro_security.ssl.http.crl.prefer_crlfile_over_ocsp,opendistro_security.ssl.http.crl.file_path,opendistro_security.system_indices.enabled,opendistro_security.background_init_if_securityindex_not_exist,access_key,opendistro_security.ssl.transport.pemcert_filepath,opendistro_security.advanced_modules_enabled,opendistro_security.audit.config.pemcert_filepath,opendistro_security.ssl.transport.keystore_keypassword,opendistro_security.ssl.transport.pemkey_filepath,opendistro_security.restapi.password_validation_error_message, filter_path=nodes.*.attributes.di_number}
org.elasticsearch.ElasticsearchSecurityException: Open Distro Security not initialized for __PATH__

Note that when I log in as an admin user with the security_manager and all_access roles everything works fine.

I may be missing some required roles or permissions. Any help appreciated!

@ibtehajn this is expected behaviour for the kibana_read_only role. If you would like access to the rest of the features, but only as a read-only user, you would need to create and map to a separate role, which gives read-only permissions to the relevant indices, tenants etc.

something like this:

test_role:
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - 'read'
  tenant_permissions:
    - tenant_patterns:
      - '*'
      allowed_actions:
        - 'kibana_all_read'

Then map the user in question to this test_role and kibana_user.

Hope this helps
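A scripted version of the steps in this reply, added here and not part of the original thread. Amazon's managed service does not expose securityadmin.sh, so the role and its mappings go in through the Security plugin REST API (`_opendistro/_security/api/roles` and `_opendistro/_security/api/rolesmapping`). It assumes the domain endpoint and a master user are supplied in `OD_ENDPOINT`, `OD_USER` and `OD_PASS`, and that the SAML assertion carries a group (backend role) named in `SAML_GROUP`; all of those names, and the `readonly-analysts` default, are assumptions for the example. Mapping by backend role rather than by user name means every member of the IdP group picks up the role, not just one account.

```shell
#!/bin/sh
# Added example: creates the read-only role from the reply above via the
# Open Distro Security REST API and maps a SAML backend role to it, plus
# kibana_user. OD_ENDPOINT / OD_USER / OD_PASS / SAML_GROUP are assumptions.
set -eu

ROLE_NAME="test_role"
# Backend role as it arrives in the SAML roles attribute (assumed name).
SAML_GROUP="${SAML_GROUP:-readonly-analysts}"

# Role body: the same content as the YAML snippet in the reply, in the
# JSON shape the roles API takes.
role_body() {
  cat <<'EOF'
{
  "index_permissions": [
    {
      "index_patterns": ["*"],
      "allowed_actions": ["read"]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["*"],
      "allowed_actions": ["kibana_all_read"]
    }
  ]
}
EOF
}

# Role-mapping body for one or more backend roles, e.g.
# mapping_body a b -> {"backend_roles": ["a", "b"]}
mapping_body() {
  list=""
  for g in "$@"; do
    list="${list:+$list, }\"$g\""
  done
  printf '{"backend_roles": [%s]}\n' "$list"
}

# PUT one security API resource. $1 = path under _opendistro/_security/api,
# body on stdin. Note that PUT replaces the whole resource: if kibana_user
# already has backend roles mapped, pass them to mapping_body too.
put_security() {
  curl -fsS -u "$OD_USER:$OD_PASS" -H 'Content-Type: application/json' \
    -X PUT "$OD_ENDPOINT/_opendistro/_security/api/$1" --data-binary @-
  echo
}

apply() {
  role_body | put_security "roles/$ROLE_NAME"
  mapping_body "$SAML_GROUP" | put_security "rolesmapping/$ROLE_NAME"
  # kibana_user is a built-in role; only the mapping is needed.
  mapping_body "$SAML_GROUP" | put_security "rolesmapping/kibana_user"
}

# Only talk to a cluster when an endpoint was actually given.
if [ -n "${OD_ENDPOINT:-}" ]; then
  apply
fi
```

To confirm the mapping took effect, log in to Kibana as a member of the SAML group and run `GET _opendistro/_security/authinfo` from Dev Tools: the `roles` list should now contain `test_role` and `kibana_user`, and the navigation bar should show Discover and the other apps rather than Dashboard alone.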

@Anthony, thanks for the suggestion! I've made the suggested changes and it's working again.

I am pretty sure I used to use the exact same set of roles in Kibana 7.4 and it used to work fine. It would be worth documenting that the kibana_read_only role limits the user to viewing dashboards only. This is not obvious from the name.