Kibana using SSL on the security-configuration page broken in OD 1.2.1 release using Debian

Open Source Elasticsearch and Kibana
1

I have clean installed opendistroforelasticsearch-kibana_1.2.1_amd64.deb on multiple “Ubuntu 16.04.4 LTS” host servers. All installations I am experiencing the same MAJOR BLOCKER.

After installing opendistroforelasticsearch-kibana (1.2.1), Unfortunately I am experiencing a blocker when opening the Kibana security-configuration page using the latest Chrome (v79.0.3945.79 - 64-bit) and Firefox (v71.0 - 64-bit) Browsers, reporting "Refused to execute inline script because it violates the following Content Security Policy directive: “script-src ‘unsafe-eval’” in browser console and causing required missing icons to administrate ES.

image
image811×603 69.5 KB

Examination of the broken page source shows the error message “This Kibana installation has strict security requirements enabled that your current browser does not meet.” while the Browser console reports invalid 404 URLs

GET https://mobile.spartansense.com:5601/app/{{actionGroupsSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{tenantsSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{internalUserDatabaseSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{rolesSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{roleMappingsSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{purgeCacheSvgURL}} 404 (Not Found)
GET https://mobile.spartansense.com:5601/app/{{authenticationSvgURL}} 404 (Not Found)

All these issues with trying to configure ES using the Kibana configuration page makes OD 1.2.1 release unusable.
My kibana.yml is as follows

server.port: 5601
server.host: "mobile.spartansense.com"
server.name: "mobile.spartansense.com"
elasticsearch.hosts: ["https://help.spartansense.com:9200"]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
elasticsearch.ssl.certificate: /etc/kibana/ssl/mobile.spartansense.com.crt
elasticsearch.ssl.key: /etc/kibana/ssl/mobile.spartansense.com.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ssl/mobile.spartansense.com.ca.crt" ]
elasticsearch.ssl.verificationMode: full
opendistro_security.allow_client_certificates: true
opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/ssl/mobile.spartansense.com.crt
server.ssl.key: /etc/kibana/ssl/mobile.spartansense.com.key
logging.dest: /var/log/kibana.log
csp.strict: true

I’m not sure if the issue is faulty browser detection, but I am using the latest Firefox and Chrome browsers, so not sure why its blocking me from using the configuration page with Content Security Policy errors.

image
image1049×362 53.7 KB

image
image1099×392 80.1 KB

image
image780×870 74 KB

Finally,

  • I am logged in as the default administrator account admin / admin, so I should have privileges to see the configuration page
  • I have the configuration opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”] in elasticsearch.yml on all my cluster nodes so I should be using the right user roles.

Any Help with workarounds would be much appreciated

2

Hey Imit,

Apologize for the trouble here. We will look into this and provide a response by tomorrow morning.

Thanks,
Pavani

3

Thank you for responding

CONFIDENTIALITY STATEMENT: This communication (and any and all information or material transmitted with this communication) is confidential, may be privileged and is intended only for the use of the intended recipient. If you are not the intended recipient,
any review, retransmission, circulation, distribution, reproduction, conversion to hard copy, copying or other use of this communication, information or material is strictly prohibited. If you received this communication in error or if it is forwarded to you
without the express authorization of Valor, please notify us immediately by telephone or by return email and permanently delete the communication, information and material from any computer, disk drive, diskette or other storage device or media. Thank you.

4

Was there a resolution to this?