
Kibana reporting does not work when using anonymous_user to generate reports #69612

Closed
PereBal opened this issue Jun 19, 2020 · 11 comments
Labels
enhancement New value added to drive a business result Feature:Reporting:Framework Reporting issues pertaining to the overall framework impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:medium Medium Level of Effort needs-team Issues missing a team label

Comments

@PereBal

PereBal commented Jun 19, 2020

Kibana version:
7.8.0, first detected in 7.6.2

Elasticsearch version:
7.8.0, first detected in 7.6.2

Server OS version:
Linux deathstar 4.15.0-101-generic #102-Ubuntu SMP Mon May 11 10:07:26 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Browser version:
Mozilla Firefox 77.0.1

Original install method (e.g. download page, yum, from source, etc.):
Docker compose:

  • docker.elastic.co/kibana/kibana:7.8.0
  • docker.elastic.co/elasticsearch/elasticsearch:7.8.0

Describe the bug:
When elasticsearch xpack.security is enabled with anonymous user (aka, unauthenticated) having superuser role and kibana xpack.security is disabled, kibana reporting fails all requests with unauthorized.

Steps to reproduce:

  1. Run the following commands to spawn a functional kibana-es with the appropriate configuration over docker compose.
$ cat << EOF > docker-compose.yml
version: '3.7'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    container_name: elasticsearch1
    environment:
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.authc.anonymous.username=anonymous_user
      - xpack.security.authc.anonymous.roles=superuser
      - xpack.security.authc.anonymous.authz_exception=true

      - ELASTIC_PASSWORD=demo
      - node.name=elasticsearch1
      - cluster.name=docker-cluster
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms256M -Xmx256M"
      - http.cors.enabled=true
      - http.cors.allow-origin=*
      - network.host=0.0.0.0
    ulimits:
      nproc: 65535
      memlock:
        soft: -1
        hard: -1
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 10s
      resources:
        limits:
          cpus: '1'
          memory: 256M
        reservations:
          cpus: '1'
          memory: 256M
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 10s
    volumes:
      - type: volume
        source: logs
        target: /var/log
      - type: volume
        source: esdata1
        target: /usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9300:9300

  kibana:
    image: docker.elastic.co/kibana/kibana:7.8.0
    container_name: kibana
    environment:
      XPACK_SECURITY_ENABLED: "false"
      # This setting is added to ensure no auth is being sent to ES and we trigger the anonymous
      # user case
      ELASTICSEARCH_REQUESTHEADERSWHITELIST: "kibana-user"

      ELASTICSEARCH_HOSTS: http://elasticsearch1:9200/
      LOGGING_VERBOSE: "true"
      ELASTICSEARCH_LOGQUERIES: "true"
    ports:
      - 5601:5601
    volumes:
      - type: volume
        source: logs
        target: /var/log
    ulimits:
      nproc: 65535
      memlock:
        soft: -1
        hard: -1
    deploy:
      replicas: 1
      update_config:
        parallelism: 1
        delay: 10s
      resources:
        limits:
          cpus: '1'
          memory: 512M
        reservations:
          cpus: '1'
          memory: 512M
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 3
        window: 120s
volumes:
  esdata1:
  logs:
EOF

$ sysctl -w vm.max_map_count=262144
$ docker-compose up
  2. Once kibana is ready, go to http://127.0.0.1:5601/app/kibana
  3. Add some data
  4. Go to http://127.0.0.1:5601/app/kibana#/discover
  5. Save the current search
  6. Hit Share > Generate CSV
  7. An error should pop up in the bottom right corner of your screen saying Reporting error Unauthorized

Expected behavior:
Kibana reporting works with the aforementioned configuration.

Errors in browser console (if relevant):
Nothing

Provide logs and/or server output (if relevant):

{ "@timestamp": "2020-06-19T08:06:15Z", "message": "Requesting Elasticsearch licensing API", "pid": 7, "tags": [ "debug", "plugins", "licensing" ], "type": "log" }
{ "@timestamp": "2020-06-19T08:06:16Z", "message": "200\nGET /_xpack\n", "pid": 7, "tags": [ "debug", "elasticsearch", "data", "query" ], "type": "log" }
{ "@timestamp": "2020-06-19T08:06:15Z", "message": "POST /api/reporting/generate/csv?jobParams 401 60ms - 9.0B", "method": "post", "pid": 7, "req": { "headers": { "accept": "*/*", "accept-encoding": "gzip, deflate", "accept-language": "en-US,en;q=0.5", "connection": "keep-alive", "content-length": "1006", "content-type": "application/json", "dnt": "1", "host": "127.0.0.1:5601", "kbn-version": "7.8.0", "origin": "http://127.0.0.1:5601", "referer": "http://127.0.0.1:5601/app/kibana", "user-agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0" }, "method": "post", "referer": "http://127.0.0.1:5601/app/kibana", "remoteAddress": "172.25.0.1", "url": "/api/reporting/generate/csv?jobParams", "userAgent": "172.25.0.1" }, "res": { "contentLength": 9, "responseTime": 60, "statusCode": 401 }, "statusCode": 401, "tags": [ "api" ], "type": "response" }
{ "@timestamp": "2020-06-19T08:06:16Z", "message": "200\nPOST /.reporting-*/_search\n{\"seq_no_primary_term\":true,\"_source\":{\"excludes\":[\"output.content\"]},\"query\":{\"bool\":{\"filter\":{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"term\":{\"status\":\"pending\"}},{\"bool\":{\"must\":[{\"term\":{\"status\":\"processing\"}},{\"range\":{\"process_expiration\":{\"lte\":\"2020-06-19T08:06:16.123Z\"}}}]}}]}}}},\"sort\":[{\"priority\":{\"order\":\"asc\"}},{\"created_at\":{\"order\":\"asc\"}}],\"size\":1}", "pid": 7, "tags": [ "debug", "elasticsearch", "data", "query" ], "type": "log" }
@elasticmachine
Contributor

Pinging @elastic/kibana-reporting-services (Team:Reporting Services)

@PereBal
Author

PereBal commented Jul 8, 2020

Heya folks, I imagine you are super busy working on more important things, but this issue is causing some trouble on our end. Do you happen to know/think of any workarounds?

@yjwong

yjwong commented Aug 12, 2020

I did a bit of deep dive into the Kibana source as I also encountered this problem.

The access control check is done using a Hapi pre-routing rule here:

export const authorizedUserPreRoutingFactory = function authorizedUserPreRoutingFn(
  config: ReportingConfig,
  plugins: ReportingSetupDeps,
  logger: Logger
) {

However, it seems that security.isEnabled() and security.isAvailable() always return true, even if xpack.security.enabled: false is set in kibana.yml.

From what I read, Kibana derives this setting from the Elasticsearch cluster.

@yjwong

yjwong commented Aug 12, 2020

I have verified that this value is derived from Elasticsearch; when xpack.security.enabled is set to false on Elasticsearch, generating CSVs works.

While this workaround works, since we use ECK, it's not recommended: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-reserved-settings.html

It seems like the access control check may be overly eager in this case.

@tsullivan
Member

By design, reporting checks the auth of the logged in user to ensure they have a role called superuser and/or a role called reporting_user.

Using that design, administrators can turn on and off reporting for specific users, which is our expectation of secure software.

If this feature was implemented, would there be a way to turn it off? Using the existing config options, I don't see how it would be possible.

It's hard to make a call here. If you depend on security, then access control checks should be expected.

@tsullivan
Member

cc @elastic/kibana-security

@Sakorah

Sakorah commented Oct 1, 2020

I'm running into this issue as well with 7.7.1. Setting xpack.security.enabled to false in Elasticsearch is no option as this disables SSL as well. I cannot reproduce the issue with 7.9.2.

@tsullivan tsullivan added (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead Team:AppServices and removed Team:Reporting Services labels Dec 17, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-app-services (Team:AppServices)

@manavkapoor

manavkapoor commented Feb 13, 2021

Any update on this issue? Running into the same problem.

@azasypkin
Member

Any update on this issue? Running into the same problem.

If you're using Kibana 7.11+, would you mind trying with Kibana "native" anonymous access instead? With this you don't need to disable security in Kibana and you also don't have to enable anonymous access in Elasticsearch directly if you don't need it.

@tsullivan tsullivan added Team:Reporting Services enhancement New value added to drive a business result labels Feb 25, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels May 13, 2021
@tsullivan
Member

tsullivan commented May 14, 2021

Hi all, this issue will be resolved in 7.14. This PR #94966 provides the change needed to set up anonymous access to work with Kibana Reporting.

  1. Create a custom role that provides Kibana app privileges for Reporting:

    curl 'http://elastic:changeme@localhost:5601/bni/api/security/role/test_reporting_user' \
       -X 'PUT' \
       -H 'kbn-version: 7.14.0' \
       --data-raw '{"elasticsearch":{"cluster":[],"indices":[],"run_as":[]},"kibana":[{"spaces":["*"],"base":[],"feature":{"discover":["minimal_read","generate_report"],"dashboard":["minimal_read","generate_report","download_csv_report"],"canvas":["read"],"maps":["read"],"visualize":["minimal_read","generate_report"],"graph":["read"]}}]}'
    
  2. Create a user that is assigned the role:

    curl 'http://elastic:changeme@localhost:5601/bni/internal/security/users/reportron' \
      -H 'kbn-version: 7.14.0' \
      --data-raw '{"username":"reportron","roles":["data_user","test_reporting_user"],"full_name":"Reportron I. User","email":"[email protected]","metadata":{},"enabled":true}'
    
  3. Configure Reporting to use feature controls, and Kibana to use anonymous access in kibana.yml:

    xpack.reporting.roles.enabled: false # this is to switch Reporting to use Kibana feature controls instead of ES roles
    xpack.security.authc.providers:
      anonymous.anonymous1:
        order: 0
        credentials:
          username: "reportron"
          password: "changeme"
    

You can also use an API key instead of entering a username and password in the YML file.

The documentation of "Reporting and Security" will be updated for 7.14: https://www.elastic.co/guide/en/kibana/7.x/secure-reporting.html#secure-reporting

Closing this issue as it is resolved by #94966
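The recipe above moves Reporting authorization from Elasticsearch role names to Kibana feature privileges and replaces the Elasticsearch-level anonymous user of the original reproduction (which was granted `superuser`) with a Kibana-native anonymous provider. The following script is an added example, not code from Kibana or from anyone in this thread: it reads the kibana.yml fragment from step 3, the Elasticsearch `environment:` lines from the docker-compose reproduction and the role body from step 1 with a small purpose-built parser (no PyYAML needed) and reports least-privilege findings. The finding codes, the parser's supported YAML subset and the `credentials.apiKey` shape for the API-key variant are this example's own assumptions.

```python
"""Added example: audit the Reporting/anonymous-access settings quoted in this thread."""
import re

# Copied from the kibana.yml fragment in step 3 of the fix above.
KIBANA_YML = """\
xpack.reporting.roles.enabled: false # switch Reporting to Kibana feature controls instead of ES roles
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "reportron"
      password: "changeme"
"""

# Copied from the elasticsearch `environment:` list of the docker-compose reproduction.
ES_ENV = [
    "- xpack.security.enabled=true",
    "- xpack.security.authc.anonymous.username=anonymous_user",
    "- xpack.security.authc.anonymous.roles=superuser",
    "- xpack.security.authc.anonymous.authz_exception=true",
]

# Copied from the role body PUT in step 1 of the fix.
ROLE_DEF = {
    "elasticsearch": {"cluster": [], "indices": [], "run_as": []},
    "kibana": [{"spaces": ["*"], "base": [], "feature": {
        "discover": ["minimal_read", "generate_report"],
        "dashboard": ["minimal_read", "generate_report", "download_csv_report"],
        "canvas": ["read"], "maps": ["read"],
        "visualize": ["minimal_read", "generate_report"], "graph": ["read"]}}],
}

REPORT_PRIVILEGES = {"generate_report", "download_csv_report"}


def _scalar(value):
    """Turn a YAML scalar into str/bool/int; quoted strings keep their text."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value


def parse_simple_yaml(text):
    """Parse the indentation-nested 'key: value' subset used in kibana.yml (assumption:
    no lists or multi-line scalars). Dotted keys such as xpack.reporting.roles.enabled
    are kept as written, which is how Kibana spells them."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # climb out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # a nested mapping follows
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = _scalar(value)
    return root


def parse_es_env(lines):
    """Read 'key=value' entries from a compose `environment:` list (with or without '- ')."""
    settings = {}
    for line in lines:
        entry = line.strip().lstrip("-").strip().strip("\"'")
        key, sep, value = entry.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_reporting_setup(kibana_yml, es_env_lines, role_def):
    """Return a list of finding codes; an empty list means the setup follows the 7.14 recipe."""
    findings = []
    kb = parse_simple_yaml(kibana_yml)
    es = parse_es_env(es_env_lines)

    # An Elasticsearch anonymous user with superuser makes every unauthenticated request
    # to :9200 an admin request; the Kibana-native provider removes the need for it.
    anon_roles = [r for r in es.get("xpack.security.authc.anonymous.roles", "").split(",") if r]
    if "superuser" in anon_roles:
        findings.append("es-anonymous-superuser")

    # Reporting must be switched from ES role names to Kibana feature controls.
    if kb.get("xpack.reporting.roles.enabled", True) is not False:
        findings.append("reporting-roles-mode")

    # A Kibana anonymous provider must carry credentials (username/password or apiKey).
    providers = kb.get("xpack.security.authc.providers", {})
    anon = {n: p for n, p in providers.items() if n.startswith("anonymous.")}
    if not anon:
        findings.append("no-anonymous-provider")
    for name, provider in anon.items():
        creds = provider.get("credentials", {}) if isinstance(provider, dict) else {}
        has_basic = "username" in creds and "password" in creds
        if not (has_basic or "apiKey" in creds):
            findings.append("provider-missing-credentials:" + name)

    # The custom role should hold no Elasticsearch cluster/run_as privileges and should
    # grant a Reporting privilege (or base "all") on at least one Kibana feature.
    es_part = role_def.get("elasticsearch", {})
    if es_part.get("cluster") or es_part.get("run_as"):
        findings.append("role-elasticsearch-privileges")
    granted = set()
    for entry in role_def.get("kibana", []):
        for privs in entry.get("feature", {}).values():
            granted.update(privs)
        granted.update(entry.get("base", []))
    if not granted & (REPORT_PRIVILEGES | {"all"}):
        findings.append("role-missing-report-privilege")
    return findings


if __name__ == "__main__":
    for code in audit_reporting_setup(KIBANA_YML, ES_ENV, ROLE_DEF) or ["ok"]:
        print(code)
```

Run against the thread's own values the audit reports only `es-anonymous-superuser`, i.e. the kibana.yml and role from the fix are fine on their own, and the finding disappears once the Elasticsearch-level anonymous user from the reproduction is dropped, which is exactly the point made in the 7.11+ suggestion above.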

@exalate-issue-sync exalate-issue-sync bot added loe:medium Medium Level of Effort and removed loe:small Small Level of Effort labels Sep 29, 2021
@sophiec20 sophiec20 added Feature:Reporting:Framework Reporting issues pertaining to the overall framework and removed (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead (Deprecated) Team:Reporting Services labels Aug 21, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Aug 21, 2024