Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ingest Management] a user with the role kibana_admin cannot login #69903

Closed
kuisathaverat opened this issue Jun 25, 2020 · 6 comments
Closed

[Ingest Management] a user with the role kibana_admin cannot login #69903

kuisathaverat opened this issue Jun 25, 2020 · 6 comments
Assignees
@nchaulet
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@kuisathaverat
Copy link
Contributor

kuisathaverat commented Jun 25, 2020
edited
Loading

Kibana version:
8.0.0-SNAPSHOT
Elasticsearch version:
8.0.0-SNAPSHOT
Server OS version:
Linux #1 SMP Tue Sep 3 02:58:08 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux (SNAPSHOT Docker container)
Browser version:
Chrome 83
Browser OS version:
MacOS 10.15.5
Original install method (e.g. download page, yum, from source, etc.):
Helm chart
Describe the bug:

Users that are not superusers cannot login in Kibana. You can see a trace related to ingest management every time you try to login User not authorized for "/api/ingest_manager/check-permissions": responding with 404

Steps to reproduce:

  1. Enable ingest management and fleet in Kibana
  2. logout
  3. try to login with a user with Kibana_admin role
  4. Kibana return a 403 error
  5. you see the message User not authorized for "/api/ingest_manager/check-permissions": responding with 404 in logs

Expected behavior:

The user login into Kibana.

Screenshots (if relevant):

Errors in browser console (if relevant):

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Provide logs and/or server output (if relevant):

User not authorized for "/api/ingest_manager/check-permissions": responding with 404

Any additional context:

A Kibana without ingest management full configured using the same cluster can login as expected with the same user.

    xpack.ingestManager.enabled: true
    xpack.ingestManager.epm.enabled: true
    xpack.ingestManager.fleet.enabled: true
    xpack.ingestManager.epm.registryUrl: 'https://epr-staging.elastic.co'
@kuisathaverat kuisathaverat added the Team:Fleet Team label for Observability Data Collection Fleet team label Jun 25, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@ruflin ruflin added the bug Fixes for quality problems that affect the customer experience label Jun 25, 2020
@ph
Copy link
Contributor

ph commented Jun 25, 2020

@ruflin I think we do require the super user on everything should we try to require the kibana_admin role?

@nchaulet
Copy link
Member

We require user to be superuser and Kibana_admin is not enough to use ingest manager right now, but I think you should see a screen that display that, I am going to investigate

@kuisathaverat
Copy link
Contributor Author

@ph the thing is that only superusers can login after enable ingest management, all the rest fail to login.

@nchaulet
Copy link
Member

Oh got it, I think we are doing some api calls in the ingest manager client side plugin start, that we should not do if the user do not have the right permission.

@nchaulet
Copy link
Member

This PR merged yesterday will fix that #69505

Just tested with a kibana_admin user

Screen Shot 2020-06-25 at 11 25 36 AM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nchaulet nchaulet

Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@ph @ruflin @nchaulet @kuisathaverat @elasticmachine