kibana cannot connect to elasticsearch when searchguard is on with ArrayIndexOutOfBoundsException[0]


Lingxiao Xia

Jun 7, 2015, 10:42:43 PM
to search...@googlegroups.com
Hello, I'm sorry for asking so many questions, but I couldn't get searchguard to work with kibana 4.0.2 and I couldn't figure out what's the problem...

Btw, plain search against elasticsearch works and searchguard seems to be functioning as intended. It just stops working whenever kibana is involved...

Kibana goes to the following error page as soon as I verify myself as user 'marketing' with role 'guest':

 Fatal Error

Error: unhandled error Error: ArrayIndexOutOfBoundsException[0]
    at respond (http://127.0.0.1:9548/index.js?_b=6004:81691:15)
    at checkRespForFailure (http://127.0.0.1:9548/index.js?_b=6004:81659:7)
    at http://127.0.0.1:9548/index.js?_b=6004:80322:7
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at http://127.0.0.1:9548/index.js?_b=6004:21030:76
    at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
    at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
    at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)
    at handleError (http://127.0.0.1:9548/index.js?_b=6004:42664:22)
    at DocRequest.AbstractReqProvider.AbstractReq.handleFailure (http://127.0.0.1:9548/index.js?_b=6004:42740:14)
    at http://127.0.0.1:9548/index.js?_b=6004:42945:17
    at Array.forEach (native)
    at http://127.0.0.1:9548/index.js?_b=6004:42943:18
    at wrappedErrback (http://127.0.0.1:9548/index.js?_b=6004:20897:78)
    at http://127.0.0.1:9548/index.js?_b=6004:21030:76
    at Scope.$eval (http://127.0.0.1:9548/index.js?_b=6004:22017:28)
    at Scope.$digest (http://127.0.0.1:9548/index.js?_b=6004:21829:31)
    at Scope.$apply (http://127.0.0.1:9548/index.js?_b=6004:22121:24)

Here's my search-guard setting and acl setting (I'm trying to apply minimum security just to get it to work first; I want role 'admin' to be able to do everything and role 'guest' to have the field 'user' filtered out on all search responses):

#############################################################################################
#                                       SEARCH GUARD                                        #
#                                       Configuration                                       #
#############################################################################################

# Enable or disable the complete Searchguard plugin functionality
searchguard.enabled: false

# Path where to write/read the searchguard master key file
searchguard.key_path: /tmp/dldm/elasticsearchConfig

# When using DLS or FLS and a get or mget is performed then rewrite it as search request
searchguard.rewrite_get_as_search: true

# The index name where Searchguard will store its configuration and various other informations related to Searchguard itself
# This index can only be access from localhost
searchguard.config_index_name: searchguard

# Enable or disable HTTP session which caches the authentication and authorization informations in a cookie
searchguard.http.enable_sessions: false

# Enable or disable audit logging
searchguard.auditlog.enabled: true

# If this is true (default is false) then Searchguard will check if elasticsearch is running as root/windows admin and if so then abort.
searchguard.check_for_root: false

# If this is true (default is false) then allow all HTTP REST requests from nodes loopback (e.g. localhost)
searchguard.allow_all_from_loopback: true

#############################################################################################
# X-Forwarded-For (XFF) header                                                              #
#                                                                                           #
#############################################################################################
# X-Forwarded-For (XFF) header
# If you have a http proxy in front of elasticsearch you have to configure this options to handle XFF properly
searchguard.http.xforwardedfor.header: null
#searchguard.http.xforwardedfor.trustedproxies: null
#searchguard.http.xforwardedfor.enforce: false

#############################################################################################
# Authentication backend                                                                    #
#                                                                                           #
#############################################################################################
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.SettingsBasedAuthenticationBackend
searchguard.authentication.authentication_backend.cache.enable: true

#############################################################################################
# Authorization backend (authorizer)                                                        #
#                                                                                           #
#############################################################################################
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.authorizer.cache.enable: true

#############################################################################################
# HTTP authentication method                                                                #
#                                                                                           #
#############################################################################################
# Define HTTP authentication method. In future we will here have more like NTLM, SPNEGO/Kerberos and Digest.
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.basic.HTTPBasicAuthenticator

#####################################################
# Settings based authentication (define users and password directly here in the settings. Note: this is per node)
#searchguard.authentication.settingsdb.user.<username>: password
searchguard.authentication.settingsdb.user.root: ********
searchguard.authentication.settingsdb.user.kibana: ********
searchguard.authentication.settingsdb.user.marketing: ********

#####################################################
# Settings based authorization (define users and their roles directly here in the settings. Note: this is per node)
#searchguard.authentication.authorization.settingsdb.roles.<username>: <array of roles>
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
#####################################################

##############################################################################################
# Below here you configure what authenticated and authorized users are allowed to do (or not)#
# This maps to the acl defined in the searchguard configuration index                        #
#############################################################################################

# Configure the field level security (fls) filter to filter _source 
searchguard.flsfilter.names: ["guest"]
searchguard.flsfilter.guest.source_excludes: ["user"]

ACL:
 {
    "acl": [
    {    
        "__Comment__": "By default no filters are executed and no filters are by-passed. In such a case a exception is thrown and access will be denied.",
        "filters_bypass": [],
        "filters_execute": []
     },
     {
           "__Comment__": "For role 'admin' all filters are bypassed (so none will be executed). This means unrestricted access.",
           "roles": [
               "admin"
           ],
           "filters_bypass": ["*"],
           "filters_execute": []
     },
     {
           "__Comment__": "For role 'guest' all filters will be executed.",
           "roles": [
               "guest"
           ],
           "filters_bypass": [],
           "filters_execute": ["*"]
     }
     ]
}

Attached is the elasticsearch log. 
data_manager.log
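
An added example, not part of the original post and not Search Guard code: a small offline check that parses settings in the flat "key: value" form posted above, resolves each user to an ACL entry through its roles, and flags the two switches whose own comments say they relax protection. The function names are hypothetical, the sample is a trimmed copy of the posted configuration, and treating the first ACL entry with a matching role as the effective one is an assumption.

```python
import json

# Constructed sample: lines trimmed from the settings and ACL posted above.
SETTINGS = """\
searchguard.enabled: false
searchguard.allow_all_from_loopback: true
searchguard.authentication.authorization.settingsdb.roles.root: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.kibana: ["guest"]
searchguard.authentication.authorization.settingsdb.roles.marketing: ["guest"]
"""
ACL = {"acl": [
    {"filters_bypass": [], "filters_execute": []},
    {"roles": ["admin"], "filters_bypass": ["*"], "filters_execute": []},
    {"roles": ["guest"], "filters_bypass": [], "filters_execute": ["*"]},
]}
ROLES = "searchguard.authentication.authorization.settingsdb.roles."

def parse_settings(text):
    """Parse flat 'key: value' lines, skipping blanks and # comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        try:
            out[key.strip()] = json.loads(value)      # booleans, null, arrays
        except ValueError:
            out[key.strip()] = value.strip()          # paths, class names
    return out

def effective_access(settings, acl):
    """Resolve each user to an ACL entry by role (assumption: first match wins)."""
    default = next(e for e in acl["acl"] if "roles" not in e)
    access = {}
    for key, roles in settings.items():
        if key.startswith(ROLES):
            entry = next((e for e in acl["acl"]
                          if set(e.get("roles", [])) & set(roles)), default)
            access[key[len(ROLES):]] = ("unrestricted" if "*" in entry["filters_bypass"]
                                        else "filtered" if entry["filters_execute"]
                                        else "denied")  # default entry: nothing runs
    return access

def findings(settings):
    """Flag the two switches whose comments say they relax protection."""
    checks = [("searchguard.enabled", False, "plugin disabled"),
              ("searchguard.allow_all_from_loopback", True, "loopback requests allowed")]
    return [f"{k} = {v}: {why}" for k, v, why in checks if settings.get(k) is v]
```

Running effective_access(parse_settings(SETTINGS), ACL) on the full posted file shows which access level each configured account, including the one Kibana itself uses, ends up with.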

Lingxiao Xia

Jun 7, 2015, 10:50:29 PM
to search...@googlegroups.com
Btw, I get the following error if I refresh the page:

 Fatal Error

Courier Fetch: Cannot read property 'timed_out' of undefined

in...@search-guard.com

Jun 9, 2015, 10:30:16 AM
to search...@googlegroups.com, lingxi...@dragonlaw.com.hk
first: why "searchguard.enabled: false" ?

second: seems the "ArrayIndexOutOfBoundsException" is coming from kibana, there is no error in the logfile you provided. Pls. look into the kibana logs
and make sure you configured kibana to use a username/password in kibana.yml

# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintenance on the kibana_index at startup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied through
# the Kibana server)
# kibana_elasticsearch_username: user
# kibana_elasticsearch_password: pass

Lingxiao Xia

Jun 10, 2015, 10:19:12 PM
to search...@googlegroups.com, lingxi...@dragonlaw.com.hk
Sorry, the configuration is for when elasticsearch is starting. I disabled searchguard in the beginning because I had to create the acl entry; I enabled searchguard after that and restarted the cluster.
And yes, I did configure kibana_elasticsearch_user and kibana_elasticsearch_pass and actually gave it admin power (which is different from user `marketing`'s privileges; I don't know if that would cause a problem, but I doubt so). So yea... anyone got kibana to work and would like to share a set of working configuration? Please?

SG

Jun 11, 2015, 4:21:13 PM
to search...@googlegroups.com
We will provide a guide on how to set up and configure search guard with kibana soon.

Lingxiao Xia

Jun 13, 2015, 8:21:35 AM
to search...@googlegroups.com
Thank you so much!!!

GoldmanDev

Sep 16, 2015, 8:55:23 PM
to Search Guard
Will a guide be provided?? I am having some issues connecting ES to Searchguard