Permissions for metricbeat to load dashboards into Kibana

[Imran Arshad]

- Elasticsearch: 6.1.0 

- SearchGuard: 6.1.0-20

- No enterprise modules enabled

I have ELK stack deployed on Docker with SearchGuard enabled, and the searchguard-kibana-plugin installed. I am using the docker-elk repo with SearchGuard enabled. ElasticSearch has the Searchguard demo roles and users enabled. 

I am trying to ship Metricbeat logs to my ELK. I have the following configuration in my metricbeat.yml:

output.elasticsearch:

  hosts: ["localhost:9200"]

  username: "admin"

  password: "admin"

setup.kibana:

  host: "localhost:5601"

  username: "admin"

  password: "admin"

So I am basically using the demo 'admin' user (which I think has access to all indices. I also tried with the demo 'kibanaserver' user).

The issue is that whenever I run the metricbeat setup step, I get access denied from Kibana. The logs in Metricbeat look like this:

$ ./metricbeat setup

Loaded index template

Exiting: Error importing Kibana dashboards: fail to import the dashboards in Kibana: Error importing directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana: Failed to import index-pattern: Failed to load directory /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern:

  error loading /Users/test/Code/Elastic/metricbeat-6.1.0-darwin-x86_64/kibana/default/index-pattern/metricbeat.json: 403 Forbidden. Response: {"statusCode":403,"error":"Forbidden","message":"Error: Unauthorized"}

The logs in Kibana look like this:

{"type":"response","@timestamp":"2018-01-18T22:47:17Z","tags":[],"pid":1,"method":"get","statusCode":200,"req":{"url":"/api/status","method":"get","headers":{"host":"localhost:5601","user-agent":"Go-http-client/1.1","accept":"application/json","content-type":"application/json","accept-encoding":"gzip"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":200,"responseTime":39,"contentLength":9},"message":"GET /api/status 200 39ms - 9.0B"}

{"type":"response","@timestamp":"2018-01-18T22:47:17Z","tags":[],"pid":1,"method":"post","statusCode":403,"req":{"url":"/api/kibana/dashboards/import?force=true","method":"post","headers":{"host":"localhost:5601","user-agent":"Go-http-client/1.1","content-length":"250474","accept":"application/json","content-type":"application/json","kbn-version":"6.1.0","accept-encoding":"gzip"},"remoteAddress":"172.18.0.1","userAgent":"172.18.0.1"},"res":{"statusCode":403,"responseTime":13,"contentLength":9},"message":"POST /api/kibana/dashboards/import?force=true 403 13ms - 9.0B"}

When I use Kibana without SG, the dashboards I imported without any error. I am assuming this has to do with the permissions on SearchGuard. Can someone please guide me in the right direction?

[Jochen Kressin]

I think this is a bug in the Kibana plugin. Can you please open an issue here: https://github.com/floragunncom/search-guard-kibana-plugin/issues?

[Imran Arshad]

Thanks Jochen. I have raised an issue on Github.

[Chadwick Wendling]

Imran,

Did you get this working? I am having the same issue. When I implemented the fix, I am still getting the error. 

Thanks.

[SG]

working on this here https://github.com/floragunncom/search-guard-kibana-plugin/issues/58

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c9b7c580-1ad8-4569-a17a-f7a6cb88e668%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.