kibana access es always with user "kibanaserver"

[tuse...@gmail.com]

No matter what I config elasticsearch.username and elasticsearch.password in kibana.yml and no matter what valid user I  really use, Kibana access ES always with user "kibanaserver".

such as I have logined in with admin, I want to view all indices in index management, then es log print error:

[2018-10-09T23:12:35,644][INFO ][c.f.s.c.PrivilegesEvaluator] No index-level perm match for User [name=kibanaserver, roles=[], requestedTenant=null] Resolved [aliases=[*], indices=[*], allIndices=[*], types=[*], isAll()=true, isEmpty()=false] [Action [indices:monitor/stats]] [RolesChecked [sg_own_index, sg_kibana_server]]

[2018-10-09T23:12:35,644][INFO ][c.f.s.c.PrivilegesEvaluator] No permissions for [indices:monitor/stats]

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version

    SG  6.4.0.15        6.4.0

* Installed and used enterprise modules, if any

  ES SG plugin, Kibana SG plugin

* JVM version and operating system version

 jvm 8, centos 7

* Search Guard configuration files

* Elasticsearch log messages on debug level

* Other installed Elasticsearch or Kibana plugins, if any

[Jochen Kressin]

Can you please post your SG config files and the kibana.yml you are using?

[tuse...@gmail.com]

sg_config.yml is default.

kibana.yml:

server.port: 5601

server.host: "0.0.0.0"

server.name: "kibana-beta"

elasticsearch.username: "kibanaserver"

elasticsearch.password: "kibanaserver"

xpack.security.enabled: false

xpack.monitoring.kibana.collection.enabled: false

xpack.monitoring.ui.enabled: false

# Optional setting that enables you to specify a path to the PEM file for the certificate

# authority for your Elasticsearch instance.

elasticsearch.ssl.certificateAuthorities: [ "/usr/local/kibana/config/root-ca.pem" ]

elasticsearch.ssl.verificationMode: certificate

# Specifies the path where Kibana creates the process ID file.

pid.file: /data/kibana/run/kibana.pid

# Enables you specify a file where Kibana stores log output.

logging.dest: /data/kibana/logs/sys.log

path.data: /data/kibana/data/

searchguard.readonly_mode.roles: ["sg_readall", ...]

在 2018年10月10日星期三 UTC+8上午1:33:53，Jochen Kressin写道：

[Mohammad Idrees]

hi,

I also have the same problem and I am troubleshooting since one week. did you find any solution?

thanks

[Manjula Piyumal]

Hi,

Did anyone find a solution for this? I'm also having the same problem.

Thanks

[Jochen Kressin]

Such an issue never surfaced anywhere in the integration tests, so we need to debug a bit.

A couple of questions:

You write: "No matter what I config elasticsearch.username and elasticsearch.password in kibana.yml ... ". Do you mean that changing these values has no effect? So if you change kibanaserver to something else Kibana will still start? This should not be the case because if these credentials are not correct Kibana can't connect to Elasticsearch at all.

You write " no matter what valid user I  really use". This means you are using Basic Authentication and use the Search Guard login form to log in, correct?

Can you open the Developer Tools in your browser (Chrome example attached) and inspect the HTTP POST request that us authenticating the user (see screenshot)?

And can you inspect the session storage after you logged in? You should see a user entry, what is the value? 

If you navigate to the "Tenants" page, what role is displayed in the upper right corner (also see Screenshot).