Kibana: [Ingest Management] a user with the role kibana_admin cannot login

Created on 25 Jun 2020  路  6Comments  路  Source: elastic/kibana

Kibana version:
8.0.0-SNAPSHOT
Elasticsearch version:
8.0.0-SNAPSHOT
Server OS version:
Linux #1 SMP Tue Sep 3 02:58:08 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux (SNAPSHOT Docker container)
Browser version:
Chrome 83
Browser OS version:
MacOS 10.15.5
Original install method (e.g. download page, yum, from source, etc.):
Helm chart
Describe the bug:

Users that are not superusers cannot login in Kibana. You can see a trace related to ingest management every time you try to login User not authorized for "/api/ingest_manager/check-permissions": responding with 404

Steps to reproduce:

  1. Enable ingest management and fleet in Kibana
  2. logout
  3. try to login with a user with Kibana_admin role
  4. Kibana return a 403 error
  5. you see the message User not authorized for "/api/ingest_manager/check-permissions": responding with 404 in logs

Expected behavior:

The user login into Kibana.

Screenshots (if relevant):

Errors in browser console (if relevant):

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Provide logs and/or server output (if relevant):

User not authorized for "/api/ingest_manager/check-permissions": responding with 404

Any additional context:

A Kibana without ingest management full configured using the same cluster can login as expected with the same user.

    xpack.ingestManager.enabled: true
    xpack.ingestManager.epm.enabled: true
    xpack.ingestManager.fleet.enabled: true
    xpack.ingestManager.epm.registryUrl: 'https://epr-staging.elastic.co'
beta1 Ingest Management bug
Source
picture kuisathaverat

Most helpful comment

We require user to be superuser and Kibana_admin is not enough to use ingest manager right now, but I think you should see a screen that display that, I am going to investigate

picture nchaulet on 25 Jun 2020
👍2

All 6 comments

Pinging @elastic/ingest-management (Team:Ingest Management)

elasticmachine picture elasticmachine on 25 Jun 2020

@ruflin I think we do require the super user on everything should we try to require the _kibana_admin_ role?

ph picture ph on 25 Jun 2020

We require user to be superuser and Kibana_admin is not enough to use ingest manager right now, but I think you should see a screen that display that, I am going to investigate

nchaulet picture nchaulet on 25 Jun 2020
👍2

@ph the thing is that only superusers can login after enable ingest management, all the rest fail to login.

kuisathaverat picture kuisathaverat on 25 Jun 2020

Oh got it, I think we are doing some api calls in the ingest manager client side plugin start, that we should not do if the user do not have the right permission.

nchaulet picture nchaulet on 25 Jun 2020

This PR merged yesterday will fix that https://github.com/elastic/kibana/pull/69505

Just tested with a kibana_admin user

Screen Shot 2020-06-25 at 11 25 36 AM

nchaulet picture nchaulet on 25 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

bhavyarm picture bhavyarm  路  3Comments
spalger picture spalger  路  3Comments
celesteking picture celesteking  路  3Comments
timroes picture timroes  路  3Comments
tbragin picture tbragin  路  3Comments