Visual Builder appears not to honour Kibana elasticsearch.username/password settings #11813

Closed
ceeeekay opened this issue May 16, 2017 · 5 comments
Labels:
bug (Fixes for quality problems that affect the customer experience)
Feature:Visualizations (Generic visualization features, in case no more specific feature label is available)


ceeeekay commented May 16, 2017

Kibana version: 5.4.0
Elasticsearch version: 5.4.0
Server OS version: Ubuntu 16.04.2
Browser version: Firefox 53.0.2
Browser OS version: Ubuntu 14.04.5
Original install method (e.g. download page, yum, from source, etc.): Elastic apt repo

Description of the problem including expected versus actual behavior:
Actual: When launching Visual Builder, with Kibana configured to use an Nginx reverse proxy + auth, Visual Builder displays an error: "The request for this panel failed". Time fields are also unavailable in Panel Options, when * is set as Index Pattern, i.e., no data is fetched from Elasticsearch.
Expected: A time series graph of count of all events, and no error message.

Steps to reproduce:

  1. Configure Nginx as HTTPS reverse proxy to Elasticsearch, with htauth
  2. Configure Kibana with appropriate elasticsearch.username and elasticsearch.password and HTTPS elasticsearch.url
  3. Attempt to use Visual Builder

All other Kibana vis and tabs work fine with the auth and Nginx settings the way they are. The problem appears to be restricted to Visual Builder.

I've also tested this is an auth issue with Visual Builder by removing the auth section from Nginx. At this point Visual Builder behaves normally with no errors.

Provide logs and/or server output (if relevant):

Kibana log:

May 16 13:19:33 cat-kelp-apps1 kibana[3445]: { Authentication Exception :: {"path":"/*/_field_stats","query":{"level":"indices","ignore_unavailable":true},"body":"{\"fields\":[\"@timestamp\"],\"index_constraints\":{\"@timestamp\":{\"max_value\":{\"gte\":1494811173896,\"format\":\"epoch_millis\"},\"min_value\":{\"lte\":1494897573896,\"format\":\"epoch_millis\"}}}}","statusCode":401,"response":"<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>401 Authorization Required</h1></center>\r\n<hr><center>nginx/1.10.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n","wwwAuthenticateDirective":"Basic realm=\"Elasticsearch user required\""}
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:295:15)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:254:7)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:157:7)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at IncomingMessage.bound (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/dist/lodash.js:729:21)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at emitNone (events.js:91:20)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at IncomingMessage.emit (events.js:185:7)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at endReadableNT (_stream_readable.js:974:12)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at _combinedTickCallback (internal/process/next_tick.js:80:11)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:     at process._tickDomainCallback (internal/process/next_tick.js:128:9)
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   status: 401,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   displayName: 'AuthenticationException',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   message: 'Authentication Exception',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   path: '/*/_field_stats',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   query: { level: 'indices', ignore_unavailable: true },
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   body: '<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body bgcolor="white">\r\n<center><h1>401 Authorization Required</h1></center>\r\n<hr><center>nginx/1.10.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   statusCode: 401,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   response: '<html>\r\n<head><title>401 Authorization Required</title></head>\r\n<body bgcolor="white">\r\n<center><h1>401 Authorization Required</h1></center>\r\n<hr><center>nginx/1.10.0 (Ubuntu)</center>\r\n</body>\r\n</html>\r\n',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   wwwAuthenticateDirective: 'Basic realm="Elasticsearch user required"',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   toString: [Function],
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   toJSON: [Function],
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   isBoom: true,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   isServer: false,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   data: null,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:   output:
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:    { statusCode: 401,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:      payload:
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:       { statusCode: 401,
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:         error: 'Unauthorized',
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:         message: 'Authentication Exception' },
May 16 13:19:33 cat-kelp-apps1 kibana[3445]:      headers: { 'WWW-Authenticate': 'Basic realm="Authorization Required"' } },

Nginx logs (note no username):

10.2.12.91 - - [16/May/2017:13:19:32 +1200] "GET /*/_mapping/field/*?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1" 401 204 "-" "-"
10.2.12.91 - - [16/May/2017:13:19:33 +1200] "POST /*/_field_stats?level=indices&ignore_unavailable=true HTTP/1.1" 401 204 "-" "-"
10.2.12.91 - - [16/May/2017:13:19:33 +1200] "GET /*/_mapping/field/*?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1" 401 204 "-" "-"

Kibana config:

server.port: 443
server.host: "0.0.0.0"
elasticsearch.url: "https://cat-kelp-query2:9200"
elasticsearch.preserveHost: true
kibana.index: ".kibana"
kibana.defaultAppId: "discover"
elasticsearch.username: "kibana-user"
elasticsearch.password: "xxxxxx"
server.ssl.cert: /etc/nginx/ssl/cat-kelp-apps.crt
server.ssl.key: /etc/nginx/ssl/cat-kelp-apps.key
elasticsearch.ssl.verify: false

Nginx proxy/auth fragment:

  location ~ ^/.* {
    satisfy any;
    allow 127.0.0.0/8;
    deny all;
    auth_basic "Elasticsearch user required";
    auth_basic_user_file /etc/nginx/conf.d/es-user.htpasswd;
    proxy_pass http://localhost:9201;
    proxy_read_timeout 90;
  }
Contributor

epixa commented May 17, 2017

To be clear, essentially no end-user features in Kibana use the elasticsearch.username and elasticsearch.password. Those values are only used for the internal server user, which performs background behaviors such as creating the .kibana index on startup and performing Elasticsearch healthchecks.

All end-user requests are authenticated with the credentials of whatever user is currently logged in. How is your authentication proxy passing authentication info? Via a header?

Author

ceeeekay commented May 18, 2017

@epixa sorry about the confusion on my end re. use of elasticsearch.username - I was aware of its use and promptly forgot about that while debugging this issue (which makes the topic rather incorrect as well).

The fact remains that Visual Builder does not appear to provide auth to nginx, as you can see in the nginx logs above. All other log entries from Kibana contain username info; either the elasticsearch.username user, or the currently auth'ed Kibana user, e.g.,

10.2.12.91 - ceeeekay [18/May/2017:15:56:09 +1200] "GET /.kibana/_mapping/*/field/_source HTTP/1.1" 200 460 "-" "-"

vs

10.2.12.91 - - [18/May/2017:15:56:11 +1200] "GET //_mapping/field/?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1" 401 204 "-" "-"

We're passing auth as a standard http auth header, which works for all other aspects of Kibana.

Cheers.
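
The comparison made in the comment above (requests nginx logged with a user name versus requests logged with "-"), as an added example that is not part of the original thread. It groups 401 responses that carried no Basic credentials by endpoint; the function names are assumptions, the first four sample lines are copied from the logs in this issue, and the last one is constructed.

```python
import re
from collections import Counter

# nginx access-log layout as quoted in this issue: addr - $remote_user [time] "request" status size
LINE_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse(line):
    """Return the fields of one access-log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # group by path, ignoring the query string
    return rec

def classify(rec):
    """Separate 'no Basic credentials sent' from 'a user name was sent but the request was refused'."""
    if rec["status"] != 401:
        return "other"
    return "no-credentials" if rec["user"] == "-" else "credentials-rejected"

def missing_auth_by_endpoint(lines):
    """Count 401s logged without a user name, per (method, path)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if classify(rec) == "no-credentials":
            hits[(rec["method"], rec["path"])] += 1
    return hits

def paths_never_authenticated(lines):
    """Paths that only ever arrive without a user name: one client code path is dropping the header."""
    anon, authed = set(), set()
    for rec in filter(None, map(parse, lines)):
        (anon if rec["user"] == "-" else authed).add(rec["path"])
    return anon - authed

SAMPLE = [  # first four lines copied from the logs in this issue; the last one is constructed
    '10.2.12.91 - - [16/May/2017:13:19:32 +1200] "GET /*/_mapping/field/*?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1" 401 204 "-" "-"',
    '10.2.12.91 - - [16/May/2017:13:19:33 +1200] "POST /*/_field_stats?level=indices&ignore_unavailable=true HTTP/1.1" 401 204 "-" "-"',
    '10.2.12.91 - - [16/May/2017:13:19:33 +1200] "GET /*/_mapping/field/*?ignore_unavailable=false&allow_no_indices=false&include_defaults=true HTTP/1.1" 401 204 "-" "-"',
    '10.2.12.91 - ceeeekay [18/May/2017:15:56:09 +1200] "GET /.kibana/_mapping/*/field/_source HTTP/1.1" 200 460 "-" "-"',
    '10.2.12.91 - alice [18/May/2017:15:57:00 +1200] "GET /_cluster/health HTTP/1.1" 401 204 "-" "-"',
]

if __name__ == "__main__":
    for (method, path), n in missing_auth_by_endpoint(SAMPLE).items():
        print(f"{n} x 401 without credentials: {method} {path}")
    print("never authenticated:", sorted(paths_never_authenticated(SAMPLE)))
```
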

Contributor

epixa commented May 20, 2017

That is really weird. I just checked the code, and it seems to be doing what it should be doing in order to pass along authentication headers just like everything else. I haven't had a chance to dig into this further, but I'm going to mark this as a bug now in case anyone else is free to look into it.

epixa added the Feature:Visualizations and bug labels and removed the feedback_needed label on May 20, 2017

@thomasneirynck
Contributor

This may be fixed with #11656. Going into next patch release 5.4.1.

Author

ceeeekay commented Jun 2, 2017

@epixa @thomasneirynck resolved in 5.4.1 - thanks :)
