-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automated Reporting triggered using Apikey because authorization fails #76210
Comments
Pinging @elastic/kibana-security (Team:Security) |
Hey @lucabelluccini, I see the same results as you in terms of the I created the {
"username" : "toto",
"roles" : [
"reporting_user",
"kibana_admin",
"key"
],
"full_name" : "",
"email" : "",
"metadata" : { },
"enabled" : true,
"authentication_realm" : {
"name" : "native1",
"type" : "native"
},
"lookup_realm" : {
"name" : "native1",
"type" : "native"
},
"authentication_type" : "realm"
} I created an API key using the
Which gave me: {
"id" : "3g3MSXQBVO8PKDtGp5QH",
"name" : "my-api-key",
"api_key" : "gle3H2e-Rr6ghOMm6_3azw"
} Base64 encoding
I was also able to do this with the The error you received ( I agree that there is an issue with how Reporting authorizes access - since it relies on role names, and authentication via API Keys does not return the set of roles from the backing user. |
This is the reason that Reporting shows that the user is "unable to generate reports." As you say, we rely on finding the role names of the user, and matching them against the allowed roles. @legrego any suggestions on how we can move forward with this? Is it at all possible to get back the original role names in the authenticate API when it is ApiKey auth? |
I don't think there's any way to make this work while still relying on role names. If we want reporting to work with API keys then it really needs to move to a Kibana Application privilege. |
I agree with Tim - moving to a Kibana Application privilege is likely the way forward here |
We should fix the documentation and any mention we can find that suggests to use API Key authorization to run a report. I filed a separate issue to decide how to move away from the role-based authorization model: #76964 |
+1 to this issue - I was trying to add snapshots to some code that already uses API keys and was very surprised to find my superuser's API key doesn't have permission to generate reports. It sounds like the work-around in the mean time is to switch to user-based authentication / basic auth? |
Pinging @elastic/kibana-app-services (Team:AppServices) |
Pinging @elastic/kibana-reporting-services (Team:Reporting Services) |
Depends on #19914 |
Kibana version: 7.8.1, 7.9.0
Elasticsearch version: aligned
Describe the bug:
It is not possible to trigger an automated PDF report using the POST URL and using the Apikey authentication (which should be enabled by default as per https://www.elastic.co/guide/en/kibana/master/kibana-authentication.html#http-authentication)
Steps to reproduce:
elastic
(superuser)elastic
curl
request as follows:Response:
Expected behavior:
Start the generation of the PDF report.
Comments:
reporting_user
role, as it expects role descriptions, not role names./api/saved_objects/_find?type=index-pattern&search_fields=title&search=*
> Response 403/api/security/role
> Response OKnative
custom user (toto
), instead of areserved
user (elastic
) and I get the same behavior.This is the output when I request my authentication info from Elasticsearch using
GET _security/_authenticate
(usertoto
logged in in Basic auth):The output when hitting the same API using an API key generated from
toto
(apikey auth):The output when hitting the same API using an API key generated from
elastic
(apikey auth):Given such results, it seems the ApiKey authentication is not handled in a uniform way across the APIs.
Please let me know if we should open a more generic issue (instead of focusing on Reporting).
The text was updated successfully, but these errors were encountered: