sentinl: Using 6.4.2 Sentinl results in 'Watchers: list watchers : list watcher : Authentication Exception'

System Details

Versions

Type           Version
Kibana         6.4.2
Elasticsearch  6.4.2
Server OS      Docker on Redhat 7.5
Browser        Firefox

Original Install Method

Bug Details

Bug Description

Steps to Reproduce

  1. Accessing the Sentinl app fails with the following error: Watchers: list watchers : list watcher : Authentication Exception. More Info shows:
SentinlError@https://wa-knsg-elkdev1.acme.local:5601/bundles/sentinl.bundle.js:50:241102
_callee4$@https://wa-knsg-elkdev1.acme.local:5601/bundles/sentinl.bundle.js:50:262600
tryCatch@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:43:57426
invoke@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:43:61311
defineIteratorMethods/</prototype[method]@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:43:58547
step@https://wa-knsg-elkdev1.acme.local:5601/bundles/sentinl.bundle.js:50:259118
step/<@https://wa-knsg-elkdev1.acme.local:5601/bundles/sentinl.bundle.js:50:259286
run@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:43:25850
notify/<@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:43:26090
flush@https://wa-knsg-elkdev1.acme.local:5601/bundles/vendors.bundle.js:173:132168

Expected Behavior

No errors

Kibana logs and/or server output (attached if relevant)

kibana-wazuh-kibana-5 | 2018-10-31T03:46:55.042466000Z {"type":"log","@timestamp":"2018-10-31T03:46:55Z","tags":["error","Sentinl","scheduler"],"pid":1,"message":"fail to schedule watchers: list watchers : find : Request Timeout after 30000ms"}  
kibana-wazuh-kibana-5 | 2018-10-31T03:47:07.888242000Z {"type":"error","@timestamp":"2018-10-31T03:47:07Z","tags":["warning","stats-collection"],"pid":1,"level":"error","error":{"message":"Request Timeout after 30000ms","name":"Error","stack":"Error: Request Timeout after 30000ms\n    at /usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:354:15\n    at Timeout.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:383:7)\n    at ontimeout (timers.js:498:11)\n    at tryOnTimeout (timers.js:323:5)\n    at Timer.listOnTimeout (timers.js:290:5)"},"message":"Request Timeout after 30000ms"}  
kibana-wazuh-kibana-5 | 2018-10-31T03:47:07.891640000Z {"type":"log","@timestamp":"2018-10-31T03:47:07Z","tags":["warning","stats-collection"],"pid":1,"message":"Unable to fetch data from kibana collector"}

No other errors logged in ElasticSearch

Any additional information

I am running SearchGuard 23.2. I have also applied the SearchGuard requirements as documented here: https://docs.search-guard.com/latest/search-guard-sentinl I’m not sure if this is a security exception within SearchGuard, as SearchGuard logs permission issues encountered and no such errors have been logged.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 19 (6 by maintainers)

Most upvoted comments

Just in case, I’m using the following rules with ReadonlyREST (not optimal, just a working example):

    - name: 'Sentinl main ro'
      auth_key_sha256: '<key>'
      actions: [ 'cluster:monitor/main', 'indices:admin/template/get', 'indices:admin/template/put', 'indices:data/read/*' ]
      indices: [ '*logstash*' ]
      verbosity: error

    - name: 'Sentinl kibana/watcher rw'
      auth_key_sha256: '<key>'
      actions: [ 'indices:data/read/*', 'indices:data/write/*' ]
      indices: [ '.kibana*', 'watcher*' ]
      verbosity: error

@sergibondarenko yep, the latest package is running fine (… without any specific ReadonlyREST configuration). Thanks!

The fixed package works for me, thanks

@lbesuchet the release was published 7 days ago, but yesterday I replaced the sentinl-v6.4.2.zip package

@camAtGitHub @lbesuchet There is a pkg with fix, please try it https://github.com/sirensolutions/sentinl/releases/download/tag-6.4.2-0/sentinl-v6.4.2.zip

An example of Search Guard and Sentinl configuration.

1. Configure Sentinl

cd kibana/config

Minimal required config in kibana.yml

sentinl:
  es:
    protocol: https
  settings:
    authentication:
      enabled: true
      username: sentinl
      password: password
    email:
      active: true

2. Configure Search Guard

cd elasticsearch/plugins/search-guard-6/sgconfig

Create a role in sg_roles.yml file

sg_sentinl:
  cluster:
    - indices:data/read/scroll
    - indices:admin/template/put
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana*':
      '*':
        - MANAGE
        - DATA_ACCESS
        - DELETE
        - INDEX
        - SEARCH
    'watcher*':
      '*':
        - MANAGE
        - DATA_ACCESS
        - DELETE
        - CREATE_INDEX
        - INDEX
        - SEARCH
    '*':
      '*':
        - indices:monitor/stats
        - indices:admin/mappings/get
        - READ
        - SEARCH

Create hash from a clear text password

../tools/hash.sh -p password
$2y$12$jgSL8jvZtNuQISaf/hp18ugp23pdpv3ryLHcxpf9lenNyU0uITOb2

Create sentinl user, use the hash and map the role in file sg_internal_users.yml

sentinl:
  hash: $2y$12$jgSL8jvZtNuQISaf/hp18ugp23pdpv3ryLHcxpf9lenNyU0uITOb2
  roles:
    - sentinl

Apply changes while Elasticsearch is running

cd elasticsearch
./plugins/search-guard-6/tools/sgadmin.sh \
   -cd plugins/search-guard-6/sgconfig/ \
   -cacert config/root-ca.pem \
   -cert config/kirk.pem \
   -key config/kirk-key.pem  \
   -nhnv -icl

More

Read Search Guard docs for more details.
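A mismatch between the user, the backend role and the sg_role in the files above is the usual cause of an authentication or permission error when Sentinl lists watchers, and it is cheap to catch before restarting Kibana. The following Python preflight check is an added example, not code from this thread, from Sentinl or from Search Guard. It takes the four configuration fragments as dicts (stand-ins for the parsed YAML files), resolves which sg_roles the sentinl user actually receives, and verifies that those roles grant the needed permissions on the .kibana and watcher indices. Assumptions: Search Guard 6 attaches sg_roles to an internal user through sg_roles_mapping.yml, which the thread does not show, so the mapping entry is assumed; the watcher_alarms-* index name is assumed; and permission groups such as SEARCH or MANAGE are compared by name rather than expanded to action patterns.

```python
"""Preflight consistency check for a Sentinl + Search Guard configuration.

Added example; not code from the issue thread, Sentinl or Search Guard.
The dicts stand in for the parsed YAML files (e.g. yaml.safe_load(open(
'sg_roles.yml'))); their content is constructed from the snippets posted
in the thread, except where marked as an assumption.
"""
from fnmatch import fnmatchcase

# kibana.yml, sentinl section (from the thread)
KIBANA_YML = {
    "sentinl": {
        "es": {"protocol": "https"},
        "settings": {
            "authentication": {"enabled": True, "username": "sentinl", "password": "password"},
            "email": {"active": True},
        },
    }
}

# sg_roles.yml (from the thread)
SG_ROLES = {
    "sg_sentinl": {
        "cluster": ["indices:data/read/scroll", "indices:admin/template/put",
                    "CLUSTER_MONITOR", "CLUSTER_COMPOSITE_OPS"],
        "indices": {
            "?kibana*": {"*": ["MANAGE", "DATA_ACCESS", "DELETE", "INDEX", "SEARCH"]},
            "watcher*": {"*": ["MANAGE", "DATA_ACCESS", "DELETE", "CREATE_INDEX", "INDEX", "SEARCH"]},
            "*": {"*": ["indices:monitor/stats", "indices:admin/mappings/get", "READ", "SEARCH"]},
        },
    }
}

# sg_internal_users.yml (from the thread; bcrypt hash shortened)
SG_INTERNAL_USERS = {"sentinl": {"hash": "$2y$12$...", "roles": ["sentinl"]}}

# sg_roles_mapping.yml -- ASSUMPTION: backend role 'sentinl' -> sg_role 'sg_sentinl'.
# The thread's snippet does not include this file.
SG_ROLES_MAPPING = {"sg_sentinl": {"backendroles": ["sentinl"]}}

# Indices Sentinl must reach and the permission names it needs on them.
# '.kibana' holds the watcher documents; the alarm index name is an assumption.
REQUIRED_INDEX_ACCESS = {
    ".kibana": {"SEARCH", "INDEX"},
    "watcher_alarms-2018.10.31": {"SEARCH", "INDEX", "CREATE_INDEX"},
}


def resolve_sg_roles(username, internal_users, roles_mapping):
    """Return the sg_roles Search Guard would attach to an internal user."""
    backend_roles = set(internal_users.get(username, {}).get("roles", []))
    resolved = set()
    for sg_role, mapping in roles_mapping.items():
        if username in mapping.get("users", []):
            resolved.add(sg_role)
        elif backend_roles & set(mapping.get("backendroles", [])):
            resolved.add(sg_role)
    return resolved


def granted_permissions(index, sg_role_defs):
    """Union of permission names granted on `index` by every matching index pattern
    (Search Guard patterns use '*' and '?', which fnmatch handles the same way)."""
    granted = set()
    for role in sg_role_defs:
        for pattern, by_doc_type in role.get("indices", {}).items():
            if fnmatchcase(index, pattern):
                for perms in by_doc_type.values():
                    granted.update(perms)
    return granted


def check_sentinl_access(kibana_yml, sg_roles, roles_mapping, internal_users):
    """Return a list of problems; an empty list means the four files agree."""
    problems = []
    sentinl = kibana_yml.get("sentinl", {})
    auth = sentinl.get("settings", {}).get("authentication", {})
    if not auth.get("enabled"):
        problems.append("sentinl.settings.authentication.enabled is not true")
    if sentinl.get("es", {}).get("protocol") != "https":
        problems.append("sentinl.es.protocol is not https; Search Guard expects TLS")
    username = auth.get("username")
    if username not in internal_users:
        problems.append(f"user {username!r} is not defined in sg_internal_users.yml")
        return problems
    resolved = resolve_sg_roles(username, internal_users, roles_mapping)
    if not resolved:
        problems.append(f"no sg_roles_mapping.yml entry maps user {username!r} to an sg_role")
        return problems
    for missing_role in sorted(resolved - sg_roles.keys()):
        problems.append(f"sg_role {missing_role!r} is mapped but not defined in sg_roles.yml")
    role_defs = [sg_roles[r] for r in resolved if r in sg_roles]
    for index, needed in REQUIRED_INDEX_ACCESS.items():
        missing = needed - granted_permissions(index, role_defs)
        if missing:
            problems.append(f"{index}: missing {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for p in check_sentinl_access(KIBANA_YML, SG_ROLES, SG_ROLES_MAPPING, SG_INTERNAL_USERS) or ["ok"]:
        print(p)
```

Run it once with SG_ROLES_MAPPING as above and once with it emptied to see the difference: without the mapping the user still authenticates (the bcrypt hash is valid) but receives no sg_role, so every index request is denied. The cleartext password in kibana.yml is only there because the thread shows it that way; keep the file readable by the Kibana user alone.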