Home > Enterprise >  Cannot Setup Elasticsearch/Kibana from Docker: Kibana "missing authentication credentials for R
Cannot Setup Elasticsearch/Kibana from Docker: Kibana "missing authentication credentials for R

Time:08-29

I am unable to set up a development Elasticsearch/Kibana instance from Docker images. I cannot get my Kibana service to connect to my Elasticsearch service.

I have the following docker-compose.yml file.

services:

  elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
    ports:
      - "9200:9200"

  kibana:
    container_name: kibana
    image: docker.elastic.co/kibana/kibana:8.4.0
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200
      - xpack.security.enabled=true
    ports:
      - "5601:5601"

I start with no containers created and run docker compose up. From the instructions in Start the Elastic Stack with security enabled automatically, I was expecting to see the following:

A password is generated for the elastic user and output to the terminal, plus an enrollment token for enrolling Kibana.

No password is generated. When I look through the logs I see the following from the Kibana container.

[ERROR][elasticsearch-service] Unable to retrieve version information from Elasticsearch nodes. security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_nodes?filter_path=nodes.*.version,nodes.*.http.publish_address,nodes.*.ip]
2022-08-27T03:18:39.927296590Z 

When I try to connect to Kiabana via http://localhost:5601 I see a "Kibana server is not ready yet." message that never goes away.

There are no errors in the Elasticsearch logs. That service appears to have started without a problem.

On the Elasticsearch github, Issue #85047: Elastic User Password Not Generated on New Container, also describes the password not automatically being generated. The solution in that case was to run docker compose up without a -d switch, which is what I am already doing.

There is a similar error reported on the Elastic discussion boards, but that was resolved with "The error was that my kibana.yml wasn't in the config-directory." This isn't the case with me.

As far as I call tell, I am doing the same thing as what works in this blog post.

I have tried various modifications to my docker-compose.yml file (e.g. replace ELASTICSEARCH_URL with ELASTICSEARCH_HOST or ELASTICSEARCH_HOSTS, add elasticsearch.username=kibana_system to the Kibana environment variables, or specify an ELASTIC_PASSWORD.). I always get the same error. (Though if I set an ELASTIC_PASSWORD=password environment variable in the Elasticsearch container I can connect via http://localhost:9200 and verify that the Elasticsearch service is running.)

After this failed to work I tried to manually configure minimal security by following the instructions in Set up minimal security for Elasticsearch, but hit the same problem.

If I use elasticsearch-reset-password as described in the manual minimum security setup instructions to set the password for kibana_system to password, the following curl command from my host shell

curl --user kibana_system -X GET "http://localhost:9200/?pretty"

returns a valid response from Elasticsearch. I can also retrieve

curl --user kibana_system -X GET "http://localhost:9200/_nodes?filter_path=nodes.*.version,nodes.*.http.publish_address,nodes.*.ip"

the URL mentioned in the Kibana logs error.

So apparently the kibana_system user is being created with the right password, but it's not getting used properly during Kibana startup.


The following docker-compose.yml copied from this blog post file works.

services:

  elasticsearch:
    image: elasticsearch:2.4
    ports:
      - "9200:9200"
    environment:
      - discovery.type=single-node

  kibana:
    image: kibana:4.6
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_URL=http://elasticsearch:9200

I can immediately log in to Kibana at http://localhost:5601.

Presumably versions 2.4/4.6 are old enough that the security features that are causing problems were not implemented yet.


Version 8.4.0 if I copy the files from the Install Elasticsearch with Docker instructions.

CodePudding user response:

Did you try the 'docker-compose.yml' section from the documentation "Install Elasticsearch with Docker' ? Here a tree node cluster is created. Remember to first provide the .env file. TLS is configured through the setup on-off service. I just tried it, and it works as expected without errors.

# my folder-name is elastic84

la
total 32
-rw-r--r--  1 BJBRA  staff   728B Aug 28 12:40 .env
-rw-r-----  1 BJBRA  staff   1.2K Aug 28 12:45 ca.crt
-rw-r--r--  1 BJBRA  staff   7.9K Aug 28 12:39 docker-compose.yml

docker compose ps
NAME                 COMMAND                  SERVICE             STATUS              PORTS
elastic84-es01-1     "/bin/tini -- /usr/l…"   es01                running (healthy)   0.0.0.0:9200->9200/tcp, 9300/tcp
elastic84-es02-1     "/bin/tini -- /usr/l…"   es02                running (healthy)   9200/tcp, 9300/tcp
elastic84-es03-1     "/bin/tini -- /usr/l…"   es03                running (healthy)   9200/tcp, 9300/tcp
elastic84-kibana-1   "/bin/tini -- /usr/l…"   kibana              running (healthy)   0.0.0.0:5601->5601/tcp
elastic84-setup-1    "/bin/tini -- /usr/l…"   setup               exited (0)

# we need the ca.crt
docker cp elastic84-es01-1:/usr/share/elasticsearch/config/certs/ca/ca.crt .

curl --cacert ca.crt -u elastic:secret https://localhost:9200/_cat/nodes?v
ip         heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
172.21.0.5           63         100   2    0.06    0.19     0.42 cdfhilmrstw *      es03
172.21.0.3           22         100   2    0.06    0.19     0.42 cdfhilmrstw -      es01
172.21.0.4           52         100   2    0.06    0.19     0.42 cdfhilmrstw -      es02

# fire up kibana
open https://localhost:5601

CodePudding user response:

The solution for what I was trying to do is to run without security enabled.

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    container_name: es-node01
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - xpack.security.enrollment.enabled=false
  kibana:
    image: docker.elastic.co/kibana/kibana:8.4.0
    container_name: kib-01
    ports:
      - "5601:5601"

A complete answer is detailed in this thread on the Elastic discussion board.

The summary is that starting with version 8.0, Elastic turns on security by default. In the simplest case, Elastic also sets up the security configuration for you as described in Install Elasticsearch with Docker. However, this automatic setup procedure does not work if you use a Docker compose file instead of running the docker run commands directly. The reasons are complicated and discussed in the thread linked above.

If you want to use Docker compose you can either manually set up security yourself or turn off security.

In my case I am writing one-off proofs of concept so having no security is fine. I'll figure out how to set up security manually if ever need to put something into production.

If I had known to phrase the question as "How do I turn off the automatic security configuration in Elastic versions 8.0 and greater?" the answer would have been straightforward, but I had to figure out the answer in order to realize that was the question to ask.

  • Related