Internal Server Error for Dashboard only mode user - elastic-stack

I have created a dashboard and shared it with another computer, which uses a demo user with the role kibana_dashboard_only_user.
Now when I open the shared dashboard with the demo user's login credentials, it shows an error like:
Internal Server Error
Error: Internal Server Error
SearchError@http://10.42.35.14:5601/bundles/commons.bundle.js:3:298201
_callee2$/<.searching</<@http://10.42.35.14:5601/bundles/commons.bundle.js:4:324908
processQueue@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:199687
scheduleProcessQueue/<@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:200650
$digest@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:210412
$apply@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:213219
done@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:132717
completeRequest@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:136329
requestLoaded@http://10.42.35.14:5601/built_assets/dlls/vendors.bundle.dll.js:427:135225

Does the user have read permissions on the index? Just dashboard permissions alone are not enough; this is unfortunately not super obvious.
The user (or role) needs to have at least the read permission on the desired index in addition to the dashboard-only role.
Check the documentation here:
https://www.elastic.co/guide/en/kibana/current/xpack-dashboard-only-mode.html#grant-read-access-to-indices
BTW, the feature has generally been reworked and is deprecated in its old form.
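The check the answer describes, as an added example that is not part of the original thread: given the roles assigned to a user, list the indices behind a dashboard that none of those roles can search. The role contents, the `demo_logs_reader` role and the index names are constructed for illustration; only `kibana_dashboard_only_user` is named on the page.

```python
from fnmatch import fnmatchcase

# Privileges that allow searching an index; "all" includes "read".
READ_PRIVS = {"read", "all"}

# Constructed role definitions, shaped like the bodies returned by the
# Elasticsearch role API. Contents and index names are illustrative.
ROLES = {
    "kibana_dashboard_only_user": {
        "indices": [{"names": [".kibana*"],
                     "privileges": ["read", "view_index_metadata"]}],
    },
    "demo_logs_reader": {  # hypothetical role granting access to the data
        "indices": [{"names": ["weblogs-*"],
                     "privileges": ["read", "view_index_metadata"]}],
    },
}


def can_read(role_names, index, roles=ROLES):
    """True if any assigned role grants a read-capable privilege on index.

    Simplification: only '*' style wildcards are modelled (via fnmatch);
    regular-expression index patterns are not handled.
    """
    for name in role_names:
        for grant in roles.get(name, {}).get("indices", []):
            if not READ_PRIVS & set(grant.get("privileges", [])):
                continue
            if any(fnmatchcase(index, pat) for pat in grant.get("names", [])):
                return True
    return False


def unreadable_indices(role_names, dashboard_indices, roles=ROLES):
    """Indices a dashboard queries that the user's roles cannot search."""
    return [i for i in dashboard_indices if not can_read(role_names, i, roles)]


if __name__ == "__main__":
    needed = [".kibana", "weblogs-2019.01.01"]
    print(unreadable_indices(["kibana_dashboard_only_user"], needed))
    print(unreadable_indices(["kibana_dashboard_only_user", "demo_logs_reader"], needed))
```

A non-empty result for the dashboard-only user alone corresponds to the situation in the question: the dashboard loads, but its searches against the data index are rejected.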

Related

What is the workflow for a basic Auth OIDC with Keycloak

I have Keycloak on Docker (v20.0.2) and, as you know, some versions change some or a good part of the UI, so it is hard to follow tutorials around the web...
I am trying to follow this particular tutorial
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the most up to date. My Keycloak is actually behind Traefik and thomseddon/traefik-forward-auth with a docker-compose file (but the connection through Traefik is good and I have access to the admin UI).
So at step 10 of the tutorial things change for me; I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper"; I don't understand this bit
then just follow the tutorial
With that series of steps I get an error when retrieving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
(these are fake local data from the realm I created for testing)
that responds with a or something similar. I have also tried to change the grant_type to password, and the same happens: I cannot query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with a scope/role as the tutorial suggests, then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who cannot.
Is there any step that I'm missing from this update? Do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer JSON instead of XML) that connects to this Keycloak to allow users or not based on their scope/role/permission or something.
I need to be able to block users, so if user Student tries to access a URL from another Student, that URL gets blocked for him. So it is based on the role or scope, or I don't know which is preferred or easier to accomplish; the mission is to block users or not based on a factor that could be used for this in Keycloak.
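The access rule described in the question, sketched as an added example that is not part of the original post: an authorization check over access-token claims that requires a realm role per route and, for per-student URLs, that the caller owns the resource. The route table, role names and sample claims are hypothetical; the token's signature, issuer, audience and expiry are assumed to have been verified by a JWT library beforehand, and `preferred_username` is assumed to be present in the token.

```python
import re

# Hypothetical route table for the API: path pattern -> realm role required.
ROUTES = [
    (re.compile(r"^/students/(?P<owner>[^/]+)/grades$"), "student"),
    (re.compile(r"^/teachers/reports$"), "teacher"),
]

# Constructed claims, shaped like the payload of a Keycloak access token.
ALICE = {
    "sub": "constructed-id-1",
    "preferred_username": "alice",
    "realm_access": {"roles": ["student"]},
}


def realm_roles(claims):
    """Realm roles as Keycloak places them in the access token."""
    return set(claims.get("realm_access", {}).get("roles", []))


def authorize(claims, path):
    """Return (allowed, reason) for already-verified token claims.

    Denies by default: a path with no matching route is rejected.
    """
    for pattern, role in ROUTES:
        match = pattern.match(path)
        if not match:
            continue
        if role not in realm_roles(claims):
            return False, "missing role " + role
        owner = match.groupdict().get("owner")
        # Per-user resources: the role alone is not enough, the caller
        # must also be the user named in the URL.
        if owner is not None and owner != claims.get("preferred_username"):
            return False, "not the resource owner"
        return True, "ok"
    return False, "no matching route"


if __name__ == "__main__":
    for p in ("/students/alice/grades", "/students/bob/grades",
              "/teachers/reports", "/admin"):
        print(p, authorize(ALICE, p))
```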

RHPAM + KEYCLOAK/RHSSO -> Login failed: Not Authorized

So I'm integrating RHSSO (based on Keycloak) with RH Business Central (RHPAM) as the authoring instance, and no matter what I do, after it redirects from the RH-SSO login page to the target/landing page of RHPAM/BusinessCentral I always get the "Login failed: Not Authorized" error.
I have already followed the steps detailed here but still no-go; has anyone come across this before?
https://access.redhat.com/solutions/6859451
If it comes to a page with an unauthorized error message, there are usually role mapping issues; please double-check that the user indeed has the roles needed to log in to RHPAM central.

Keycloak says it imports users but they don't show up

I've set up Keycloak to import users from an OpenLDAP server. As a test run, I went with the default H2 to see if I could get it running. It connects and authenticates correctly. Once I hit synchronize all users, it reports back Success x imported users, 0 changed users. After going into Manage=>Users and clicking on View all Users, it only shows a generic Username user with the email user@user.com.
The only information I get from server.log is the warning message below.
I'm not sure what direction to look for how to fix this. Is there some sort of other place I should look for an error message or some other thing I should try?
2018-12-19 15:56:31,209 WARN [org.keycloak.models.sessions.infinispan.changes.InfinispanChangelogBasedTransaction] (default task-7) Not present cache item for key LoginFailureKey [ realmId=namis. userId=14ed02d1-3ac3-4911-a377-80863f2bde70 ]
Update:
I checked the user_entity table after import and the users are there. Once I go to Manage Users, the users from the realm disappear from the database.
I turned on trace level logging and found the error message
[org.keycloak.storage.UserStorageManager] (default task-1) Removed invalid user 'John Doe'
I searched through the source code and found the function, importValidation, that calls the function which removes the user. This seems to happen when a storage provider is null or validate is called on a user and realm and it returns a null UserModel.
I also had this issue today and it's possible to just remove the username mapper altogether, as the username attribute is already mapped from the Username LDAP attribute in the User Federation settings.
It turns out I had one of the mappers incorrect. The username mapper was not mapped to the correct LDAP attribute.

In IBM Connections can you retrieve another user's activity feed?

In IBM Connections 4.0, is there any way to get another user's activity stream? I can get my stream with @me, but if I try my Connections ID or another user's ID I get the following error:
This works:
/opensocial/basic/rest/activitystreams/@me/@following/@all?rollup=true
This returns an error - my id:
/opensocial/basic/rest/activitystreams/7AF0B251-9F97-CA6D-8525-61370072A674/@following/@all?rollup=true
Error 400: The user ID(s) [7AF0B251-9F97-CA6D-8525-61370072A674] is/are not recognized by the system.
And I know this is my ID....
<userid>7AF0B251-9F97-CA6D-8525-61370072A674</userid>
Any suggestions...the manual says the following which doesn't sound good but doesn't totally close the door either:
As per the OpenSocial standard, a given user's Activity Stream is retrievable by:
1. Specifying that user (@me in the URLs below, IBM Connections does not generally allow retrieval of other users' streams).
Any help would be appreciated....
This should do it: https://connections.ibm.com/common/opensocial/basic/rest/activitystreams/urn:lsid:lconn.ibm.com:profiles.person:91ae7240-8f0a-1028-8400-db07163b51b2/@involved/@all?rollup=true&shortStrings=true&format=atom (plug in the right user id)

Request Tracker for Users created without privileges

I have configured Request Tracker 4 to be an interdepartmental helpdesk solution. The current setup is that users log in to RT using LDAP. Once logged in, their account is automatically created. However, their account is created with no privileges.
To fix this I have been having to go to Tools-->Configuration-->Select, then put in the user's DN name and click add; I then have to check the box "Let this user be granted rights (Privileged)". I have also tried setting Set($AutoCreate, Privileged); but no luck.
I looked at the user accounts in the sqlite database and noticed that when a new user logs in, they are indeed created in the database, but with no privileges.
709|tuser3|*NO-PASSWORD*|||||||tuser3|||||||tuser3||tuser3|||||||||||||1|2013-03-08 13:47:38|1|2013-03-08 13:47:38
791|Mayra|*NO-PASSWORD*||||Mayra#**************||Main Office|Mayra Hernandez|||||||Mayra||Mayra||**************|||||||||||1|2013-04-03 21:46:36|1|2013-04-03 21:46:36
797|sdrakeford|*NO-PASSWORD*||Autocreated when added as a watcher||sdrakeford#**************|||Sophia C. Drakeford|||||||sdrakeford||sdrakeford|||||||||||||1|2013-04-04 13:18:58|1|2013-04-04 13:18:58
827|Robert.Troy|*NO-PASSWORD*||||Robert.Troy#*******************||Main Office|Robert Troy|||||||Robert.Troy||Robert.Troy||***************|||||||||||1|2013-04-04 16:11:58|1|2013-04-04 16:11:59
Am I missing something, because usually these things are quite obvious.
The $AutoCreate option takes a hashref with all of the default options you want to pass to the User Create method. Try something like:
Set($AutoCreate, {
    Privileged => 1
});
(As an aside, it's generally not recommended to run a production instance on sqlite. You might want to consider converting to MySQL or Postgres.)