For any future reference, the opendistro_security.cookie.secure option sets the secure flag on the cookies. If you access your kibana instance over http (not https), these cookies are not sent over the unsecured connection. In general the secure option prevents cookies from being sent over an unsecured connection.

Thanks for the quick reply! The cherry pick 3886e95 didn't fix it, but your proposed change in #4357 did. Can be closed for me.

I also observed this behavior after an upgrade to 1.8.6 (from something old). Any group pad results in "You do not have permission to access this pad". I also tried to disable the access restrictions to the pad (via setPublicStatus), which at least changes the behavior. After this, the pad is stuck at "Loading..." I also found these errors in the logs when trying to load the "public" group pad:

[ERROR]  console - (node:16329) UnhandledPromiseRejectionWarning: ReferenceError: sesionAuthorID is not defined
    at Object.exports.checkAccess (/[...]/src/node/db/SecurityManager.js:129:56)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async Socket.<anonymous> (/srv/www/htdocs/pad.fs.tum.de/src/node/handler/SocketIORouter.js:101:34)

[WARN] console - handleClientReady(): client submitted no author name. Using "Anonymous". See: issue #3612

I used this to set up the group etc.:

#!/bin/bash
host="https://[...]"
apikey="[...]"
apiversion="1"

authorName="tester"
validUntil=$(($(date +%s) + 10000))
padName="Test"
echo "validUntil ${validUntil}"

groupID=$(curl -s "${host}/api/${apiversion}/createGroup?apikey=${apikey}" | jq -r '.data.groupID')
authorID=$(curl -s "${host}/api/${apiversion}/createAuthorIfNotExistsFor?apikey=${apikey}&name=${authorName}" | jq -r '.data.authorID')
sessionID=$(curl -s "${host}/api/${apiversion}/createSession?apikey=${apikey}&groupID=${groupID}&authorID=${authorID}&validUntil=${validUntil}" | jq -r '.data.sessionID')

echo "Group   ID: ${groupID}"
echo "Author  ID: ${authorID}"
echo "Session ID: ${sessionID}"

padID="${groupID}\$${padName}" 
echo ${padID}

sessionInfo=$(curl -s "${host}/api/${apiversion}/getSessionInfo?apikey=${apikey}&sessionID=${sessionID}")
echo "SessionInfo: ${sessionInfo}" 
groupPad=$(curl -s "${host}/api/${apiversion}/createGroupPad?apikey=${apikey}&groupID=${groupID}&padName=${padName}" | jq -r '.message')
echo "Group  Pad: ${groupPad}"
padInfo=$(curl -s "${host}/api/${apiversion}/getPublicStatus?apikey=${apikey}&padID=${padID}")
echo "Pad Info: ${padInfo}"

#setPublic
padPublic=$(curl -s "${host}/api/${apiversion}/setPublicStatus?apikey=${apikey}&padID=${padID}&publicStatus=True")
echo "Pad public ${padPublic}"

I couldn't find an easy way with curl to check if the pad would load, so I tested this manually. I also tried setting the username with "userName=tester" as get parameter, but it didn't change anything. Also tried different api versions, but it didn't change anything.

I'm running on debian buster being an apache2 proxy (set up according to: https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy), node v13.13.0 and mariadb. I also tried running the cleanRun, but to no avail.

To get back to a working state (allow all) I tried to debug the SecurityManager.js. It seems that sessionAuthorID is undefined when I try to access the pad.