43

Is it possible to enable authentication in Kibana in order to restrict access to a dashboard to only be accessible to particular users?

Mads Hansen
Mangoski

5 Answers

38

Kibana itself doesn't support authentication or restricting access to dashboards.

You can restrict access to Kibana 4 using nginx as a proxy in front of Kibana as described here: https://serverfault.com/a/345244. Just set proxy_pass to port 5601 and disable this port on firewall for others. This will completely enable or disable Kibana.

Elastic also has a tool called Shield which enables you to manage security of elasticsearch. With Shield you can for example allow someone to analyze data in specific indexes with read-only permissions. https://www.elastic.co/products/shield


Edit: Elastic has an issue on github and they recommend to use Shield.

  1. Install Shield (plugin for elasticsearch) following these instructions
  2. Configure roles for Kibana users
  3. Configure Kibana to work with Shield

Remember Shield provides only index-level access control. That means user A will be able to see all dashboards but some of them will be empty (because he doesn't have access to all indices).

Community
Luděk Veselý
  • 1
    Is it possible for me to restrict dashboards in kibana using nginx as a proxy? Consider there are 2 users, User A and User B. User A can see only one dashboard among 2 in Kibana while User B can view all the dashboards in kibana. – Mangoski May 11 '15 at 08:42
  • 4
    Probably worth noting here - whilst elasticsearch can be had free, `shield` is subscription and thus can be used on trial for 30d , but will have an ongoing cost. – Sobrique Jan 07 '16 at 11:16
  • 2
    @Sobrique Try this: https://github.com/floragunncom/search-guard - it should be a free alternative to shield. – Luděk Veselý Jan 23 '16 at 19:12
  • 1
    I would discourage applying the access control at the HTTP level (unless you're only interested in HTTP Basic Auth for a single root user). You can have secure read only Kibana dashboards + show only some indices with this plugin: https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin – sscarduzio Apr 04 '16 at 21:44
  • 1
    The official package is now called "x-pack" (formerly shield, A free 30 days trial and then a subscription) https://www.elastic.co/products/x-pack/security. Another option is to use Elastic's hosted solution, called "Cloud", with its built in x-pack. (A free 14 days trial and then a subscription) https://www.elastic.co/cloud/as-a-service – mork May 01 '17 at 06:28
  • @LuděkVeselý DMCA takedown. search-guard is no more – Souradeep Nanda Sep 26 '19 at 05:39
  • Search Guard is alive and kicking: https://docs.search-guard.com/latest/ – Jochen Kressin Sep 26 '19 at 07:11
12

Check this plugin named elasticsearch-readonlyrest. It allows easy access control by authentication or ip/network, x-forwarded-for header, and allows one to set up read-write or read-only access in kibana and limit index access per user. It is simple to set up and should give enough control for most people.

If more control is needed, you can use the search-guard, a free alternative to shield.

higuita
  • I am using this on an elasticsearch database. Does this support security in kibana also? – Luv33preet Jun 30 '17 at 10:50
  • 2
    Yes, this will request auth both in elasticsearch access and in kibana (as it requests the browser to access elasticsearch also). The paid version also has a kibana plugin to also control what to show in kibana for each user – higuita Jul 03 '17 at 16:08
3

Kibana4 doesn't currently support this.

gillyb
0

I have achieved authentication by installing haproxy.

  1. Restrict kibana locally

```
$ sudo nano /etc/kibana/kibana.yml
```

```
server.host: "localhost"
```

  2. Install haproxy on the same machine where kibana is installed

```
$ sudo apt update && sudo apt install haproxy
$ sudo nano /etc/haproxy/haproxy.cfg
```

```
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 10m
    timeout client  10m
    timeout server  10m
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

userlist UsersFor_Kibana
    user kibana insecure-password myPASSWORD

frontend localnodes
    bind *:80
    mode http
    default_backend nodes

backend nodes
    acl AuthOkay_Kibana http_auth(UsersFor_Kibana)
    http-request auth realm Kibana if !AuthOkay_Kibana
    mode http
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server server1 127.0.0.1:5601 check
```

Username: "kibana", password: "myPASSWORD"

When you browse to http://IP:80, a pop-up will come up for authentication.

Shree Prakash
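An audit of the HAProxy setup in the answer above, added here as an example and not part of the original answer. It flags the cleartext `insecure-password` entry, a `bind` without `ssl` in a configuration that enforces `http-request auth`, and a backend `server` that is not on loopback; the function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the userlist, frontend and backend from the answer above.
SAMPLE_CFG = """\
userlist UsersFor_Kibana
    user kibana insecure-password myPASSWORD
frontend localnodes
    bind *:80
backend nodes
    acl AuthOkay_Kibana http_auth(UsersFor_Kibana)
    http-request auth realm Kibana if !AuthOkay_Kibana
    server server1 127.0.0.1:5601 check
"""

SECTIONS = {"global", "defaults", "userlist", "frontend", "backend", "listen"}
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[::1\]):\d+$")


def parse(cfg):
    """Yield (section_header, words) for every directive, comments stripped."""
    section = ""
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        else:
            yield section, words


def audit_haproxy(cfg):
    """Return findings for an HAProxy Basic-auth front end (hypothetical helper)."""
    lines = list(parse(cfg))
    uses_auth = any(w[:2] == ["http-request", "auth"] for _, w in lines)
    findings = []
    for section, w in lines:
        kind = section.split()[0] if section else ""
        if kind == "userlist" and w[0] == "user" and "insecure-password" in w:
            findings.append(f"{section}: user {w[1]} stores a cleartext password")
        elif kind in ("frontend", "listen") and w[0] == "bind" and uses_auth and "ssl" not in w:
            findings.append(f"{section}: bind {w[1]} is plaintext, Basic auth is sent unencrypted")
        elif kind in ("backend", "listen") and w[0] == "server" and len(w) > 2 and not LOOPBACK.match(w[2]):
            findings.append(f"{section}: server {w[2]} is not loopback, firewall that port")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_haproxy(SAMPLE_CFG)))
```

HAProxy's `userlist` also accepts `password` followed by a crypt(3) hash in place of `insecure-password`, and a `bind` line with `ssl crt <pem>` keeps the Basic credentials off the wire in cleartext.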
0

Old question but I wanted to add that there is an open source version of elk from aws. You might be able to use the plugin in the version from elastic.co. https://github.com/opendistro-for-elasticsearch/security

Clintm