Does session_max_idle work in Kibana?

1

I’m using a self signed ES and I’m trying to get session_max_idle to work when logged into Kibana. I’m hoping that I’m able to get a user’s token to expire if they pass the session_max_idle while logged into kibana. I can get it to work when accessing ES directly, but when signed into Kibana, my cookie never expires. Is that possible?

ssl:
      enable: true
      keystore_file: "keystore.jks"
      keystore_pass: testpass
      key_pass: testpass

    access_control_rules:
    - name: "::KIBANA-SRV::"
      type: allow
      auth_key: kib:kib

    - name: Access -- read only 
      indices: ["production",".kibana"]
      filter: "{\"bool\": {\"must\": [{\"query_string\": {\"query\": \"(name.keyword: @{user} AND _index:production) OR (_index:.kibana)\"}}]}}"
      kibana_access: ro
      session_max_idle: 10s
      type: allow
      jwt_auth:
          name: "JWTPublisher"
          roles: ["viewer"]

kibana.yml

  elasticsearch.url: https://localhost:9200
  elasticsearch.ssl.verificationMode: none

es.yml

  http.type: ssl_netty4
2

Hi @seanziee, you should verify if Kibana these days lets the cookie related headers flow all the way to the browser. If not, you can try use the headers whitelist setting in Kibana

3

Amazing!

I added to kibana.yml:

elasticsearch.requestHeadersWhitelist: ['authorization', 'cookie' ]

And now things work… Woot!

1 Like
4

So now that I’m able to pull in the cookie from the browser, is it possible for ROR to take the auth directly from the cookie? I.e. can I change header_name to something else so that I can get the auth directly from the cookie?


    jwt:
    - name: JWTuser
      signature_algo: HS256
      signature_key: "your-256-bit-secret"
      user_claim: username
      roles_claim: roles 
      header_name: Authorization # CAN I CHANGE THIS FROM HEADER_NAME TO COOKIE NAME OR 
      # SOMETHING SIMILAR TO GET THE AUTH DIRECTLY FROM THE COOKIE?
5

what do you mean? I didn’t understand. What is the goal?