I want to embed a kibana dashboard from an instance that is using ReadonlyREST to another application using iFrame, but I want to skip the authentication window on the exported dashboard so they don’t have to login again to view it.
I see Kibana has Anonymous access and embedding when using the integrated access control. Is there anything similar when using ReadonlyREST access control?
Hello @oskrdt,
Actually we can do something better than anonymous access: we can embed the authentication in the URL.
Great! I’ll try that.
I just don’t understand how to use the roles and roles_claim settings to control the access from this section. Do you have any other doc link, or can you explain to me how that works?
Sorry about the crappy documentation about this. Will make it better, thanks for pointing out.
Let’s take this example JWT token, and imagine that your identity provider has produced it, and now the user agent is sending it in the “Authorization: Bearer <…>” header.
ReadonlyREST plugin will analyze the token and find that the “claims” in the JWT token payload are:

```json
{
  "sub": "1234567890",
  "hasName": "John Doe",
  "hasRoles": ["admins", "devops"],
  "iat": 1516239022
}
```
In ReadonlyREST you have configured the ACL like this:

```yaml
readonlyrest:
  access_control_rules:

    # Blocks are evaluated top to bottom; the first one whose rules all match wins.
    # A token whose roles array contains "admins" lands here and gets Kibana admin access.
    - name: Valid JWT token with an admins role
      kibana_access: admin
      jwt_auth:
        name: "my_JWT_connector"
        roles: ["admins"]

    # A token carrying "devops" but not "admins" falls through to this block.
    - name: Valid JWT token with a devops role
      kibana_access: rw
      jwt_auth:
        name: "my_JWT_connector"
        roles: ["devops"]

  jwt:
    - name: "my_JWT_connector"
      signature_algo: HMAC
      signature_key: "your_signature_min_256_chars"   # shared secret used to verify the HMAC signature
      user_claim: "hasName"                           # JSON key holding the username
      roles_claim: "hasRoles"                         # JSON key holding the array of role strings
```
Notice that you declare a jwt connector called “my_JWT_connector”, and then you reference it in the ACL blocks.
Notice also that “roles_claim” in the JWT connector definition is literally the JSON key where ReadonlyREST expects to find the array of strings representing the list of roles.
Whereas in the ACL block, you can restrict the match to only certain “roles”.
I hope this helps, let me know if you have more questions.
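To make the relationship between roles_claim and the per-block roles concrete, here is an added, stand-alone Python model of the flow described above. It is example code written for this page, not ReadonlyREST's own implementation: it mints an HS256 token with the claims from the post, verifies the signature the way the connector would, pulls the username out of user_claim and the role list out of roles_claim, and then walks the ACL top to bottom. It assumes two things about ReadonlyREST's evaluation, both stated in the code: the first block whose rules match wins, and a jwt_auth roles list is satisfied when at least one of the listed roles appears in the token's roles array. The ACL dict, the mint helper and the placeholder key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Placeholder secret mirroring the connector's signature_key in the post (constructed for this example).
SIGNATURE_KEY = b"your_signature_min_256_chars"

# Python mirror of the jwt connector and the two ACL blocks above (constructed, not ROR's own objects).
JWT_CONNECTOR = {"user_claim": "hasName", "roles_claim": "hasRoles"}
ACL = [
    {"name": "Valid JWT token with an admins role", "kibana_access": "admin", "roles": {"admins"}},
    {"name": "Valid JWT token with a devops role", "kibana_access": "rw", "roles": {"devops"}},
]


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """What the identity provider does: build a compact HS256 JWT over the given claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload claims if the token is well formed and its HMAC verifies, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token pick "none" or switch to another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        # Covers bad base64, wrong number of segments and invalid JSON.
        return None


def authorize(authorization_header: str, key: bytes = SIGNATURE_KEY) -> Optional[dict]:
    """Model of the ACL walk: first block whose roles intersect the token's roles_claim array wins.

    Assumed ROR semantics (see lead-in): blocks are tried in order and a jwt_auth roles list
    matches when at least one listed role is present in the token.
    """
    prefix = "Bearer "
    if not authorization_header.startswith(prefix):
        return None
    claims = verify_hs256(authorization_header[len(prefix):], key)
    if claims is None:
        return None
    user = claims.get(JWT_CONNECTOR["user_claim"])
    token_roles = claims.get(JWT_CONNECTOR["roles_claim"], [])
    if not isinstance(token_roles, list):          # tolerate a single string instead of an array
        token_roles = [token_roles]
    for block in ACL:
        if block["roles"] & set(token_roles):
            return {"user": user, "block": block["name"], "kibana_access": block["kibana_access"]}
    return None                                     # no block matched: request is forbidden


if __name__ == "__main__":
    claims = {"sub": "1234567890", "hasName": "John Doe", "hasRoles": ["admins", "devops"], "iat": 1516239022}
    token = mint_hs256(claims, SIGNATURE_KEY)
    print(authorize("Bearer " + token))
```

Running it shows John Doe landing in the first block with admin access because his hasRoles array contains "admins"; a token with only "devops" falls through to the rw block, a token with neither role matches nothing, and a token signed with a different key or declaring alg=none is rejected before the ACL is consulted. One caveat on the placeholder key: RFC 7518 requires an HS256 key of at least 256 bits (32 bytes), so a real deployment should use a longer random secret than the 28-byte string reused here to line up with the config.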