Embed Kibana dashboard into other app

I want to embed a Kibana dashboard from an instance that is using ReadonlyREST into another application using an iframe, but I want to skip the authentication window on the exported dashboard so they don’t have to log in again to view it.
I see Kibana has Anonymous access and embedding when using the integrated access control. Is there anything similar when using ReadonlyREST access control?

Hello @oskrdt,

Actually we can do something better than anonymous access: we can embed the authentication in the URL.

Great! I’ll try that.
I just don’t understand how to use the roles and roles_claim to control the access from this section. Do you have any other doc link or can you explain to me how that works?

Sorry about the crappy documentation about this. Will make it better, thanks for pointing it out.

Let’s take this example JWT token, and imagine that your identity provider has produced it, and now the user agent is sending it in the “Authorization: Bearer <…>” header.

The ReadonlyREST plugin will analyze the token and find that the “claims” in the JWT token payload are:

{
  "sub": "1234567890",
  "hasName": "John Doe",
  "hasRoles": ["admins", "devops"],
  "iat": 1516239022
}

In ReadonlyREST you have configured the ACL like this:

readonlyrest:
    access_control_rules:
    - name: Valid JWT token with a admins role
      kibana_access: admin
      jwt_auth:
        name: "my_JWT_connector"
        roles: ["admins"]

    - name: Valid JWT token with a devops role
      kibana_access: rw
      jwt_auth:
        name: "my_JWT_connector"
        roles: ["devops"]

    jwt:
    - name: "my_JWT_connector"
      signature_algo: HMAC
      signature_key: "your_signature_min_256_chars"
      user_claim: "hasName"
      roles_claim: "hasRoles"

Notice that you declare a jwt connector called “my_JWT_connector”, and then you reference it in the ACL blocks.

Notice also that “roles_claim” in the JWT connector definition is literally the JSON key where ReadonlyREST expects to find the array of strings representing the list of roles.

Whereas in the ACL block, you can restrict the match to only certain “roles”.

I hope this helps, let me know if you have more questions.

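To make the relationship between `roles_claim` and `roles` concrete, here is an added Python sketch (not ReadonlyREST code and not written by anyone in this thread) that verifies a token and walks the two ACL blocks from the example above. The key, the helper names, the use of HS256 for `signature_algo: HMAC`, and the first-matching-block-wins evaluation are assumptions of this example.

```python
import base64, hashlib, hmac, json

# Constructed values mirroring the thread's example; not a real key or token.
KEY = b"constructed-demo-key-0123456789-0123456789"
CONNECTOR = {"user_claim": "hasName", "roles_claim": "hasRoles"}
ACL = [  # (block name, kibana_access, jwt_auth.roles), in file order
    ("Valid JWT token with a admins role", "admin", ["admins"]),
    ("Valid JWT token with a devops role", "rw", ["devops"]),
]

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, key=KEY):
    """Build an HS256 token; stands in for the identity provider."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify(token, key=KEY):
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64url(head)).get("alg") != "HS256":
            return None  # the token must not pick its own algorithm
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):
        return None

def evaluate(token):
    """Return (user, kibana_access, block name) for the first matching block."""
    claims = verify(token)
    if claims is None:
        return None
    user = claims.get(CONNECTOR["user_claim"])
    roles = claims.get(CONNECTOR["roles_claim"])
    roles = roles if isinstance(roles, list) else []
    for name, access, allowed in ACL:
        if user and any(role in roles for role in allowed):
            return user, access, name
    return None
```

The sample token carries both roles, so in this model it matches the first block and gets `admin`; a token whose roles sit under any key other than `hasRoles` matches neither block.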