Kibana SSO and bypass Login?


(Roger Seth) #1

Hi,
In continuing with a successful integration of SSO and the Free ROR plugin - we have an additional requirement for hiding kibana apps. In a discussion with the devs and community - it was suggested to use the PRO version we are testing the PRO trial to achieve the same.

A straightforward question arises now that Kibana is fronted by an SSO redirect- how to disable the Login prompt when using the Kibana PRO license? Any documentation to suppress the kibana login prompt so we can continue to use the NGINX custom headers injected as discussed in another thread?


(Simone Scarduzio) #2

You can configure the Kibana plugin to bypass the login form and look for users identity using X-Forwarded-User header.

Just add to kibana.yml

readonlyrest_kbn.proxy_auth_passthrough: true

Another important thing when you delegate the authentication to a proxy, is the logout URL. Typically this is an external URL that invalidates the session, and you want the logout button in the bottom left of the Kibana UI to point there.

You can use another setting in kibana.yml:

readonlyrest_kbn.custom_logout_link: "https://proxy-url/logout"

This stuff is documented in the Kibana plugin documentation, together with other interesting features.


(Roger Seth) #3

Thanks!
I just installed the trial ROR License and setup the Kibana YM configurations as suggested. Previously, without the Kibana ROR - I was able to access the NGINX introduced custom headers correctly in ES:

[2018-05-25T09:20:23,994][INFO ][t.b.r.a.ACL              ] ALLOWED by { name: '::NGINX-RESTRICTED-GROUP::', policy: ALLOW} req={ ID:1943907203-488986116#293, TYP:GetRequest, CGR:N/A, USR:ABC123, BRS:false, KDX:null, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.4, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200, x-access-group=restricted, x-forwarded-user=ABC123}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [Global Write/Admin Access->[auth_key->false]], [Route53 Access->[x_forwarded_for->false]], [::NGINX-RESTRICTED-GROUP::->[kibana_access->true, headers->true, indices->true, proxy_auth->true, kibana_hide_apps->true]] }
[2018-05-25T09:20:26,132][INFO ][t.b.r.a.ACL              ]

However, after setting up ROR and setting up the readonlyrest proxy settings as suggested, I am still getting the Login Page with a FORBIDDEN 403 on the Kibana after attempting the SAME NGINX>Kibana Redirect.
It looks like ES Logs are now showing a new error and feels like the custom headers injected by NGINX after installing ROR are not being passed:

[2018-05-25T10:36:34,380][INFO ][t.b.r.a.ACL              ] FORBIDDEN by default req={ ID:2038995451-1543779375#12703, TYP:NodesInfoRequest, CGR:N/A, USR:ABC123, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{Connection=close, content-length=0, Host=localhost:9200, x-forwarded-user=ABC123}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [Global Write/Admin Access->[auth_key->false]], [Route53 Access->[x_forwarded_for->false]], [::NGINX-RESTRICTED-GROUP::->[kibana_access->true, headers->false, proxy_auth->true]], [::NGINX-READONLY-GROUP::->[headers->false, kibana_access->true, proxy_auth->true]], [::NGINX-READWRITE-GROUP::->[kibana_access->true, headers->false, proxy_auth->true]] }

This is my Kibana YML:

server.host: localhost
elasticsearch.url: http://localhost:9200
elasticsearch.username: "kibana"
elasticsearch.password: “kibana”

elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user, x-access-group ]
readonlyrest_kbn.proxy_auth_passthrough: true
readonlyrest_kbn.custom_logout_link: “https://localhost:5100/logout


(Simone Scarduzio) #4

Yep, I found the issue in the code of the Kibana plugin. The headers rule is a new thing, and the plugin was not sending across ALL the headers to ES. Just X-Forwarded-User.

Will fix this, and send you a patch tomorrow.


(Roger Seth) #5

thank you. I’ll await the build!