Make Kibana read only for domain other than localhost

I am running a very basic Elastic and Kibana stack (latest 5.4.2 version). Both run on the default address, localhost:9200 and localhost:5601. This is on a dedicated debian server.

We also have nginx installed, which is set up as a reverse proxy. So metrics.myproject.com (example) actually loads localhost:5601.

I have successfully installed the readonlyrest ES (free) plugin, with matching version. When Elastic starts, I can see in its log, that the plugin and rule blocks are loaded. What I have as rules are from the doc sample:

readonlyrest:
  access_control_rules:

  - name: "Block 1 - Allowing anything from localhost"
    hosts: [127.0.0.1]

  - name: "Block 2 - Other hosts can only read certain indices"
    actions: ["indices:data/read/*"]
    indices: ["logstash-*"] # aliases are taken into account!

Of course the indices are changed to what I have in ES.

Question:

If I visit my Kibana dashboard through the metrics.myproject.com, it is not read only. I can still edit/save visualizations and dashboards.

My guess is that this is due to the fact that Kibana itself runs on localhost:5601, so all requests going to Elastic are coming from localhost which is allowed all access.

What do I need to change in my setup to:

1. make Kibana through metrics.myproject.com read only?
2. enter the server/dashboard through ssh and localhost:5601, and keep its full access?

Thanks.

If you use a reverse proxy, all the HTTP traffic will appear coming from localhost.
I would say in your setup you don’t benefit from using the hosts rule at all, as everything comes from localhost.

So remove this:

Let the Kibana server log in with its own set of credentials using the auth_key_sha256 rule.
Let the browsers log in using their own credentials too. Just stay away from hosts rule.

Thanks for the quick reply! Are there any examples around? I think I can manage the Kibana server log in, I will just need to add this to the kibana.yml right? And then add this to the readonlyrest config in elasticsearch.yml? If you have an example, what to change where, it would really help me.

As for the second part, can I put that on nginx?

See this example, it’s perfect for your case.

Yes, you can delegate authentication to Nginx so that it propagates the identity of the authenticated user as an extra header, then you can create ACL blocks based on that identity using proxy_auth.

You can forward even more information from Nginx if you have it, pass it in the headers and then use dynamic variables in your rules…

But you don’t have to use Nginx to authenticate users, ReadonlyREST handles users and groups internally and has a lot of possibilities to hook up with external authentication and authorization systems…

Thank you so much for your help so far. I am going to look into that use case you linked to, it makes sense looking at it. I’ll let you know when I’m successful in setting this up.

I have the configuration in place and it works like a charm. I had to replace the logstash indices with my own. I also had to add the kibana user to my bash/python script(s) which are scheduled to load data into Elasticsearch.

I’m going to do some testing, then replace auth_key with auth_key_sha256 and I should be all up and running and ready to open up the full dashboard.

Quick question: Do you have any idea why I have to login twice, through the browser? For RW or RO access.


This is a known bug in Kibana core. The problem is they don’t have any motivation to fix it because x-pack uses cookies to authenticate browsers.

And this is one of the big reasons we started the development of the Kibana plugin (ReadonlyREST PRO) which for the project was a really healthy decision because it opened up a nice green field for more features and innovation.

Hi @anon539667

I have set up Elasticsearch and Kibana and prepared different monitoring dashboards. So how can I lock my dashboard so the dashboard is visible to all, and they can even apply filters and visualize, but it shouldn’t change the original dashboard, so when they open the dashboard again it should be the original one? It would be helpful if you can help me to resolve this as I think you have already implemented that in your project. Thank you in advance. - Sam

Hello @Sam

I followed the use case available at GitHub - sscarduzio/elasticsearch-readonlyrest-plugin: Free Elasticsearch security plugin and Kibana security plugin: super-easy Kibana multi-tenancy, Encryption, Authentication, Authorization, Auditing.

I did not use the SSL and Logstash blocks, but all the rest. Notice the KIBANA-SRV with user:password both kibana. You will need to set a user and password in your kibana.yml. Then of course also for the RW and RO blocks.

I set up an nginx reverse proxy for the read-only access, linking to the RO block. You can have nginx pass that authentication (see How to use nginx to proxy to a host requiring authentication? - Server Fault).

I have VPN access to the server, so I can access the dashboard through localhost:5601 which will give me the auth popup, so I can enter the RW credentials. Everyone else (public) goes through a URL and the reverse proxy, and logs in automatically.

That RO block then puts all dashboards in read-only.

Does all of this make sense?


Hi @anon539667
Thank you for replying promptly. That makes a lot of sense. So how did you set up the nginx reverse proxy for read only? I have installed nginx and now what should be changed in the nginx.conf file to make it read only?
Thanks in advance
Sam

Here is an example for your nginx config: How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 14.04 | DigitalOcean

Check the second link (Server Fault) in my previous post, to add the line that adds the http auth to this config.

Nginx only directs traffic to your kibana dashboard, and adds the read only credentials. The Read only Rest plugin contains the authentication to actually put kibana in read only mode. It depends on those credentials nginx passes on.

tip: use safe passwords (sha256), the plugin supports this

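An nginx server block for the read-only path described in the post above, added here as an example (it is not from the thread, the DigitalOcean guide or the plugin's docs). It assumes a read-only user `ro` with password `ro_password` defined in an RO block of readonlyrest.yml, and that the plugin checks the same `user:password` pair that Kibana forwards.

```nginx
# Public hostname from the thread; proxied to the local Kibana instance.
server {
    listen 80;
    server_name metrics.myproject.com;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Replace whatever Authorization header the browser sent with the
        # read-only user's Basic credentials, so every request arriving at
        # Kibana (and from Kibana at Elasticsearch) matches the RO block.
        # Value is base64("ro:ro_password"), constructed for this example:
        #   printf '%s' 'ro:ro_password' | base64
        proxy_set_header Authorization "Basic cm86cm9fcGFzc3dvcmQ=";
    }
}
```

The RW path stays separate: localhost:5601 reached over SSH or VPN does not pass through this server block, so the browser still gets the auth prompt and the RW credentials apply. If the RO block uses auth_key_sha256 instead of auth_key, the hash is computed over the same `ro:ro_password` string (assumed from the plugin docs), for example with `printf '%s' 'ro:ro_password' | sha256sum`.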

@hepamela I have the feeling that @anon539667’s solution would be nice for your embedded dashboards. You could proxy the embeddable URLs via nginx which will inject RO credentials. What do you think?

@anon539667 Thank you so much. I will try to implement as you advised and will get back to you if I have further questions :)


Hi @sscarduzio @anon539667,

They pass the authorization through the header but they don’t use the ROR Kibana API. We’ve tried but we only get the login page, and we need to pass it through the Kibana API and get the iframe.

How can we do this with Nginx? Thanks.

Oh yeah, you’re right, you’d have to inject the cookie header rather than the authorization header. Still possible!