Provide Kibana Login Page for ROR OSS version

:bulb: Provide Kibana Login Page for ROR OSS version

This idea is coming out of an issue that was recently encountered due to a change in ROR behavior on how not-authorized cases are handled in version 1.19.0. Though the awesome ROR team is anyway fixing that issue in the ROR OSS version, that thread raised a genuine point on why ROR shouldn’t make the login page available in the OSS version. So I am throwing out that idea here instead of tracking it on the other thread, so that this request can be tracked separately and others can chime in.

To give some background, till version 6.8.0, the Elasticsearch team treated security as a premium feature and did not ship it with their core product. It was part of their X-Pack subscription. This meant that unless you had one of the Gold/Platinum/Enterprise subscriptions and still wanted to secure your cluster, you had to rely on setting up a reverse proxy or 3rd party plugins like ROR and Searchguard (to name a few) to ensure that your clusters are secure. Both ROR and Searchguard also provided different flavors of their plugins (starting from free to different commercial license models) to meet different customer needs.

If you Google, you will find several instances of Elasticsearch security breaches and ransom attacks that were purely attributed to people running unsecured clusters. Though multiple such instances themselves did not push Elasticsearch to make security available as a core feature of their free version, the arrival of Open Distro for Elasticsearch and Elastic’s own push for cloud offerings and direct competition with AWS Elasticsearch seem to have made the difference in their decision making. (I fully take the responsibility of stating that this may be pure conjecture on my part as I am not privy to their decision making process :slight_smile: , but I have strong reasons to believe that this was the case, irrespective of what reasons are publicly stated).

Now, irrespective of how they arrived at this decision, it was a good decision from the Elasticsearch community perspective that Elasticsearch started shipping security with their basic license (which is free for lifetime), which also includes a login page in Kibana. Open Distro also ships with a security plugin which comes with a login page for Kibana. So the logical question is: is it too much to ask for ROR to have the Kibana login page also made available for the OSS version?

I know that it’s available in the pro version of the Kibana plugin. But the pro version has several other features. Given that the core product plus the competition are providing the login page with their free versions, does it make sense for ROR to stop treating the login page as a vanity feature (this may have been a differentiator 3 years back) and make it available with the OSS version?

I am not going to get greedy and ask for too many features to be included with the free Kibana plugin and will leave that decision in the capable hands of the ROR team to decide what all they want to include with it. For the time being, I am limiting my request to providing the login page and the next step of integration with Kibana so that it receives the id/pwd for further use.

As an added bonus, I believe that having this login page will most probably allow @sscarduzio to close this 4 year old issue that elastic never addressed in Kibana.

Thanks!

:eyes: Example

Existing login page from Kibana Pro is good enough :wink:

:rocket: Let’s do this?


@askids thank you for bringing this up. I think you are right, it makes a ton of sense.
And by the way thanks for all your contributions to this community during the years. :partying_face:

Here, I put together a prototype of ReadonlyREST Free for Kibana:

readonlyrest_kbn_free
Get it while it’s hot :fire: :wink:

This is a free, yet stripped down version of ROR PRO. It represents a basic, but pretty complete end to end solution for a secure Kibana user experience.

Early 2020 ROR Kibana product lineup

All below capabilities rely on the installation of both Elasticsearch Free (or Embedded) and the respective Kibana ROR plugin editions.

We will add more features to Enterprise later during the year.

:star: Features included in ROR Free

  • Login form
  • Session management with encrypted cookies
  • Logout button
  • Clusterwide settings (only in demo mode)
  • Audit log demo dashboard (still WIP)
  • Login with JWT (as a header or query parameter)
  • Proxy passthrough mode (i.e. nginx + x-forwarded-user)
  • Read only mode: hides “save”, “delete” and other UI elements. Obviously also blocks API access accordingly.
  • LDAP backed authentication/authorization (HA mode, SSL “ldaps” mode included)

:star::star: Features that are in PRO

  • All features in Free :arrow_backward:
  • Full CSS/JS customisation of the login form
  • Full CSS/JS customisation of the Kibana UI (:new: previously only Enterprise!)
  • Hiding some Kibana apps to certain users or groups
  • Clusterwide security settings YAML editor for administrators from within Kibana

:star::star::star: Features only in ROR Enterprise:

  • All features in PRO :arrow_backward:
  • Kibana tenancy segregation: associate a different “.kibana” index to users or groups
  • Users or groups can hop between tenancies with a drop down menu
  • SAML SSO/SLO authentication and authorization (multiple servers supported)
  • Priority support (SLA guaranteed response time + private communication via email or forum PMs)
  • Soon more to come

This is fantastic. BTW, I am happy to contribute, whenever I get time :slight_smile:

But it looks like I am late to get the link. I am getting a SignatureDoesNotMatch error when I try downloading. Can you please provide a new link?


Updated the link, should be working for a few days until we release the GA builds.

Thanks. Also, does the ROR Kibana plugin enforce the same version matching that ES does for Kibana? For example, if I try this version readonlyrest_kbn_free-1.19.1-pre7_es7.5.0, does the ROR ES plugin version have to match, or can I try it with a different ROR version like 1.19.0? If it has to match, can you please also provide a link to the corresponding ROR ES plugin?

I think in this special case it will work ok, but we don’t guarantee the compatibility across versions, in general.

Great. I will try it and let you know. Thank you!


I have ROR 1.19.0 on a test cluster with 7.5 with 2 nodes: one node has both ES and Kibana, the other just has ES. Both are on Windows 2012 R2. I installed the Kibana plugin and added kibana_access: admin, and moved the ACL block to the top of the list. This uses LDAP. After I enter the id/pwd and hit enter, I can see ALLOWED in the ES log file for this block. But I can’t go beyond the login page.

Once I hit enter, the URL in browser is updated to https://myurl:5601/login?nextUrl=/ and from here it spins forever. Am I missing any configuration?

I am seeing the below error in the Kibana error logs.

{"type":"error","@timestamp":"2020-02-14T22:54:48Z","tags":["warning","process"],"pid":8928,"level":"error","error":{"message":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)","name":"UnhandledPromiseRejectionWarning","stack":"UnhandledPromiseRejectionWarning: ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)\n    at emitWarning (internal/process/promises.js:81:15)\n    at emitPromiseRejectionWarnings (internal/process/promises.js:120:9)\n    at process._tickCallback (internal/process/next_tick.js:69:34)"},"message":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"}
{"type":"error","@timestamp":"2020-02-14T22:54:48Z","tags":["warning","process"],"pid":8928,"level":"error","error":{"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)","name":"UnhandledPromiseRejectionWarning","stack":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)"}

Thanks!

Hi, no, it’s a bug. I updated the link in the same post with the pre9.

@sscarduzio thanks for the quick fix. But you had originally provided the plugin for 7.5.0 (even though link said 7.5.2). Can you please provide the updated version built for 7.5.0?

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.19.1-pre9/free/readonlyrest_kbn_free-1.19.1-pre9_es7.5.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20200215/eu-west-1/s3/aws4_request&X-Amz-Date=20200215T115802Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=7589f51320ede34cb71d1840fcfdadefd7028fb97a8e6aaf27a132497d9fe82e

I am able to log in now. Will take it for a spin. Quick question: can I use kibana_hide_apps in the free version? I am asking mainly for the plugin app, as I want that to be visible only to admin.

Also, the logout button is only visible when I go to the ROR app, and it appears at the right bottom as a standalone button. Shouldn’t the logout button always be visible at the left bottom irrespective of which app the user is currently in?

Planning to add the below 3 settings to kibana.yml:

readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
readonlyrest_kbn.cookiePass: "generatedStringIn1step"
readonlyrest_kbn.store_sessions_in_index: true

Also need to move admin to the top and add kibana_access: ro to all users who shouldn’t have access to the others. Anything else that I am missing?
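As an added illustration (not code from this thread or from the ReadonlyREST project), the script below reads the three readonlyrest_kbn.* settings discussed above from a constructed kibana.yml fragment and applies the checks a reviewer would make before deploying them: that cookiePass is no longer the placeholder literal and is long enough, that each whitelistedPaths regex does not also match authenticated Kibana paths, and that store_sessions_in_index is a real YAML boolean. The flat key/value parser, the 32-character minimum, the list of sample sensitive paths and the assumption that the whitelist is matched with re.search semantics are all choices of this example, not ReadonlyREST behaviour.

```python
import re
import secrets

# Constructed kibana.yml fragment mirroring the three settings planned in the thread.
SAMPLE_KIBANA_YML = """\
server.port: 5601
readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
readonlyrest_kbn.cookiePass: "generatedStringIn1step"
readonlyrest_kbn.store_sessions_in_index: true
"""

PLACEHOLDER_COOKIE_PASS = "generatedStringIn1step"  # literal from the thread, not a secret
MIN_COOKIE_PASS_LEN = 32  # assumption: this example's own policy, not a ROR requirement
# Constructed sample of paths that must never be reachable without a session.
SENSITIVE_PATHS = ["/app/kibana", "/login", "/api/saved_objects/_find", "/api/console/proxy"]


def _coerce(value):
    """Turn a scalar/inline-list token into a Python value (quoted str, bool, list)."""
    if value.startswith("[") and value.endswith("]"):
        inner = value[1:-1].strip()
        return [_coerce(v.strip()) for v in inner.split(",")] if inner else []
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def parse_flat_yaml(text):
    """Parse top-level `key: value` lines, the flat form kibana.yml normally uses.
    Assumptions: no nested mappings, inline lists only, '#' never appears inside a value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = _coerce(value.strip())
    return settings


def make_cookie_pass():
    """Generate a fresh cookie encryption secret (64 URL-safe characters)."""
    return secrets.token_urlsafe(48)


def audit_ror_kibana_settings(settings):
    """Return a list of human-readable findings; an empty list means the settings pass."""
    findings = []

    cookie_pass = settings.get("readonlyrest_kbn.cookiePass", "")
    if (not isinstance(cookie_pass, str) or cookie_pass == PLACEHOLDER_COOKIE_PASS
            or len(cookie_pass) < MIN_COOKIE_PASS_LEN):
        findings.append("readonlyrest_kbn.cookiePass: replace the placeholder with a generated "
                        f"secret of at least {MIN_COOKIE_PASS_LEN} characters")

    paths = settings.get("readonlyrest_kbn.whitelistedPaths", [])
    if isinstance(paths, str):
        paths = [paths]
    for pattern in paths:
        try:
            rx = re.compile(pattern)
        except re.error as exc:
            findings.append(f"readonlyrest_kbn.whitelistedPaths: {pattern!r} is not a valid regex ({exc})")
            continue
        # Worst-case (search, not fullmatch) semantics: flag any sensitive path the pattern reaches.
        leaked = [p for p in SENSITIVE_PATHS if rx.search(p)]
        if leaked:
            findings.append(f"readonlyrest_kbn.whitelistedPaths: {pattern!r} also matches {leaked}")

    if not isinstance(settings.get("readonlyrest_kbn.store_sessions_in_index"), bool):
        findings.append("readonlyrest_kbn.store_sessions_in_index: expected a YAML boolean")

    return findings


if __name__ == "__main__":
    planned = parse_flat_yaml(SAMPLE_KIBANA_YML)
    for finding in audit_ror_kibana_settings(planned):
        print("planned:", finding)
    hardened = dict(planned, **{"readonlyrest_kbn.cookiePass": make_cookie_pass()})
    print("hardened findings:", audit_ror_kibana_settings(hardened))
```

Run as-is, the planned fragment produces exactly one finding (the placeholder cookiePass), and the same settings with a generated secret produce none; swapping the whitelist for an over-broad pattern such as ".*" produces a finding listing the authenticated paths it would expose.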

The app hiding is not in Free, but it is there in PRO and Enterprise.
The logout button visibility is a bug. Will fix.
The settings look ok.

@sscarduzio Should I always have 2 blocks: one for kibana_access without any indices/action, and a 2nd block (the already existing entry) for the indices/action?

Also, when is the logout button fix planned?

I already fixed the button issue earlier today.
About the settings advice, show me your settings, and tell me what you want to achieve. Maybe in another topic?

Sure. I will create a separate topic for the Kibana ROR settings.

BTW, when is the logout button fix planned to be released? I am assuming that it will be part of 1.19.2. We are in the middle of upgrading ES, so I am trying to figure out if I should wait for a version with support for 7.6 or just wait for the logout button fix on the lower version (7.5.2). Please let me know so that I can plan accordingly.

Thanks!

1.19.2 has just been released! 7.6.0 failed to build somehow, but I will have a look and it will be available soon.

EDIT: now available

Thanks @sscarduzio. I will give it a try tomorrow.

I just tried it with 7.6.0. Now the button is always visible irrespective of which app the user is on.

But it’s coming up in the right bottom section of the page. Is this expected? Shouldn’t it be on the left bottom?


Only for very old versions. You might have been misguided by our old screenshots. Sorry.