Provide Kibana Login Page for ROR OSS version

@askids thank you for bringing this up. I think you are right, it makes a ton of sense.
And by the way thanks for all your contributions to this community during the years. :partying_face:

Here, I put together a prototype of ReadonlyREST Free for Kibana:

readonlyrest_kbn_free
Get it while it’s hot :fire: :wink:

This is a free, yet stripped down version of ROR PRO. It represents a basic, but pretty complete end to end solution for a secure Kibana user experience.

Early 2020 ROR Kibana product lineup

All below capabilities rely on the installation of both Elasticsearch Free (or Embedded) and the respective Kibana ROR plugin editions.

We will add more features to Enterprise later during the year.

:star: Features included in ROR Free

  • Login form
  • Session management with encrypted cookies
  • Logout button
  • Clusterwide settings (only in demo mode)
  • Audit log demo dashboard (still WIP)
  • Login with JWT (as a header or query parameter)
  • Proxy passthrough mode (i.e. nginx + x-forwarded-user)
  • Read only mode: hides “save”, “delete” and other UI elements. Obviously also blocks API access accordingly.
  • LDAP backed authentication/authorization (HA mode, SSL “ldaps” mode included)

:star::star: Features that are in PRO

  • All features in Free :arrow_backward:
  • Full CSS/JS customisation of the login form
  • Full CSS/JS customisation of the Kibana UI (:new: previously only Enterprise!)
  • Hiding some Kibana apps to certain users or groups
  • Clusterwide security settings YAML editor for administrators from within Kibana

:star::star::star: Features only in ROR Enterprise:

  • All features in PRO :arrow_backward:
  • Kibana tenancy segregation: associate a different “.kibana” index to users or groups
  • Users or groups can hop between tenancies with a drop down menu
  • SAML SSO/SLO authentication and authorization (multiple servers supported)
  • Priority support (SLA guaranteed response time + private communication via email or forum PMs)
  • Soon more to come

This is fantastic. BTW, I am happy to contribute, whenever I get time :slight_smile:

But it looks like I am late to get the link. I am getting a SignatureDoesNotMatch error when I try downloading. Can you please provide a new link?

Updated the link, should be working for a few days until we release the GA builds.

Thanks. Also, does the ROR Kibana plugin enforce same version matching like ES does for Kibana? For example, if I try this version readonlyrest_kbn_free-1.19.1-pre7_es7.5.0, does the ROR ES plugin version have to match or can I try with a different ROR version like 1.19.0? If it has to match, can you please also provide a link to the corresponding ROR ES plugin.

I think in this special case it will work ok, but we don’t guarantee the compatibility across versions, in general.

Great. I will try it and let you know. Thank you!

I have ROR 1.19.0 on a test cluster with 7.5 with 2 nodes - one node has both ES and Kibana. The other just has ES. Both are on Windows 2012 R2. I installed the Kibana plugin and added kibana_access: admin, moved the ACL block to top of the list. This uses LDAP. After I enter the id/pwd and hit enter, I can see ALLOWED in the ES log file for this block. But I can't go beyond the login page.

Once I hit enter, the URL in browser is updated to https://myurl:5601/login?nextUrl=/ and from here it spins forever. Am I missing any configuration?

I am seeing the below error in the Kibana error logs.

{"type":"error","@timestamp":"2020-02-14T22:54:48Z","tags":["warning","process"],"pid":8928,"level":"error","error":{"message":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)","name":"UnhandledPromiseRejectionWarning","stack":"UnhandledPromiseRejectionWarning: ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)\n    at emitWarning (internal/process/promises.js:81:15)\n    at emitPromiseRejectionWarnings (internal/process/promises.js:120:9)\n    at process._tickCallback (internal/process/next_tick.js:69:34)"},"message":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"}
{"type":"error","@timestamp":"2020-02-14T22:54:48Z","tags":["warning","process"],"pid":8928,"level":"error","error":{"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)","name":"UnhandledPromiseRejectionWarning","stack":"ReferenceError: kibanaTemplateIndex is not defined\n    at buildIdentityFromPayload (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:235:7)\n    at enrichFromES (D:\\Apps\\Program Files\\kibana-7.5.0-windows-x86_64\\plugins\\readonlyrest_kbn\\server\\routes\\lib/identityManager.js:247:21)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"message":"Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)"}

Thanks!

Hi, no it’s a bug. I updated the link in the same post with the pre9

@sscarduzio thanks for the quick fix. But you had originally provided the plugin for 7.5.0 (even though link said 7.5.2). Can you please provide the updated version built for 7.5.0?

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.19.1-pre9/free/readonlyrest_kbn_free-1.19.1-pre9_es7.5.0.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20200215/eu-west-1/s3/aws4_request&X-Amz-Date=20200215T115802Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=7589f51320ede34cb71d1840fcfdadefd7028fb97a8e6aaf27a132497d9fe82e

I am able to login now. Will take it for a spin. Quick question, can I use kibana_hide_apps in the free version? I am asking it mainly for plugin app as I want that to be visible only to admin.

Also, the logout button is only visible when I go to the ROR app, and it appears on the right bottom as a standalone button. Shouldn’t the logout button be always visible on the left bottom irrespective of which app the user is currently in?

Planning to add below 3 to kibana.yml
readonlyrest_kbn.whitelistedPaths: [".*/api/status$"]
readonlyrest_kbn.cookiePass: "generatedStringIn1step"
readonlyrest_kbn.store_sessions_in_index: true

Also need to move admin to top and add kibana_access: ro to all users who shouldn’t have access to other. Anything else that I am missing?

The app hiding is not in Free, but is there in PRO and Enterprise.
The logout button visibility is a bug. Will fix.
The settings look ok.

@sscarduzio Should I always have 2 blocks - one for kibana_access without any indices/action and 2nd block (already existing entry) for the indices/action?

Also, when is the logout button fix planned?

I already fixed the button issue earlier today.
About the settings advice, show me your settings, and tell me what you want to achieve. Maybe in another topic?

Sure. I will create a separate topic for the Kibana ROR settings.

BTW, when is the logout button fix planned to be released? I am assuming that it will be part of 1.19.2. We are in between upgrading ES. So trying to figure out, if I should wait for a version with support for 7.6 or should I just wait for the logout button fix on lower version (7.5.2). Please let me know so that I can plan accordingly.

Thanks!

1.19.2 has just been released! 7.6.0 failed to build somehow, but I will have a look and it will be available soon.

EDIT: now available

Thanks @sscarduzio. I will give it a try tomorrow.

I just tried it with 7.6.0. Now the button is always visible irrespective of which app the user is on.

But it's coming on the right bottom section of the page. Is this expected? Shouldn’t it be on the left bottom?

Only for very old versions. You might have been misguided by our old screenshots. Sorry.

Yes. I was going by the old screenshot :slight_smile: . Now that Kibana always collapses the left side panel, it makes sense to move it out from that panel.

But I had a slightly different opinion. Currently, it is positioned on the right bottom (almost looking like a floating button). I know that it can be further collapsed as well. But in many cases, it may appear on top of a dashboard, which doesn’t seem to be a good user experience. Can you please look at adding it to the right top (either as highlighted or after the mail icon)?

Also, if you choose to retain the color scheme on the button, you may want to update it to match the corresponding Kibana color scheme. I think the current color matches the v5 color. V6 and above has it a bit darker :smiley:

Also, one other issue that I found, not related to ROR, but Kibana plugins in general for v7.6. Not sure if this is from a recent change or whether this issue was always there. For the ES plugin, we could run the elasticsearch-plugin install command from anywhere by giving the full path. However, for the Kibana plugin, it expects the corresponding kibana-plugin command to be run from the Kibana home folder only. If we try to execute it like the ES plugin command with the full path, it throws an error and will fail during plugin install. So either we need to change directory to Kibana home or set the Kibana home folder as the working folder before executing the bin\kibana-plugin command. If this is from a recent release, it may be better to add this to the Kibana plugin documentation.

Thanks!