User authentication issues with Kibana


(PK) #1

Hi,
I am trying out the wonderful plugin you have written. Kudos.

There is one thing which I am not able to work.
I tried to allow kibana full access granted via HTTP authentication as per your documentation. This was the initial configuration. The last block is the one for kibana.

readonlyrest:
 enable: true
 response_if_req_forbidden: Access denied!!!

 access_control_rules: 

- name: "Accept all requests from localhost"
  type: allow
  hosts: [XX.XX.XX.XX]

- name: "::Log user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["indices:data/write/*"]
  indices: ["log-*"]

- name: "::Kibana user::"
  auth_key_sha256: ** 
  type: allow

But this did not work.

log [04:47:37.764] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
log [04:47:37.811] [info][status][plugin:[email protected]] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [04:47:37.852] [error][status][plugin:[email protected]] Status changed from yellow to red - Authentication Exception
log [04:47:38.092] [info][status][plugin:[email protected]] Status changed from uninitialized to green - Ready
log [04:47:38.102] [info][listening] Server running at http://blahblah:5601
log [04:47:38.103] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red

So I had to explicitly give all the permissions as below

readonlyrest:
enable: true
response_if_req_forbidden: Access denied!!!

access_control_rules: 

- name: "Accept all requests from localhost"
  type: allow
  hosts: [XX.XX.XX.XX]

- name: "::Log user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["indices:data/write/*"]
  indices: ["log-*"]

- name: "::Kibana user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["cluster:*", "indices:*"]
  indices: [".kibana*","log-*"]

Am I doing something wrong?


(Simone Scarduzio) #2

Use kibana_access: rw for allowing browsers to login.

Remember to configure kibana.yml with the credentials of a full access user (find the example in GitHub Readme.md)

If stuff is not working, the output of Elasticsearch log will have plenty of information on what block and what rules have matched (HST field)

Finally, once you make this work, remember to configure HTTPS because basic auth has clear text credentials.


(PK) #3

It is working now. I wrote a small blog post (link) on my specfic use case of creating user for creating index and pushing data into it only. And giving that user no other privileges including read privileges.


(Simone Scarduzio) #4

Awesome! Thanks for blogging this :slight_smile:

BTW, even if it works right now, I still believe you should have used:

    kibana_access: rw
    indices: [".kibana*", "log-*"]

instead of:

    actions: ["cluster:*", "indices:*"]
    indices: [".kibana*","log-*"]`

Because the kibana_access would limit access to just read actions to indices other than “.kibana”.


(PK) #5

Thanks for that. Updated the blog. Just wanted to confirm one thing.

This mean that it has read-write access to kibana indices and read-only access to others.
Right?
What happens to indices like “NotMatching-3434”. I guess these will not show up for this particular user.


#6

@pk.241011
I noticed you have this

  • name: "Accept all requests from localhost"
    type: allow
    hosts: [XXX.XX.XXX.XXX]

If kibana is on same host as ES wouldn’t this shortcut all other rules ?
I would expect no basic authentication popup because all browser initiated requests to ES will show origin 127.0.0.1 regardless of index or usr due to kibana’s proxying


(Simone Scarduzio) #7

that is correct, other indices whose name don’t match any string or wildcard in the the indices rule will never be returned. If tried to be accessed specifically, a 403 or 401 HTTP status code will be returned (and no content of course)


(PK) #8

@presto9292 Yeah that is right but in my case Kibana is not running on the machines running Elasticsearch.


(Simone Scarduzio) #9

You should have configured the Kibana basic auth and added an auth_key_sha256 to the block for the Kibana daemon


(PK) #10

Yes I missed out on that one totally. Initial testing was done with kibana running on same box and elasticsearch. Fixed it in blog. Now added the kibana daemon section. Documentation can do with some improvements. Let me know if you want some help.