User authentication issues with Kibana

pk.241011 · March 17, 2017, 5:30am

Hi,
I am trying out the wonderful plugin you have written. Kudos.

There is one thing which I am not able to work.
I tried to allow kibana full access granted via HTTP authentication as per your documentation. This was the initial configuration. The last block is the one for kibana.

readonlyrest:
 enable: true
 response_if_req_forbidden: Access denied!!!

 access_control_rules: 

- name: "Accept all requests from localhost"
  type: allow
  hosts: [XX.XX.XX.XX]

- name: "::Log user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["indices:data/write/*"]
  indices: ["log-*"]

- name: "::Kibana user::"
  auth_key_sha256: ** 
  type: allow

But this did not work.

log [04:47:37.764] [info][status][plugin:kibana@5.2.2] Status changed from uninitialized to green - Ready
log [04:47:37.811] [info][status][plugin:elasticsearch@5.2.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [04:47:37.852] [error][status][plugin:elasticsearch@5.2.2] Status changed from yellow to red - Authentication Exception
log [04:47:38.092] [info][status][plugin:timelion@5.2.2] Status changed from uninitialized to green - Ready
log [04:47:38.102] [info][listening] Server running at http://blahblah:5601
log [04:47:38.103] [error][status][ui settings] Status changed from uninitialized to red - Elasticsearch plugin is red

So I had to explicitly give all the permissions as below

readonlyrest:
enable: true
response_if_req_forbidden: Access denied!!!

access_control_rules: 

- name: "Accept all requests from localhost"
  type: allow
  hosts: [XX.XX.XX.XX]

- name: "::Log user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["indices:data/write/*"]
  indices: ["log-*"]

- name: "::Kibana user::"
  auth_key_sha256: ** 
  type: allow
  actions: ["cluster:*", "indices:*"]
  indices: [".kibana*","log-*"]

Am I doing something wrong?

sscarduzio · March 17, 2017, 2:16pm

Use kibana_access: rw for allowing browsers to login.

Remember to configure kibana.yml with the credentials of a full access user (find the example in GitHub Readme.md)

If stuff is not working, the output of Elasticsearch log will have plenty of information on what block and what rules have matched (HST field)

Finally, once you make this work, remember to configure HTTPS because basic auth has clear text credentials.

pk.241011 · April 4, 2017, 5:24am

It is working now. I wrote a small blog post (link) on my specfic use case of creating user for creating index and pushing data into it only. And giving that user no other privileges including read privileges.

sscarduzio · April 4, 2017, 2:54pm

Awesome! Thanks for blogging this

BTW, even if it works right now, I still believe you should have used:

    kibana_access: rw
    indices: [".kibana*", "log-*"]

instead of:

    actions: ["cluster:*", "indices:*"]
    indices: [".kibana*","log-*"]`

Because the kibana_access would limit access to just read actions to indices other than “.kibana”.

pk.241011 · April 5, 2017, 1:19am

Thanks for that. Updated the blog. Just wanted to confirm one thing.

This mean that it has read-write access to kibana indices and read-only access to others.
Right?
What happens to indices like “NotMatching-3434”. I guess these will not show up for this particular user.

presto9292 · April 5, 2017, 6:48am

@pk.241011
I noticed you have this

name: “Accept all requests from localhost”
type: allow
hosts: [XXX.XX.XXX.XXX]

If kibana is on same host as ES wouldn’t this shortcut all other rules ?
I would expect no basic authentication popup because all browser initiated requests to ES will show origin 127.0.0.1 regardless of index or usr due to kibana’s proxying

sscarduzio · April 5, 2017, 10:37am

that is correct, other indices whose name don’t match any string or wildcard in the the indices rule will never be returned. If tried to be accessed specifically, a 403 or 401 HTTP status code will be returned (and no content of course)

pk.241011 · April 5, 2017, 3:39pm

@presto9292 Yeah that is right but in my case Kibana is not running on the machines running Elasticsearch.

sscarduzio · April 5, 2017, 4:34pm

You should have configured the Kibana basic auth and added an auth_key_sha256 to the block for the Kibana daemon

pk.241011 · April 5, 2017, 4:50pm

Yes I missed out on that one totally. Initial testing was done with kibana running on same box and elasticsearch. Fixed it in blog. Now added the kibana daemon section. Documentation can do with some improvements. Let me know if you want some help.