How to set authentication in kibana

别那么骄傲 2020-12-05 17:19

Is it possible to enable authentication in Kibana in order to restrict access to a dashboard to only be accessible to particular users?

5 Answers
  • 2020-12-05 17:35

    Check this plugin named elasticsearch-readonlyrest. It allows easy access control by authentication or IP/network, x-forwarded-for header, and allows one to set up read-write or read-only access in Kibana and limit index access per user. It is simple to set up and should give enough control for most people.

    If more control is needed, you can use Search Guard, a free alternative to Shield.

    0 Comments (0)
  • 2020-12-05 17:37

    Old question, but I wanted to add that there is an open source version of ELK from AWS. You might be able to use the plugin in the version from elastic.co. https://github.com/opendistro-for-elasticsearch/security

    0 Comments (0)
  • 2020-12-05 17:41

    Kibana 4 doesn't currently support this.

    0 Comments (0)
  • 2020-12-05 17:46

    Kibana itself doesn't support authentication or restricting access to dashboards.

    You can restrict access to Kibana 4 using nginx as a proxy in front of Kibana as described here: https://serverfault.com/a/345244. Just set proxy_pass to port 5601 and disable this port on the firewall for others. This will completely enable or disable Kibana.

    Elastic also has a tool called Shield which enables you to manage the security of Elasticsearch. With Shield you can, for example, allow someone to analyze data in specific indexes with read-only permissions. https://www.elastic.co/products/shield

    Edit: Elastic has an issue on GitHub and they recommend using Shield.

    1. Install Shield (plugin for elasticsearch) following these instructions
    2. Configure roles for Kibana users
    3. Configure Kibana to work with Shield

    Remember that Shield provides only index-level access control. That means user A will be able to see all dashboards, but some of them will be empty (because he doesn't have access to all indices).

    0 Comments (0)
  • 2020-12-05 17:46

    I have achieved authentication by installing haproxy.

    1. Restrict Kibana to localhost

    $ sudo nano /etc/kibana/kibana.yml

    server.host: "localhost"

    2. Install haproxy on the same machine where Kibana is installed

    $ sudo apt update && sudo apt install haproxy

    $ sudo nano /etc/haproxy/haproxy.cfg

    global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 10m
        timeout client  10m
        timeout server  10m
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    userlist UsersFor_Kibana
        user kibana insecure-password myPASSWORD

    frontend localnodes
        bind *:80
        mode http
        default_backend nodes

    backend nodes
        acl AuthOkay_Kibana http_auth(UsersFor_Kibana)
        http-request auth realm Kibana if !AuthOkay_Kibana
        mode http
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        server server1 127.0.0.1:5601 check
    

    Username: "kibana", password: "myPASSWORD"

    When you browse to http://IP:80, a pop-up will appear for authentication.

    0 Comments (0)
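
A hardened variant of the `userlist`, `frontend` and `backend` sections from the HAProxy answer above, as an added example that is not part of the original answer: Basic credentials are requested only over TLS, and the userlist stores a crypt hash instead of `insecure-password`. The certificate path, the hash placeholder and the use of `ssl-min-ver` (HAProxy 1.8 or later) are assumptions.

```haproxy
# Added example. The global and defaults sections stay as in the answer above.

userlist UsersFor_Kibana
    # "password" expects a crypt(3) hash; "insecure-password" stores cleartext.
    # Generate a hash with: mkpasswd -m sha-512   (whois package on Debian/Ubuntu)
    # Placeholder value below, replace it with the generated hash.
    user kibana password $6$REPLACE_SALT$REPLACE_WITH_SHA512_CRYPT_HASH

frontend localnodes
    bind *:80
    # PEM file holding the certificate chain and private key (placeholder path)
    bind *:443 ssl crt /etc/haproxy/certs/kibana.pem ssl-min-ver TLSv1.2
    mode http
    # Frontend rules run before the backend's auth rule, so plain-HTTP
    # clients are redirected before any credentials are requested.
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend nodes

backend nodes
    mode http
    acl AuthOkay_Kibana http_auth(UsersFor_Kibana)
    http-request auth realm Kibana if !AuthOkay_Kibana
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    # Kibana listens on localhost only (server.host: "localhost" in kibana.yml)
    server server1 127.0.0.1:5601 check
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before the service is reloaded.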