问题
Is it possible to enable authentication in Kibana in order to restrict access to a dashboard to only be accessible to particular users?
回答1:
Kibana itself doesn't support authentication or restricting access to dashboards.
You can restrict access to Kibana 4 using nginx as a proxy in front of Kibana as described here: https://serverfault.com/a/345244. Just set proxy_pass to port 5601 and disable this port on firewall for others. This will completly enable or disable Kibana.
Elastic also has a tool called Shield which enables you to manage security of elasticsearch. With Shield you can for example allow someone to analyze data in specific indexes with read-only permissions. https://www.elastic.co/products/shield
Edit: Elastic has an issue on github and they recommend to use Shield.
- Install Shield (plugin for elasticsearch) following these instructions
- Configure roles for Kibana users
- Configure Kibana to work with Shield
Remember Shield provides only index-level access control. That means user A will be able to see all dashboards but some of them will be empty (because he doesn't have access to all indices).
回答2:
Check this plugin named elasticsearch-readonlyrest. It allow easy access control, by authentication or ip/network, x-forwarded-for header and allows one to setup read-write or read-only access in kibana and limit indexes access per user. It is simple to setup and should give enough control for most people.
If more control is needed, you can use the search-guard, a free alternative to shield.
回答3:
Kibana4 doesn't currently support this.
回答4:
I have achieved authentication by installing haproxy.
- Restrict kibana locally
$sudo nano /etc/kibana/kibana.yml
server.host: "localhost"
2.Install haproxy in same machine where kibana installed
$ sudo apt update && sudo apt install haproxy
$ sudo nano /etc/haproxy/haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 10m
timeout client 10m
timeout server 10m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
userlist UsersFor_Kibana
user kibana insecure-password myPASSWORD
frontend localnodes
bind *:80
mode http
default_backend nodes
backend nodes
acl AuthOkay_Kibana http_auth(UsersFor_Kibana)
http-request auth realm Kibana if !AuthOkay_Kibana
mode http
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server server1 127.0.0.1:5601 check
username :-"kibana" password :- "myPASSWORD"
When you browse http://IP:80 one pop-up ll come for authentication.
回答5:
Old question but I wanted to add that there is an open source version of elk from aws. You might be able to use the plugin in the version from elastic.co. https://github.com/opendistro-for-elasticsearch/security
来源:https://stackoverflow.com/questions/30138936/how-to-set-authentication-in-kibana