2

I would like to require auth_basic nginx authentication to save all Kibana 4 dashboards but allow anyone to view dashboards without authentication.

I recently installed an ELK (Elasticsearch 1.4.5, Logstash 1:1.5.2-1, and Kibana 4.1.1) stack on Ubuntu 14.04 using a DigitalOcean tutorial.

Because Kibana uses browser-based JavaScript to send queries to Elasticsearch, I'm not sure how to figure out what to secure.

DigitalOcean provides an nginx config to fully secure access to Kibana 4.

FILE:/etc/nginx/sites-available/default
server {
    listen      80;
    return 301 https://logstash.nyc.3top.com;
}
server {
    listen 443;

    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    server_name logstash.example.com;
    access_log /var/log/nginx/kibana.access.log;

    auth_basic "Restricted Access";
    auth_basic_user_file /etc/nginx/htpasswd.users;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Elastic provided an nginx sample config to accomplish this for Kibana 3 but not Kibana 4:

server {
  listen                *:80 ;

  server_name           kibana.myhost.org;
  access_log            /var/log/nginx/kibana.myhost.org.access.log;

  location / {
    root  /usr/share/kibana3;
    index  index.html  index.htm;
  }

  location ~ ^/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_aliases$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/_nodes$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_search$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }
  location ~ ^/.*/_mapping {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }

  # Password protected end points
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
}

Does anyone know how to do this for Kibana 4?

Here are my config files for Elasticsearch and Kibana:

/etc/elasticsearch/elasticsearch.yml

network.host: localhost

/opt/kibana/config/kibana.yml

port: 5601
host: "localhost"
elasticsearch_url: "http://localhost:9200"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
default_app_id: "discover"
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
bundled_plugin_ids:
 - plugins/dashboard/index
 - plugins/discover/index
 - plugins/doc/index
 - plugins/kibana/index
 - plugins/markdown_vis/index
 - plugins/metric_vis/index
 - plugins/settings/index
 - plugins/table_vis/index
 - plugins/vis_types/index
 - plugins/visualize/index
Peter M

2 Answers

1

Have a look at SearchGuard. It’s like Elastic’s security add-on, but free.

Basically, there is no simple way to do this with Kibana 4 without having authentication more integrated into Elasticsearch and Kibana.

Cameron Kerr
0

If log saving is done via POST, you can just require authentication on all POST requests. From another Server Fault answer:

limit_except GET HEAD {
    auth_basic 'Restricted';
    auth_basic_user_file /path/to/userfile;
}
Zach B.
  • Thanks for the suggestion -- unfortunately there are several "read only" functions such as search and application of filters that require a POST. – Peter M Jul 14 '15 at 14:00
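The trade-off between the two nginx approaches in this thread, as an added example that is not part of the original posts: a small Python model of the Kibana 3 per-location rules quoted in the question and of the blanket `limit_except GET HEAD` rule from the answer above, run over a few requests. The sample requests, index name and dashboard name are constructed, and the model assumes only what the quoted config shows (regex locations tried in order, `limit_except GET` also letting HEAD through).

```python
import re

# Regex locations copied, in order, from the Kibana 3 sample config in the question.
# nginx uses the first regex location that matches the request path.
OPEN = [r"^/_aliases$", r"^/.*/_aliases$", r"^/_nodes$",
        r"^/.*/_search$", r"^/.*/_mapping"]
PROTECTED = [r"^/kibana-int/dashboard/.*$", r"^/kibana-int/temp.*$"]
LOCATIONS = [(p, False) for p in OPEN] + [(p, True) for p in PROTECTED]

READ_METHODS = ("GET", "HEAD")  # limit_except GET implicitly allows HEAD as well


def kibana3_policy(method, path):
    """True if the quoted Kibana 3 config would ask for credentials."""
    for pattern, write_protected in LOCATIONS:
        if re.search(pattern, path):
            return write_protected and method not in READ_METHODS
    return False  # no regex matched: served by "location /" without auth


def blanket_policy(method, path):
    """True if 'limit_except GET HEAD' on every request would ask for credentials."""
    return method not in READ_METHODS


# Constructed sample traffic: (method, path, is_write), where is_write is what
# the request actually does, not what its HTTP method suggests.
SAMPLE = [
    ("GET", "/kibana-int/dashboard/web-traffic", False),    # view a dashboard
    ("PUT", "/kibana-int/dashboard/web-traffic", True),     # save a dashboard
    ("DELETE", "/kibana-int/dashboard/web-traffic", True),  # delete a dashboard
    ("POST", "/logstash-2015.07.14/_search", False),        # read-only search
    ("GET", "/_nodes", False),                              # cluster info
]


def misclassified(policy, requests):
    """Requests where the auth decision disagrees with the real read/write intent."""
    return [(m, p) for m, p, is_write in requests if policy(m, p) != is_write]


if __name__ == "__main__":
    for name, policy in (("kibana3", kibana3_policy), ("blanket", blanket_policy)):
        print(name, "misclassified:", misclassified(policy, SAMPLE))
```

The per-location rules classify every sample request correctly because they key on path and method together, while the blanket rule prompts anonymous viewers for credentials on the POST search, which is the problem the comment describes.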