Add username/password ACL to kibana access


(Steffen Winther Sørensen) #1

Considering howto simplest add more that just IP ACL to protect access to a kibana instance without having to revert to graylog and having to swap current data in our custom indices for graylog server to understand, also latest graylog only support 1.7 <= ES < 2.x.

Anyone done something similar without applying Shields at ES level?


(Magnus Bäck) #2

I don't understand how this relates to Graylog, but can't you just run Kibana behind a reverse proxy and apply access control in your web server?


(Steffen Winther Sørensen) #3

Well just because graylog among other features support user managment and ACLs but lack other features.
Got few colleagues preferring graylog for their application, but I'll rather not.

Reverse proxy... maybe, something like this

I was thinking maybe it was possible to do 'npm install http-auth' and utilize that in kibana 4, as it should be a node.js app


(Steffen Winther Sørensen) #4

Think I'll use a reverse proxy and thus not tamper with std kibana JS code... for easy future patching kibana.


(Joe Fleming) #5

You probably shouldn't tinker with the Kibana source, for exactly that reason. The easiest solution is just to proxy Kibana behind an nginx or Apache or HAProxy or some other instance and just do your auth through that.

If you have a commercial subscription, Shield is an option too.


(Steffen Winther Sørensen) #6

Yeap agree.

Fooling around with a nginx proxy, I'm trying to mount kibana under en base path only kibana reponses like this:

{"type":"response","@timestamp":"2016-01-09T13:53:52+00:00","tags":[],"pid":5983,"method":"get","statusCode":404,"req":{"url":"/perf","method":"get","headers":{"connection":"upgrade","host":"","accept-encoding":"gzip, deflate","cookie":"BLKIPSID=3c5cffe3f6d17e1d1c742b34b5e6f35b","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9","accept-language":"en-us","cache-control":"max-age=0"},"remoteAddress":"10.45.69.13","userAgent":"10.45.69.13"},"res":{"statusCode":404,"responseTime":25,"contentLength":9},"message":"GET /perf 404 25ms - 9.0B"}

Even when I got this in kibana.yml:

server.basePath: "/perf"

should this be make kibana consider /perf as base?


(Steffen Winther Sørensen) #7

Hm requesting / seems to prefix internally with basepath:

GET / HTTP/1.0

HTTP/1.1 200 OK
x-app-name: kibana
x-app-version: 4.3.0
cache-control: no-cache
content-type: text/html
content-length: 227
accept-ranges: bytes
Date: Sat, 09 Jan 2016 14:10:41 GMT
Connection: close

<script>var hashRoute = '/perf/app/kibana';
var defaultRoute = '/perf/app/kibana';
var hash = window.location.hash;
if (hash.length) {
  window.location = hashRoute + hash;
} else {
   window.location = defaultRoute;
}</script>

(Steffen Winther Sørensen) #8

Doing rewrite in nginx along with kibana server.basePath does the trick!


(Joe Fleming) #9

Yeah, the basePath stuff is for when you're hosting Kibana under a given path, but it doesn't sound like that's what you're actually doing. The proxy is mounted at /perf, btu from Kibana's perspective, it's still running at /.

Glad you got it working, and thanks for sharing the solution.


(system) #10