Anonymous Kibana Users

caitlyn.carlisle · April 14, 2021, 12:35am

I am attempting to add anonymous users to view my Kibana dashboards but it is giving me this error when I attempt to edit the elasticsearch.yml file.

Additionally, will adding this feature allow the dashboard to completely bypass the login page or will it just allow an anonymous user option?

warkolm · April 14, 2021, 12:39am

Are you using Elastic Cloud here?

caitlyn.carlisle · April 14, 2021, 12:45am

Yes!

warkolm · April 14, 2021, 12:54am

Just to confirm, you followed Enabling anonymous access | Elasticsearch Guide [7.12] | Elastic to set this up?

What version are you running?

caitlyn.carlisle · April 14, 2021, 12:58am

Yes, I copied that over to the .yml file and changed the roles to be the proper roles but it gave me those errors.

7.12

If I currently haven't upgraded from the trial could that be why? I am just trying to ensure it is all set up before we set up the payment.

warkolm · April 14, 2021, 12:59am

Huh that's odd, it's not listed as a restricted setting - Restrictions and known problems | Elasticsearch Service Documentation | Elastic

I'll see what I can dig up.

caitlyn.carlisle · April 14, 2021, 1:01am

Thank you for your help!

stephenb · April 14, 2021, 1:36am

Hi @caitlyn.carlisle and @warkolm

Today anonymous access is not supported (not possible) in Elastic Cloud there is however a workaround that has been documented.

See Here this is written by one of our more well versed team members

UPDATE : @caitlyn.carlisle Let us take a little closer look there may be another way I will take a another look and get back.

stephenb · April 14, 2021, 2:18am

@caitlyn.carlisle

Ok we have it

If I understand correctly, What you want to accomplish is enable the ability for a user to anonymous login to view Kibana dashboards etc. That is supported in Elastic Cloud, what is not supported is underlying anonymous access to elasticsearch. That is where the confusion lay.

So this is how you do it.

Reference Here.. and there is even a little video on it here . Note the docs link to 7.11 so make sure you use the latest.

First create the user and role as you would via Kibana.

Then add the setting to the kibana.yml

xpack.security.authc.providers:
  basic.basic1:       <!-- This is the normal login
    order: 0  
  anonymous.anonymous1:  <!-- This is the anonymous login
    order: 1
    credentials:
      username: "test"
      password: "askldjfhaslkdjf1654"

Then you should be able to get a login with this

I set up to see Discover

Let us know if that works...

caitlyn.carlisle · April 19, 2021, 2:54pm

Yes, thank you so much for your help! I was able to implement it!

Elfrida · April 20, 2021, 8:48am

Thank you for your patience and support

alfredo.deluca · April 20, 2021, 10:43am

Hi there. We had the same issue as Caitlyn. So If I want to share a dashboard with iframe code added in a web server or, as in our case, in Microsoft sharepoint page we won't be able to do it without an account and without going through the anonymous/guest user in Elastic Cloud?

We have the same Elastic Cloud 7.12

Cheers

arora2deepak · April 20, 2021, 10:55am

Thanks for the clarification.

stephenb · April 20, 2021, 1:51pm

So that is a slightly different area where I am not as much as an expert , but yes if you want to provide content anonymously / without login yes you would need to set up the anonymous login.

azasypkin · April 20, 2021, 2:10pm

In addition to what Stephen has already suggested, we also documented embedding + authentication in Embed Kibana content in a web page | Kibana Guide [7.12] | Elastic.

As explained there, you have three options:

Either configure Kibana to be a part of the Single Sign-On setup you have at your main/host website
Or configure anonymous access
Or let users use Login Selector/Form

When you embed Kibana with configured anonymous access you can make it so that users won't see Login Selector if you don't need it.

alfredo.deluca · April 20, 2021, 3:38pm

thanks @azasypkin.
That's what I d like to do. Embed the anonymous user in the iframe code so any one with the link can see the dashboard even without going through the login selector.
But in order to do so I need to follow this page

then
add in the kibana.yml
the following

xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"

is that right?
cheers

azasypkin · April 21, 2021, 10:12am

alfredo.deluca:

then
add in the kibana.yml
the following
xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials: "elasticsearch_anonymous_user"
is that right?
cheers

Yeah, but any reason you don't want to use username/password based credentials? "elasticsearch_anonymous_user" credentials also requires you to enable anonymous access in Elasticsearch, not sure if you really want that.

alfredo.deluca · April 21, 2021, 11:58am

That's what I am looking for.
I need multiple people internally in our company to look at dashboards through an internal sharepoint page without login/account?
So in that case do I need to modify the elastic and kibana yml file?

We have elastic cloud 7.12 and I think Stephen Brown said we can't change the setting in the elastic part of it? is that correct?

azasypkin · April 21, 2021, 12:34pm

In short, the steps explained by Stephen in Anonymous Kibana Users - #9 by stephenb is what you need to cover this use case. Only changes in Kibana configuration are needed, no need to modify Elasticsearch config. Don't be be confused by the Login Selector part, if you use iframe code for the dashboard to embed into your Sharepoint page as explained here, your users won't see login selector, iframe will load required dashboards directly.

I'd encourage you to go through all the links we've shared in this thread to get a better understanding of how anonymous access is configured exactly. You seem to be confused by the fact that there are two distinct features Elasticsearch anonymous access and Kibana anonymous access. You may want to use Elasticsearch anonymous access if, for example, you want to query Elasticsearch directly (without Kibana) without providing any sort of credentials. It's enabled by default in Cloud (you cannot change that), but it's required that you create an anonymous role to make it work first. If I understand your use case correctly you don't need this at all, so I won't go into details here.

As explained in the links above, Kibana anonymous access can leverage Elasticsearch anonymous access internally (credentials - "elasticsearch_anonymous_user" ), but it's not required. The easiest way is to just a create a user that will be used as anonymous service account and use username/password credentials as Stephen has already suggested.

Irrespective to the type of credentials you use, when you embed Kibana dashboards or visualizations with toggled Public URL switch, Login Selector won't be shown to your users as this switch tells Kibana to use anonymous access if it's enabled.

Let me know if there is anything that's still unclear, happy to clarify.

Best,
Oleg

alfredo.deluca · April 22, 2021, 12:19pm

thanks Oleg. I was able to implement the anonymous user on Kibana. However if at one end I can public the url without login, now I have the anonymous selector on the kibana page which I don't want cause if someone clicks on it it will go on the dashboard/space everybody can access the same page/kibana space.
This is unless I can use multiple anonymous users!

Do you think it would be possible?

Cheers