Auto-authenticate Kibana 5.3 dashboard embedded in iframe

Hi @PrabakarKaruppasamy,

This is a commonly asked question that has been discussed before in this forum. Please see these threads, among others:

Hi @weltenwort

Thanks for your response.
My requirement is to do this in a programmatic way.

  1. Can I pass the username and password as part of the embedded URL?
  2. Is there a way to make an ajax request to the Kibana server, get the response, and access the iframe without showing the Kibana login screen?

Making a preparatory ajax request to /api/security/v1/login to set the cookie as suggested in Authenticating to iframe-embedded Kibana dashboard might work. If the cookie is set correctly, the login screen should not be shown.

@weltenwort ... Thanks a lot... It is very helpful.

@weltenwort can we set up a cross-origin header in Kibana?

My Kibana server is running on another IP. My nginx server is in another domain. I am not able to log in due to a cross-origin issue.

You should be able to configure the CORS settings via the server.cors setting in kibana.yml, which will be forwarded to hapijs. For the valid values of that setting, please see the CORS-related settings in the hapi route options documentation. It would roughly look like this, but please check the linked documentation for specifics that might apply to your deployment environment:

server.cors:
  origin: ['YOUR', 'ORIGINS', 'HERE']
  credentials: true

I have configured it like below:

server.cors:
  origin: ['*']
  credentials: true

But I am not able to start Kibana; I am getting an error like: Kibana cors expecting boolean parameter.

My apologies, I just noticed that according to the source it is supposed to be server.cors: true when not in development mode.

Is there any other workaround?

Is it possible to set this flag in kibana.yml, for an instance running on elastic cloud?

The kibana.yml settings on Elastic Cloud are not editable by the user yet. This is being worked on though. In the meantime you could ask Cloud support to change settings for you.

@weltenwort

Hi, it is not working in the Prod environment. Is there any other way or other workaround?

Could you elaborate what "it" and "not working" means exactly in your case, please?

Sorry for the late reply. I have configured the Kibana yml file like this: server.cors: true, but it is not reflected. It is running in the AWS cloud.

With the server.cors: true setting, I am able to get the following CORS headers in the response:

$ http OPTIONS http://localhost:5601/login kbn-version:5.4.0 Origin:http://some-nginx-domain.com Access-Control-Request-Method:get
HTTP/1.1 200 OK
Connection: keep-alive
Date: Mon, 19 Jun 2017 08:12:25 GMT
access-control-allow-headers: Accept,Authorization,Content-Type,If-None-Match
access-control-allow-methods: get
access-control-allow-origin: http://some-nginx-domain.com
access-control-expose-headers: WWW-Authenticate,Server-Authorization
access-control-max-age: 86400
cache-control: no-cache
content-length: 0
kbn-name: kibana
kbn-version: 5.4.0
kbn-xpack-sig: dd98667ca0fad49b443090b0770f1b9f
vary: accept-encoding

Can you compare that to the response you are getting from your Kibana server?

Sure. Thanks for the great information. Let me check.

Hi

With server.cors: true I am facing a config error. Error message: (FATAL { ValidationError: child "server" fails because [child "cors" fails because ["cors" must be an object]]). Kibana doesn't start. It fails when starting the Kibana service.

According to the source it expects a boolean in production mode and an object in development mode.

@weltenwort
Here in the source we can see that dev mode is false, but the 'server.cors: true' configuration is not working.

Sorry, @PrabakarKaruppasamy, but I cannot reproduce the problem. I performed the following steps:

  • download and unpack the Kibana 5.3.3 archive

  • set server.cors: true in config/kibana.yml

  • start Kibana using bin/kibana

  • send the following request to http://localhost:5601:

      OPTIONS / HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      Access-Control-Request-Method: GET
      Connection: keep-alive
      Content-Length: 0
      Host: localhost:5601
      Origin: http://example.com
      User-Agent: HTTPie/0.9.8
    

I get the response

HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 04 Jul 2017 09:24:24 GMT
access-control-allow-headers: Accept,Authorization,Content-Type,If-None-Match
access-control-allow-methods: GET
access-control-allow-origin: http://example.com
access-control-expose-headers: WWW-Authenticate,Server-Authorization
access-control-max-age: 86400
cache-control: no-cache
content-length: 0
kbn-name: kibana
kbn-version: 5.3.3
vary: accept-encoding

which looks like a response with CORS enabled. Maybe you could elaborate in which way your setup deviates from these steps?
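
The following is an added example, not code from any poster in this thread or from Kibana: it applies the CORS checks a browser performs (per the Fetch standard) to the preflight headers quoted in the reply above, to see whether a cookie-setting login call would pass. The function name `corsProblems` and the planned request (a credentialed POST sending `Content-Type` and the `kbn-version` header seen earlier in the thread) are assumptions.

```javascript
// Added example: browser-side CORS checks (Fetch standard) applied to a preflight response.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);

// Split a comma-separated header value into trimmed tokens.
const tokens = (value) => (value || '').split(',').map((t) => t.trim()).filter(Boolean);

// Returns the reasons a browser would block the request (empty array = allowed).
// `headers`: preflight response headers, keyed by lower-cased name.
// `request`: { origin, method, credentials, headerNames } for the planned call,
// where headerNames lists the non-safelisted request headers it sends.
function corsProblems(headers, request) {
  const problems = [];
  const allowOrigin = headers['access-control-allow-origin'];
  const withCreds = request.credentials === 'include';
  if (allowOrigin === undefined) {
    problems.push('missing access-control-allow-origin');
  } else if (allowOrigin === '*') {
    if (withCreds) problems.push('wildcard origin is not accepted for credentialed requests');
  } else if (allowOrigin !== request.origin) {
    problems.push(`origin ${request.origin} does not match ${allowOrigin}`);
  }
  // A credentialed request fails the CORS check unless this header is exactly "true".
  if (withCreds && headers['access-control-allow-credentials'] !== 'true') {
    problems.push('access-control-allow-credentials is not "true"');
  }
  const methods = tokens(headers['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.has(request.method) ||
    methods.includes(request.method) || (!withCreds && methods.includes('*'));
  if (!methodOk) problems.push(`method ${request.method} not allowed`);
  // Header names compare case-insensitively; "*" is not a wildcard with credentials.
  const allowed = tokens(headers['access-control-allow-headers']).map((h) => h.toLowerCase());
  for (const name of request.headerNames.map((h) => h.toLowerCase())) {
    const ok = allowed.includes(name) || (!withCreds && allowed.includes('*'));
    if (!ok) problems.push(`request header ${name} not allowed`);
  }
  return problems;
}

// CORS headers copied from the preflight response quoted in the reply above.
const preflight = {
  'access-control-allow-headers': 'Accept,Authorization,Content-Type,If-None-Match',
  'access-control-allow-methods': 'GET',
  'access-control-allow-origin': 'http://example.com',
};
// Assumed request: a cookie-setting login call that sends JSON and the kbn-version header.
const loginCall = { origin: 'http://example.com', method: 'POST', credentials: 'include',
  headerNames: ['Content-Type', 'kbn-version'] };
console.log(corsProblems(preflight, loginCall));
```

For the quoted headers and the assumed call it reports two blockers: no `access-control-allow-credentials: true`, and `kbn-version` absent from `access-control-allow-headers`.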