Auto-authenticating to iframe-embedded Kibana dashboard

jordansparked · April 1, 2016, 7:05pm

I have a Shield-protected Kibana 4.5 dashboard that I'm embedding via iframe. Is there any way to programmatically provide the user/password so that the user automatically auths and the dashboard is displayed?

I've attempted the following with no luck:
<iframe src="https://username:password@myKibanaHost....>
<iframe src="https://myKibanaHost?embed=true&username=myuser&password=mypass>

I know this isn't best idea to embed credentials in the iframe, but this is an internal system and we don't want users to have to authenticate twice (once to our site, once to Kibana).

Or is there another way?

joyometer · April 6, 2016, 4:32pm

+1 Love to know the answer. Double auth very much limits our use-case for Kibana. Or is there some other way like using OAuth / SAML?

Joe_Fleming · April 6, 2016, 6:27pm

If you are using Shield 2.3, and you have the front-end plugin installed in Kibana, then yes, this is possible. It doesn't work as you've put in your example.

Instead, pass a valid Basic Authorization header with the request will cause Shield will validate the session, creating and using an authorization cookie in the background.

Note that prior to 2.3, I don't believe this was possible at all.

tsullivan · September 14, 2016, 8:15pm

You can pass the Authorization header as Joe suggests using an nginx proxy.

Here is the relevant section of my nginx.conf:

 server {
     listen       4443 ssl; # the default was port 443
     server_name  tim-virtual-machine.local;

     ssl_certificate      /home/tim/domain.crt;
     ssl_certificate_key  /home/tim/domain.key;

     ssl_session_cache    shared:SSL:1m;
     ssl_session_timeout  5m;

     ssl_ciphers  HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers  on;

     location / {
         proxy_set_header  Host $host;
         proxy_set_header  X-Real-IP $remote_addr;
         proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header  Authorization "Basic cGFudHM6b25maXJl"; # base64-encoded username:password to pass in header
         proxy_pass  https://tim-virtual-machine.local:5601; # actual kibana URL
     }
 }

I got this mostly from following this tutorial: http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html

I generated the Base64 string out of the username:password combination with this unix one-liner:

echo -n username:password | base64

Gabriele · January 12, 2017, 12:17pm

@tsullivan Can it also be done on the Elastic.co cloud?

tsullivan · January 12, 2017, 9:44pm

@tsullivan Can it also be done on the Elastic.co cloud?

I really don't know. You and a colleague have been posting in another thread about trying to do this, and according to messages there, you are getting this error:

{"ok":false,"message":"Unknown cluster."}

When you use Kibana hosted in Cloud normally, you are talking to a proxy, and that proxy has headers that it sets, including one for the cluster_id. I don't know enough about this to know if your proxy might be preventing the Cloud proxy's header from persisting.

Alex_Piggott · January 12, 2017, 9:49pm

@Gabriele

It should be possible to route to the Elastic Cloud using nginx, there's just an extra header you need to supply, eg:

         proxy_set_header  X-Found-Cluster <cluster-id>;

(note that's the full cluster ID, not just the first 6 digits)

There may be other issues, it's not something I've tried; but based on the error you're currently getting, this extra header should at least get you one step closer!

Alex

Gabriele · January 13, 2017, 10:20am

#Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
server.basePath: "/kibana"

Ok, but how do I set up server.basePath in the Kibana Cloud? I can't access the kibana .yml file

Alex_Piggott · January 13, 2017, 5:15pm

Ah sorry - you cannot currently set server.basePath in the Elastic Cloud Kibana; so you'd need to configure the proxy to translate the Kibana URLs in the replies (I don't know if that's possible, I have done it for Splunk in the past though using apache)

The alternative that we see people do a fair bit in these sorts of scenarios is to run their Kibana outside of Elastic Cloud pointing at an Elasticsearch instance in the cloud Obviously that's a bit of a pain, but Kibana is generally easier to run and maintain than Elasticsearch anyway.

Alex

PrabakarKaruppasamy · June 13, 2017, 12:42pm

Can u please explain me what we need to give $proxy_add_x_forwarded_for (local machine IP address or remote machine address)

tsullivan · June 16, 2017, 6:07am

Hi PrabakarKaruppasamy,

The place to go to understand how nginx configurations work, is the nginx documentation or forums. I found this page which might help: https://www.nginx.com/resources/wiki/start/topics/examples/likeapache/

georgezoto · May 4, 2018, 8:40pm

Thank you @tsullivan for your recommendations and sample nginx configuration.I know it is a work around and it will not solve all issues. @thomasneirynck shared a ticket asking for a enhancement to basically provide public facing visualizations and dashboard like many other modern platforms offer. Please upvote or comment if you find it helpful: https://github.com/elastic/kibana/issues/18331

Thank you again,
George

f26227279 · June 7, 2018, 2:17am

Hi, @tsullivan my ELK is version 6.2.2.
I want to let users can auto authenticate to x-pack security.
Do I need to install shield into Kibana?
How can I connect nginx with x-pack?

thank you in advance

tsullivan · June 21, 2018, 6:38pm

Hi,
If you install X-Pack in Elasticsearch, you should also install it into Kibana. X-Pack is the commercial suite of products that includes Security (formerly called Shield).

To auto authenticate, set up a reverse proxy that passes through to the Kibana server. The proxy can add an authentication header to make all the requests authenticated as whatever user you want them to be.

Francisca_Lima · February 7, 2019, 9:32am

Hello,
So I can use nginx to access Kibana dashboards with different users? I tried to use a variable for the user in the nginx, but my problem is when I do the GET request of Kibana Dashboard.
My nginx is like this:

location / {
  proxy_pass http://127.0.0.1:5601;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection 'upgrade';
  proxy_set_header Host $host;
  proxy_cache_bypass $http_upgrade;
  rewrite ^/kibana(.*)$ /$1 break;
  proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
  proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
  proxy_set_header  X-Forwarded-Proto $scheme;
  auth_basic "Basic Auth";
  auth_basic_user_file /etc/nginx/.htpasswd;
  proxy_set_header x-forwarded-user $remote_user;
  proxy_set_header Authorization "";
  access_log /var/log/nginx/kibana.access.log;
}

How can I access my kibana dashboards? Through a POST login request?

Thanks.

flexoid · March 14, 2019, 12:36pm

@tsullivan @Alex_Piggott @Francisca_Lima and others interested.

Looks like you should use

proxy_set_header Host $proxy_host;

instead of

proxy_set_header Host $host;

$proxy_host takes host value from proxy_pass directive, while $host will contain your server_name. And apparently, Kibana from Elastic Cloud requires an original host to determine target cluster ID.

Works for me without proxifying any additional X-Found-Cluster headers.