Auto-authenticating to iframe-embedded Kibana dashboard


(Jordan Snodgrass) #1

I have a Shield-protected Kibana 4.5 dashboard that I'm embedding via iframe. Is there any way to programmatically provide the user/password so that the user automatically auths and the dashboard is displayed?

I've attempted the following with no luck:
<iframe src="https://username:password@myKibanaHost....>
<iframe src="https://myKibanaHost?embed=true&username=myuser&password=mypass>

I know this isn't the best idea to embed credentials in the iframe, but this is an internal system and we don't want users to have to authenticate twice (once to our site, once to Kibana).

Or is there another way?


(Bigrig) #2

+1 Love to know the answer. Double auth very much limits our use-case for Kibana. Or is there some other way like using OAuth / SAML?


(Joe Fleming) #3

If you are using Shield 2.3, and you have the front-end plugin installed in Kibana, then yes, this is possible. It doesn't work as you've put in your example.

Instead, passing a valid Basic Authorization header with the request will cause Shield to validate the session, creating and using an authorization cookie in the background.

Note that prior to 2.3, I don't believe this was possible at all.


(Tim Sullivan) #4

You can pass the Authorization header as Joe suggests using an nginx proxy.

Here is the relevant section of my nginx.conf:

 server {
     listen       4443 ssl; # the default was port 443
     server_name  tim-virtual-machine.local;

     ssl_certificate      /home/tim/domain.crt;
     ssl_certificate_key  /home/tim/domain.key;

     ssl_session_cache    shared:SSL:1m;
     ssl_session_timeout  5m;

     ssl_ciphers  HIGH:!aNULL:!MD5;
     ssl_prefer_server_ciphers  on;

     location / {
         proxy_set_header  Host $host;
         proxy_set_header  X-Real-IP $remote_addr;
         proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header  Authorization "Basic cGFudHM6b25maXJl"; # base64-encoded username:password to pass in header
         proxy_pass  https://tim-virtual-machine.local:5601; # actual kibana URL
     }
 }

I got this mostly from following this tutorial: http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html

I generated the Base64 string out of the username:password combination with this unix one-liner:

echo -n username:password | base64

(Gabriele) #5

@tsullivan Can it also be done on the Elastic.co cloud?


(Tim Sullivan) #6

> @tsullivan Can it also be done on the Elastic.co cloud?

I really don't know. You and a colleague have been posting in another thread about trying to do this, and according to messages there, you are getting this error:

{"ok":false,"message":"Unknown cluster."}

When you use Kibana hosted in Cloud normally, you are talking to a proxy, and that proxy has headers that it sets, including one for the cluster_id. I don't know enough about this to know if your proxy might be preventing the Cloud proxy's header from persisting.


(Alex Piggott) #7

@Gabriele

It should be possible to route to the Elastic Cloud using nginx, there's just an extra header you need to supply, eg:

         proxy_set_header  X-Found-Cluster <cluster-id>;

(note that's the full cluster ID, not just the first 6 digits)

There may be other issues, it's not something I've tried; but based on the error you're currently getting, this extra header should at least get you one step closer!

Alex


(Gabriele) #8
# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
server.basePath: "/kibana"

Ok, but how do I set up server.basePath in the Kibana Cloud? I can't access the kibana .yml file :frowning:


(Alex Piggott) #9

Ah sorry - you cannot currently set server.basePath in the Elastic Cloud Kibana; so you'd need to configure the proxy to translate the Kibana URLs in the replies (I don't know if that's possible, I have done it for Splunk in the past though using apache)

The alternative that we see people do a fair bit in these sorts of scenarios is to run their Kibana outside of Elastic Cloud pointing at an Elasticsearch instance in the cloud. Obviously that's a bit of a pain, but Kibana is generally easier to run and maintain than Elasticsearch anyway.

Alex


(Prabakar K) #10

Can you please explain what we need to give for $proxy_add_x_forwarded_for (local machine IP address or remote machine address)?


(Tim Sullivan) #11

Hi PrabakarKaruppasamy,

The place to go to understand how nginx configurations work is the nginx documentation or forums. I found this page which might help: https://www.nginx.com/resources/wiki/start/topics/examples/likeapache/


(George Zoto) #12

Thank you @tsullivan for your recommendations and sample nginx configuration. I know it is a workaround and it will not solve all issues. @thomasneirynck shared a ticket asking for an enhancement to basically provide public-facing visualizations and dashboards like many other modern platforms offer. Please upvote or comment if you find it helpful: https://github.com/elastic/kibana/issues/18331

Thank you again,
George


(張皓翔) #13

Hi, @tsullivan my ELK is version 6.2.2.
I want to let users auto-authenticate to X-Pack security.
Do I need to install shield into Kibana?
How can I connect nginx with x-pack?

thank you in advance :slightly_smiling_face:


(Tim Sullivan) #14

Hi,
If you install X-Pack in Elasticsearch, you should also install it into Kibana. X-Pack is the commercial suite of products that includes Security (formerly called Shield).

To auto authenticate, set up a reverse proxy that passes through to the Kibana server. The proxy can add an authentication header to make all the requests authenticated as whatever user you want them to be.
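
The reverse-proxy approach from this thread with access controls around it, as an added example that is not from any poster or from Elastic: because the proxy authenticates every request it forwards, anyone who can reach it gets the Kibana session, so this sketch limits who can reach it and which site may frame it. The host names, the 10.0.0.0/8 range, the `/_session_check` location, the portal's verify endpoint and the include path are all assumptions; `auth_request` requires nginx built with ngx_http_auth_request_module, and the portal's session cookie must be scoped so the browser also sends it to the proxy host.

```nginx
server {
    listen       4443 ssl;
    server_name  kibana-embed.example.internal;        # assumed proxy host name

    ssl_certificate      /etc/nginx/tls/kibana-embed.crt;
    ssl_certificate_key  /etc/nginx/tls/kibana-embed.key;

    # Everyone who reaches this server is logged in to Kibana as the proxy's
    # user, so restrict reachability to the networks your users sit on.
    allow  10.0.0.0/8;                                  # assumed internal range
    deny   all;

    # Subrequest target: asks the embedding site whether the browser's
    # session is valid (2xx allows the request, 401/403 rejects it).
    # The client's request headers, cookies included, go with the subrequest.
    location = /_session_check {
        internal;
        proxy_pass               https://portal.example.internal/api/session/verify;  # hypothetical endpoint
        proxy_pass_request_body  off;
        proxy_set_header         Content-Length "";
        proxy_set_header         X-Original-URI $request_uri;
    }

    location / {
        auth_request  /_session_check;

        proxy_set_header  Host $host;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

        # The included file holds the single line
        #   proxy_set_header  Authorization "Basic <base64 of user:password>";
        # Base64 is reversible, so keep the file mode 0600 and out of version
        # control, and use a dedicated Kibana user with a read-only role.
        include  /etc/nginx/secrets/kibana_auth.conf;

        # Let only the embedding site frame the dashboard.
        add_header  Content-Security-Policy "frame-ancestors https://portal.example.internal" always;

        proxy_pass  https://kibana.example.internal:5601;  # assumed Kibana URL
    }
}
```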