Can someone explain what the comment means for the elasticsearch.username and password variables in the config

Hi:
In the kibana.yml config file, the following comment appears for the two settings
elasticsearch.username
elasticsearch.password

This parameter specifies the username for Elasticsearch instances that use HTTP basic authentication. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.

What does the 2nd statement in the comment mean?
Q1: Does it mean that if some form of security is enabled on Elasticsearch, the user accessing Kibana will need to be authorized?
Q2: Is the purpose of the username and password only for the initial communication between Kibana and Elasticsearch (i.e. to create the Kibana index if it does not exist and to retrieve the data for the Kibana artifacts)?
Q3: Would these credentials not be used for data retrieval, if I have a basic auth user created to access the data in Elasticsearch?
Q4: How would Kibana pass the Kibana user's username and password? Are there specific settings to set these?

If there is documentation regarding this, a link to it would be helpful; otherwise any assistance in getting these questions answered would work as well.

Thanks for the help

ramdev

I would like to amend my question like so:

Is it possible to pass in the username and password for a basic auth user via all of the HTTP requests sent from Kibana to Elasticsearch?

(This is post-initialization of Kibana, wherein the config values of username and password are used.)

Thanks

Ramdev

Q1: Does it mean that if some form of security is enabled on Elasticsearch, the user accessing Kibana will need to be authorized?

Yes, the users will still need to provide credentials which will be proxied to Elasticsearch.

Q2: Is the purpose of the username and password only for the initial communication between Kibana and Elasticsearch (i.e. to create the Kibana index if it does not exist and to retrieve the data for the Kibana artifacts)?

Exactly

Q3: Would these credentials not be used for data retrieval, if I have a basic auth user created to access the data in Elasticsearch?

They will not be used for data retrieval. The credentials the user supplies will be passed through to Elasticsearch.

Q4: How would Kibana pass the Kibana user's username and password? Are there specific settings to set these?

These are part of the request headers which are presented to Kibana. If you're interested, here is the actual method which is being used - callWithRequest.

Is it possible to pass in the username and password for a basic auth user via all of the HTTP requests sent from Kibana to Elasticsearch?

If I understand the question correctly, you're wanting to eliminate the user needing to provide credentials when accessing Kibana. There is not currently support for this. Doing this essentially circumvents the access controls, which could be accomplished by simply removing them.

1 Like
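The split described in the answer above, as an added example that is not part of the thread and is not Kibana's own code: a simplified model in which the kibana.yml credentials are used only for Kibana's internal calls, while user-scoped calls forward the browser's own Authorization header and never fall back to the service account. The helper names, account names, passwords and realm are assumptions constructed for illustration.

```javascript
// Simplified model of the two credential paths; NOT Kibana's source code.
// Constructed sample of the kibana.yml settings discussed in the thread.
const config = {
  'elasticsearch.username': 'kibana_service', // constructed value
  'elasticsearch.password': 'service-secret', // constructed value
};

const basic = (user, pass) =>
  'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');

// Hypothetical helper: headers for Kibana's own housekeeping calls
// (creating the Kibana index, loading saved objects).
function internalHeaders(cfg) {
  return {
    authorization: basic(cfg['elasticsearch.username'], cfg['elasticsearch.password']),
  };
}

// Hypothetical helper: headers for a call made on behalf of a browser user.
// Only the caller's own Authorization header is forwarded. If it is missing
// or malformed, the call is rejected instead of borrowing the service account.
function userScopedHeaders(incomingHeaders) {
  const auth = Object.entries(incomingHeaders)
    .find(([name]) => name.toLowerCase() === 'authorization');
  if (!auth || !/^Basic\s+\S+$/i.test(auth[1])) {
    return { status: 401, headers: { 'www-authenticate': 'Basic realm="kibana"' } };
  }
  return { status: 200, headers: { authorization: auth[1] } };
}

// Decode a Basic header back to its username, to show whose identity
// Elasticsearch would see for a given call.
function identityOf(headers) {
  const b64 = headers.authorization.split(/\s+/)[1];
  return Buffer.from(b64, 'base64').toString().split(':')[0];
}

// Constructed browser request from a read-only user.
const browserRequest = { Authorization: basic('readonly_user', 'viewer-pass') };

console.log(identityOf(internalHeaders(config)));
console.log(identityOf(userScopedHeaders(browserRequest).headers));
console.log(userScopedHeaders({}).status);
```
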

Thanks Tyler for each of the answers. I figured as much after reading all of the various tickets that addressed this issue. The reason for my final question was that I have a read-only access user that will be used to retrieve the data from ES. However, since there is no way for me to provide this user's credentials (via kibana.yml), I asked the question.

So my kibana instance will be configured with said read-only user so that the user is able to view the dashboards and accompanying visualizations. My use case is such that I cannot have every user that accesses these dashboards in a whitelist of authorized users as I do not know who these users are going to be.

So if I can set the request headers with the credentials, via config, that would be best.
However, if that is something that is not doable, well, I guess I will keep digging.

Thanks

Ramdev