Customer-Specific Data Access in Elasticsearch for Integrated Kibana Dashboards

Hello Elastic Community,

Our data model in Elasticsearch contains orders data from various brands. Our goal is to seamlessly embed the Kibana dashboard into our web application while ensuring that users do not encounter the Kibana login screen and can only view data pertinent to their brand.

Your expertise and experiences are highly valued, and I appreciate any assistance you can provide in navigating this challenge.

Thank you for your support!

Hi @Usama_Tariq,

It is possible to embed Kibana dashboards into your web application using an iframe and public URLs from Kibana. This blog gives a good overview of the steps. It covers use of anonymous authentication to bypass the login screen, which is available as a free feature. Otherwise you can also make use of SSO if you have an Enterprise or above licence.

If you have any particular questions about the approach or your specific use case do let us know.

Hope that helps!

With anonymous access there can be only one user with specific roles. How it could help in managing data access for multiple users?
Could you please elaborate on SSO? I think to leverage that there would be a need to create separate role mappings?
Please correct me if I am wrong anywhere.

Thanks again for the help and quick response.

I don't think that's right that you can only specify one user for anonymous authentication. There is an example here with 2 SAML auth providers for example. I believe you can specify multiple anonymous providers and then use the auth_provider_hint to specify the providers. I don't know how many distinct user groups you need, and having more than a few or many that regularly change could make maintaining the provider config challenging, but it is possible.

For SSO there are details on setup here in the documentation.

Hope that helps!

Thank you for the explanation and reference links.
So, for anonymous access I would need to create multiple providers under xpack.security.authc.providers setting in kibana.yml with users having roles with respect to their data access and pass auth_provider_hint paramter in iframe code?
I'll look through the SSO documentation and revert back in case of any query.
Thanks again!

Yes that's right. If you have any issues let us know.

Could you please share a sample config for adding multiple anonymous users in yml? I have created users and roles already in Kibana. Need to apply config changes inside yml files on elastic cloud console.
Thankyou.

My understanding till now is that we can specify multiple anonymous users with roles (data access managed via index privileges or managed through query in role configuration) in elastic or kibana yml files. Then we can pass information as parameter for that anonymous user in the iframe code.
In my case I can have multiple iframes based on the number of users and brands etc.
Need some help here with configs or guide on how to achieve above
Thanks.

By config do you mean the kibana.yml config specifying the providers? So taking the above SAML example I mentioned previously as a baseline, I would expect it to look something like this:

xpack.security.loginHelp: "**Help** info with a [link](...)"
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    icon: "logoElasticsearch"
    hint: "Typically for administrators"
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "anonymous_service_account"
      password: "anonymous_service_account_password"
  anonymous.anonymous2:
    order: 1
    credentials:
      username: "another_anonymous_service_account"
      password: "another_anonymous_service_account_password"
  kerberos.kerberos1:
    order: 3
    enabled: false

I have used the following config in kibana.yml on cloud console, but changes have failed, causing Kibana to be in unhealthy state.

xpack.security.authc.providers:
  basic.basic1:
    order: 0
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "anonymous_user_1_username"
      password: "anonymous_user_1_password"
  anonymous.anonymous2:
    order: 1
    credentials:
      username: "anonymous_user_2_username"
      password: "anonymous_user_2_password"

----- Expect to add config for more anonymous users as above, and to be passed in iframe code -----

Can you please help here? Thanks.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.