Different Kibana Environment Views: Prohibit and Allow Visualization According to User Authentication with Reverse Proxy (Nginx)


Hi all,

I am an Elasticsearch beginner user :slight_smile:
I use Logstash to parse, and I send all data to my Elasticsearch database.
Then I use Kibana to exploit them. So it's OK.

My question is:
How, with a reverse proxy (Nginx :slight_smile:), can I control the Kibana environment view according to the authenticated users (Admin, Client, ...)?
For example, I want to:

  • Prohibit the user from using the Settings and Visualize tabs and allow the Dashboard tab

  • Give Client A a visualisation of his information in Dashboard A thanks to field filtering

Thanks in advance

(Tim Sullivan) #2

I doubt it is possible to do what you are trying, because Kibana is a single web app and the different screens (Dashboard, Settings, Visualize, etc) are client-side routes of the web app. In other words, the link to Dashboard is qualified with a # in the URL, and a proxy is not going to see that a user is looking at different screens, because clicking between pages just changes the state of the application in the browser.

If you want to set up a portal where certain users can view only a dashboard, you might just try saving a dashboard in Kibana and using the "embed" HTML source to create a new page you could give to your Dashboard users. See https://www.elastic.co/guide/en/kibana/current/dashboard.html#sharing-dashboards

Note that you'd still need to trust your Dashboard users because they could find the src in the iframe of the embedded Dashboard and find their way to the full Kibana. But even if you did find a way to restrict certain users to just have Dashboard access, you'd still need to trust that they won't do anything destructive, such as delete a Dashboard.
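The point in the reply above about `#` routes can be checked directly. This is an added example, not part of the original post; the host, the `/app/kibana` path and the blocking rule are constructed placeholders used to show what a reverse proxy receives for each Kibana screen.

```javascript
// Constructed sample URLs; host and path are placeholders, not from the thread.
const BASE = "https://kibana.example.internal/app/kibana";
const visited = [
  BASE + "#/dashboard/Dashboard-A",
  BASE + "#/settings/indices",
  BASE + "#/visualize/step/1",
];

// The request-target a browser sends is path + query only; the fragment
// (everything after '#') stays in the browser and never reaches the proxy.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// The screen name the client-side router derives from the fragment.
function clientRoute(href) {
  return new URL(href).hash.replace(/^#\/?/, "").split("/")[0];
}

// Hypothetical proxy rule: deny a request whose target names a blocked screen.
function proxyAllows(href, blockedScreens) {
  const target = requestTarget(href);
  return !blockedScreens.some((screen) => target.includes(screen));
}

// Compare what the browser shows with what the proxy can decide on.
function audit(urls, blockedScreens) {
  return urls.map((href) => ({
    screen: clientRoute(href),
    seenByProxy: requestTarget(href),
    allowed: proxyAllows(href, blockedScreens),
  }));
}

const report = audit(visited, ["settings", "visualize"]);
console.table(report);
```

All three rows carry the same request target, so a path-based rule at the proxy cannot tell the Settings screen from the Dashboard screen.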


Ok thanks


Hi tsullivan,

I have one question. So I take the "embed" HTML for my Dashboard1 and I put this in my Apache web server, so it's OK for the visualisation.

But when you look at the source code of the HTML page, we can see all the information ==>

So how can I hide this?

I think that I must edit a form with a POST method and fill in fields to get a redirection to my request with hidden information.
What do you think? :slight_smile:

(Matt Bargar) #5

You probably won't be able to get a 100% secure solution without using Shield. The embedded view is nice because it limits the user's context, but it's really just security by obscurity.


Ok thanks Bargs :wink:
