Hi,
I'm trying to use ECK so that
- Elasticsearch is protected by a password
- Kibana allows un-authenticated traffic
We run a custom oauth proxy in front of kibana to perform authentication - this way we can allow users to use their regular g-suite credentials to access kibana.
In the past (prior to starting to use ECK), this was achieved by using the special format for the elasticsearch url setting in the kibana config file: https://user:password@elasticsearch.url:443 (off the top of my head I can't remember if we had to base64-encode the username/password part of the url, that may be).
In any case, this worked well enough, although a bit hacky - as far as I know it's the only way of making Kibana talk to an auth-enabled Elasticsearch cluster without auth-enabling Kibana.
However, after switching to ECK the constructs are higher level, and kibana simply references an ECK Elasticsearch cluster by name, not url.
So, before I give up and look for some other solution I guess I'm asking:
- It seems strange to me that Kibana "officially" seems to require "passing thru" credentials, making it difficult to turn kibana security off while leaving Elasticsearch security on. Is it really supposed to be near-impossible to achieve this?
- Is there any way using ECK that I can manipulate kibana's setting for the Elasticsearch url so we can implement the "auth bypass hack" while still using ECK?