Embedded Kibana auto login

nickgregz · October 15, 2019, 1:26pm

There have been multiple threads on this topic but most of them seem to circle around the same answers with contradicting official statements.
I want to auto-login users to a Kibana dashboard from a web app. I have enabled x-pack security and tried to get the auth cookie with an ajax request before showing the dashboard but unfortunately, I get the preflight CORS error:

OPTIONS with code 404.

There is an official response in this thread saying that this is not supported, and an unofficial thread here suggesting the same.

Despite this, there are official responses like in this thread here suggesting that it can be done setting the kibana.yml values:

server.cors: true
server.cors.origin: "*"

Adding this removed the 404 problem but the CORS couldn't recognize the headers ('kbn-xsrf') so I used a solution from here and modified http_tools.js with:

cors: { additionalHeaders: ['kbn-xsrf','cookie'], origin: ['*'], credentials: true }

which ended up returning 200 OK for OPTIONS and 204 No Content for POST but did not set the cookie in the browser.
Another thread with an official answer seems to suggest that it can't be done even if you manage to attach the cookie to the browser.

Is such an approach even possible taking into account contradicting answers across the board?

Another suggested approach is to use an NGINX reverse proxy to add authentication, but wouldn't that mean that every request to Kibana would be authorized and unprotected?

azasypkin · October 15, 2019, 1:56pm

Hi @nickgregz,

I can confirm that there are only two ways that we recommend for such use case currently:

Use SSO (SAML, OIDC, Kerberos) or PKI
Use reverse proxy in front of Kibana that will be adding Authorization header

Yes, all requests will be made on behalf of a dedicated user. You can of course create a dedicated read-only user with specific set of permissions, privileges etc, but it may not work for your use case.

You can also try to integrate Third Party Auth.

Let me know if you still have questions,
Oleg

nickgregz · October 15, 2019, 2:36pm

Thank you very much for your answer! I have a couple more questions.
The first solution(s) is part of the paid license (Gold and Premium)?
So the NGINX solution is just a bypass of security for anyone trying to access Kibana through a URL. There is no way to set up the reverse proxy so it can only let certain requests to Kibana and add the auth header based on received credentials from the client?

azasypkin · October 15, 2019, 3:08pm

Yes, that's correct.

Proxies are pretty flexible these days and can attach authz header to a particular set of URLs I believe. But how do you envision passing credentials from the client when Kibana is embedded?

nickgregz · October 15, 2019, 4:43pm

Thank you, you are right, there is no way of passing credentials or any data if it's embedded.

system · November 12, 2019, 4:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.