Enabling Kibana UI auth without changing logging clients

Hi there,

I have a requirement to secure the frontend of Kibana, however when I set xpack.security.enabled in elasticsearch.yml I am enabling security across the board including on index writes, which means that I have to authenticate my logging clients (whether those clients be beats or in code).

I understand that Kibana simply proxies the call down to Elasticsearch to authenticate users, but is there a way to be more granular with what I secure and remove the requirement for logging clients to authenticate while still mandating it for Kibana UI access? I can't find anything in the docs, and I understand that what I am trying to do is not wonderful anyway but I have been asked to at least explore the option...

Enabling Elastic Stack's Security feature is all-or-nothing.

If you'd like to only limit access to Kibana, you could use a reverse proxy (such as Nginx) in front of Kibana that enforces authentication, either through Basic Authentication, or something more sophisticated like Oauth. Note that this approach will not be able to limit access to specific things within Kibana. If the user has access, they'll be able to access everything.

Alternatively, you could enable Security for the Elastic Stack and use a reverse proxy to append Authentication headers for ingesting data. In this setup, all your beats and logging clients could forward their requests to this proxy without auth headers and the proxy would add these auth headers. Just note that this would enable anyone with access to the proxy to be able to ingest data (or other actions if you don't lock down with paths are allowed).

Thanks Josh, I appreciate the response. Ultimately we want native Elastic security but as I said I have been asked to look in to a really quick UI lockdown, so thank you for confirming what I suspected. I am not keen to put an authenticating proxy in front of Kibana as a short term fix, I'd rather put the time into securing clients and delivering the "right" solution (for us anyway). I hadn't thought of injecting headers with a reverse proxy though - even though I won't use that I reckon it will end up being something I use in future so thanks!

Sounds good, and I agree that securing the Stack 100% is the best option. Have a good one!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.