I have a few queries for my Elasticsearch cluster. It is TLS-enabled and running on a Platinum license. I don't want to use any static username and password for built-in users, so I have set up an LDAP realm and I'm able to access the Elasticsearch API with an LDAP login.
Now I want to know how Kibana will connect to Elasticsearch? I don't want to store any username/password in kibana.yml. (I don't want to store the password in the keystore manually.)
Is there a way by which Kibana can connect to Elasticsearch using any LDAP credentials?
If I run setup-passwords auto, will I still need to provide elasticsearch.username and password in kibana.yml, or does it take them automatically from the .security index?
Basically, without putting any password references in kibana.yml, how will Kibana access Elasticsearch?
Hey @Ronnie16, if you don't want to store a hard-coded username/password in the kibana.yml, you could potentially use the PKI realm in Elasticsearch so that Kibana can authenticate using a certificate/key.
We're working on adding Kerberos support to Kibana, but the first phase is using Kerberos to authenticate the logged in end-user, not to authenticate the internal Kibana server user. We'd like to add Kerberos authentication for the server identity, but there are some additional technical hurdles we'll have to overcome before we get to that point.
How are you currently authenticating other systems which communicate with Elasticsearch?
I'm trying to find a way to authenticate the Kibana and Logstash systems without hard-coded passwords. For end users I'm setting up an LDAP realm for Elasticsearch and SAML for Kibana.
I tried with PKI, but this step doesn't work without giving the Kibana username and password.
I assume you have the PKI realm configured in Elasticsearch already? If so, you should be able to execute a curl similar to the following using the cert/keys specified in elasticsearch.ssl.certificate and elasticsearch.ssl.key and get a proper response:
You can use the PKI Realm in addition to the ldap and saml realms which you currently have enabled, so you can use certificates to authenticate instead of usernames/passwords.
@Brandon_Kobel, this is what my issue is. I'm trying to authenticate it via certificates only but getting the error mentioned in the previous reply. Can you check that? Also, I have pasted my configuration. I'm configuring PKI for Kibana to authenticate to Elasticsearch, not for end users.
I already have SAML and LDAP for end-user authentication for Kibana and Elasticsearch respectively.
it's using the same path as xpack.security.http.ssl.certificate and xpack.security.http.ssl.certificate_authorities should be the CA's certificate which was used to create Elasticsearch's certificate and Kibana's certificate.
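The setup discussed in this thread (a PKI realm next to the existing LDAP and SAML realms, with Kibana presenting a client certificate instead of a password), sketched as an added example that is not taken from any participant's post. It assumes 7.x-style setting names; all file paths, the host name, the realm name `pki1` and the certificate DN are constructed placeholders.

```yaml
# ---- elasticsearch.yml --------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es-node.key            # placeholder path
xpack.security.http.ssl.certificate: certs/es-node.crt    # placeholder path
# CA that signed both the Elasticsearch and the Kibana certificate.
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt" ]
# Ask for a client certificate but do not require one, so LDAP and SAML
# users who present no certificate can still authenticate.
xpack.security.http.ssl.client_authentication: optional

# PKI realm added alongside the LDAP and SAML realms already configured.
# (7.x syntax; in 6.x the form is realms.<name>.type: pki.)
xpack.security.authc.realms.pki.pki1.order: 0

---
# ---- role_mapping.yml (next to elasticsearch.yml) -----------------------
# Maps the subject DN of Kibana's client certificate to the built-in
# kibana_system role. The DN must match the certificate's subject.
kibana_system:
  - "CN=kibana,OU=example,O=example"                      # constructed DN

---
# ---- kibana.yml ---------------------------------------------------------
elasticsearch.hosts: [ "https://es.example.internal:9200" ]   # placeholder
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca.crt" ]
# Client certificate and key Kibana presents to Elasticsearch; the key
# file should be readable only by the Kibana service account.
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
# No elasticsearch.username / elasticsearch.password entries.
```

If the role mapping is missing or the DN does not match, the certificate is accepted at the TLS layer but the resulting user has no roles, so requests from Kibana are denied.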