How kibana will connect to elasticsearch without built-in user and password

Hi team,

I have a few queries about my elasticsearch cluster. It is TLS enabled and running on a platinum license. I don't want to use any static username and password for built-in users, so I have set up an LDAP realm and I'm able to access the elasticsearch API with an LDAP login.

  1. Now I want to know how kibana will connect to elasticsearch. I don't want to store any username or password in kibana.yml. (I don't want to store the password in the keystore manually.)

  2. Is there a way by which kibana can connect to elasticsearch using any LDAP credentials?

  3. If I run setup-passwords auto, will I still need to provide elasticsearch.username and password in kibana.yml, or does it take them automatically from the .security index?

Basically, without putting any password references in kibana.yml, how will kibana access elasticsearch?

Hey @Ronnie16, if you don't want to store a hard-coded username/password in the kibana.yml, you could potentially use the PKI realm in Elasticsearch so that Kibana can authenticate using a certificate/key.

We're working on adding Kerberos support to Kibana, but the first phase is using Kerberos to authenticate the logged in end-user, not to authenticate the internal Kibana server user. We'd like to add Kerberos authentication for the server identity, but there are some additional technical hurdles we'll have to overcome before we get to that point.

How are you currently authenticating other systems which communicate with Elasticsearch?

I'm trying to find a way to authenticate the kibana and logstash systems without hard-coded passwords. For end users I'm setting up an ldap realm for elasticsearch and saml for kibana.

I tried with pki but this step doesn't work without giving kibana username and password.

_xpack/security/_authenticate?pretty

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_xpack/security/_authenticate?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_xpack/security/_authenticate?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Bearer realm=\"security\"",
        "ApiKey",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status" : 401
}

I assume you have the PKI realm configured in Elasticsearch already? If so, you should be able to execute a curl similar to the following using the cert/keys specified in elasticsearch.ssl.certificate and elasticsearch.ssl.key and get a proper response:

curl --cert /path/to/elasticsearch.ssl.certificate --key /path/to/elasticsearch.ssl.key https://localhost:9200/_xpack/security/_authenticate

You can use the PKI Realm in addition to the ldap and saml realms which you currently have enabled, so you can use certificates to authenticate instead of usernames/passwords.

@Brandon_Kobel, this is what my issue is. I'm trying to authenticate via certificates only, but I'm getting the error mentioned in my previous reply. Can you check that? Also, I have pasted my configuration. I'm configuring pki for kibana to authenticate to elasticsearch, not for end users.
I already have saml and ldap for end user authentication for kibana and elasticsearch respectively.

Do your elasticsearch logs show anything when you're trying to execute the aforementioned curl?

Also, it might be worth double-checking the following setting:

    xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/tls_server/crt.pem" ]

It's using the same path as xpack.security.http.ssl.certificate, and xpack.security.http.ssl.certificate_authorities should be the CA's certificate which was used to create Elasticsearch's certificate and Kibana's certificate.
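
A preflight check for the settings discussed in this thread, as an added example (not code from the thread or from Elastic): it reads a flat elasticsearch.yml and reports conditions that stop a client certificate from ever reaching the PKI realm, which leaves the request with no authentication token. The sample file, the function names and the realm name `pki1` are constructed; only flat dotted keys are handled, and both the 6.x and 7.x realm key layouts are accepted.

```python
import re

# Constructed elasticsearch.yml fragment (flat "key: value" form) modelled on the
# thread: the CA list points at the node's own certificate.
SAMPLE_BAD = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/tls_server/crt.pem
xpack.security.http.ssl.certificate_authorities: [ "/usr/share/elasticsearch/config/tls_server/crt.pem" ]
xpack.security.authc.realms.pki.pki1.order: 1
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines; nested YAML is out of scope."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #")[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        # Values become a list of strings, so scalars and [a, b] lists compare alike.
        items = [v.strip().strip("\"'") for v in value.strip().strip("[]").split(",")]
        settings[key.strip()] = [v for v in items if v]
    return settings

def check_pki_prereqs(text):
    """Return findings that would stop certificate-only authentication."""
    s = parse_flat_yaml(text)
    p = "xpack.security.http.ssl."
    findings = []
    if s.get(p + "enabled") != ["true"]:
        findings.append("http TLS disabled: no client certificate can be presented")
    # Default is 'none': the node never requests a client certificate.
    if s.get(p + "client_authentication", ["none"])[0] not in ("optional", "required"):
        findings.append("client_authentication is not optional/required")
    cert = s.get(p + "certificate", [])
    cas = s.get(p + "certificate_authorities", [])
    if not cas:
        findings.append("no certificate_authorities configured")
    elif set(cas) & set(cert):
        findings.append("certificate_authorities lists the node certificate, not the CA")
    # 7.x layout realms.pki.<name>.* or 6.x layout realms.<name>.type: pki
    has_pki = any(re.match(r"xpack\.security\.authc\.realms\.pki\.[^.]+\.", k) or
                  (re.match(r"xpack\.security\.authc\.realms\.[^.]+\.type$", k) and v == ["pki"])
                  for k, v in s.items())
    if not has_pki:
        findings.append("no pki realm configured")
    return findings
```

Calling `check_pki_prereqs(SAMPLE_BAD)` returns two findings: client certificates are never requested, and the CA list names the node certificate.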
