How to setup account-based Kibana dashboards and indices as part of a larger dashboard?


#1

In planning out a new platform with a dashboard interface, users will need to register for accounts, then login to the dashboard to administer their accounts and other platform activities.

I would like to offer the Kibana interface as one of those options.

I come from a RDMS background so was initially thinking to do user maintenance in SQL Server, however if I want user-based access to Kibana (where users have their own indices, no access across users' indices), I'm guessing this is not an option, correct?

Even if the dashboard is written in .Net, I can setup Kibana with SSO, correct? The user would sign into the dashboard, and when they select the Kibana interface, their credentials would be used and limit them to their own index for data analysis.

Does this sound correct? (specifically about where to do the user management - in an ES index, not externally)


(Matt Bargar) #2

Kibana X-Pack security doesn't currently support SSO, but Elasticsearch does. You could potentially disable the security plugin in Kibana and use a proxy to accomplish whatever login redirects or custom header magic that needs to be done to authenticate the user with Elasticsearch. The stack would still be secure, all of the actual authentication/authorization happens in Elasticsearch, the Kibana security plugin just provides a nice login screen and some user/role management pages.

However, before doing all that, you'll need to think through whether this will provide the user experience you desire. Kibana doesn't have much support for multi-tenancy yet. All of the metadata for Kibana Dashboards, Saved Searches, and Visualizations is stored in a single .kibana index which all users have access to. So while you can certainly lock down each user's data indices, all users will be able to see and modify (if you give them write access for creating dashboards and such) what's in .kibana. The only way to truly isolate users right now is to stand up a Kibana instance for each user which of course is impractical if you have many users.


#3

In a related question, the following was suggested:

A simple way to do this would be to start multiple containers using the official Docker image1 and to set different KIBANA_INDEX and SERVER_NAME environment variables for each.

I would need to have a separate .kibana file for each user in this case, correct?

I didn't know much about Docker until today, but it seems like spinning up a new docker image for each user is also not a very good option, correct?

Is it possible to target/expose certain Kibana visualizations - call them up through some API requests?

As I wanted to include Kibana as part of a larger over-all dashboard/platform (most-likely written in .Net), the application abstraction layer can add user ID's to every request before it's received by ElasticSearch or Kibana.

Does this sound anything close to the beginning of a solution, and if so how?


(Matt Bargar) #4

If you have more than a handful of users, creating a separate container for each wouldn't be scalable IMO.

If you simply want to embed individual Kibana visualizations or dashboards inside a larger dashboard, you could achieve this with the embedded share functionality.

However Kibana doesn't currently have a concept of user owned visualizations or dashboards. So you'd need to enforce some sort of naming convention if you want to automatically show users their associated visualizations. Users would still technically have access to .kibana but they wouldn't see the rest of the UI in these embedded visualizations.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.