Is it possible?

We have a PoC installation with ES/Kibana/SG to simulate a multitenant environment with data and dashboard separation. We have our own solution (let's call it CVS) for chart presentation, created by ourselves, with additional functionality we cannot abandon.
I wonder if the following solution is possible:

  1. user logs in to CVS
  2. in CVS there is a widget which has to provide Kibana content - CVS knows who is logged in
  3. CVS prepares a JWT token for the logged-in user and via the widget logs into Kibana - as I understand it, I have to install and activate X-Pack for JWT authentication
  4. now the most important part: CVS creates via API the following DLS/FLS filter for this user:

```json
{
  "bool": {
    "must": {
      "terms": {
        "domain_name": [
          "domain1.com",
          "domain2.com"
        ]
      }
    }
  }
}
```

     we want to restrict data access to only what is proper for the logged-in user
  5. the logged-in user cannot change this DLS/FLS filter
  6. after logout/session timeout the DLS/FLS filter is forgotten.

Another point I'm not sure about: if the described solution is possible, is it possible to log in several users with different DLS/FLS filters?

The main idea is to:

  1. not use SearchGuard
  2. make user management in ES/Kibana as easy as possible
  3. have only 3 accounts in Kibana: a kind of admin, a kind of advanced user (analyst), a kind of ordinary user

Hi LesioS, I'm not entirely sure I followed what you're trying to do, but there are a few ways to integrate with Kibana.

One is to write a custom Kibana application. To do this, you'll need to write your own plugin. It's unfortunately not a super well documented or well supported feature, but you can do it! I think the best place to start is to see how Kibana's internal applications are written. Here's one:

Alternatively, you can write a standalone application that itself calls Elasticsearch or Kibana's APIs directly. This is probably as involved, if not more involved, than writing your own plugin. If you write a Kibana plugin / app, Kibana will ensure your app knows what user is logged in.

I assume you've got this bit covered :slight_smile:

This is probably possible, but it's a vague requirement, and the options all have tradeoffs, so I can't be sure whether any of them would suit your needs.

Kibana isn't really designed to be embedded in another app, but you can pull dashboards in with an iframe. That would be my starting point.

Right now, that's not going to be easy. X-Pack doesn't do JWT right now, and even if you build it as a custom realm, you need to convince Kibana to accept it and pass it through to Elasticsearch.

The simplest path for my thinking would be:

  1. you create a custom ES security realm that handles your security tokens/trusts CVS. See this blog
  2. You may need to pass those tokens using HTTP basic authentication, even if the "password" is actually a token, or a base64-signature or something. Kibana doesn't really care, it just passes it to Elasticsearch, but you need to convince Kibana that the request has credentials.
  3. The tricky part is getting the credentials to Kibana - especially if you're embedding via an iframe. The only solution I can think of is to use javascript to POST them to the Kibana login handler. But one of the Kibana engineers might have ideas for other options.

The other option that's possible is to put a proxy in front of Kibana that creates the basic auth token for you. Depending on the technology stack you're working with, you might be able to make something work there.
Here's a blog post on using a proxy to automatically login to Kibana although that example uses a static password, and you would want to pass your CVS security token.

This is easy enough. There's two options that could work.

  1. Use a templated role query. If you have a custom realm, you just need to populate the user's metadata with the domains they're supposed to have access to, and then use that in the DLS template.
  2. In the blog post I linked to above, it uses a custom role provider to dynamically create a role for each user based on data that was provided in the security token. You could do something similar.

As long as you don't give them manage_security access, they cannot edit their roles.

What specifically are you looking for here?
Elasticsearch keeps caches for users' roles, etc., but they will get evicted as required.
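Putting the pieces of the reply above (and the filter from the original question) into working code, as an added example that is not part of the original thread and not Elastic's or CVS's own code: CVS mints a short-lived signed token (an assumed HMAC format, not anything X-Pack ships), the token travels to Kibana as the "password" of an HTTP Basic credential, and a role with a templated DLS query reads the domains the custom realm would place in the user's metadata. The `_user.metadata.domains` key, the `cvs_user` role name, the `cvs-*` index pattern and the shared secret are all assumptions. `render_role_query` is only a local approximation of how Elasticsearch expands the `toJson` template, included so the effective per-user filter can be previewed before the role is installed; it is not the Elasticsearch implementation.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Assumed shared secret between CVS and the custom Elasticsearch realm
# (in practice: a random 32+ byte value loaded from the keystore, never hard-coded).
CVS_REALM_SECRET = b"replace-me-with-a-random-32-byte-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cvs_token(username, domains, secret=CVS_REALM_SECRET, ttl=900, now=None):
    """CVS side: mint a short-lived token carrying the user's allowed domains.
    Assumed format: base64url(payload JSON) '.' base64url(HMAC-SHA256(payload))."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": username, "domains": sorted(domains), "exp": now + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(sig)}"


def verify_cvs_token(token, secret=CVS_REALM_SECRET, now=None):
    """Realm side: check the signature (constant-time compare) and the expiry.
    Returns the claims dict, or None for anything malformed, forged or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def basic_auth_header(username, token):
    """The credential Kibana forwards to Elasticsearch: HTTP Basic, where the
    'password' is the CVS token rather than a real password."""
    return "Basic " + base64.b64encode(f"{username}:{token}".encode()).decode()


def cvs_user_role(index_pattern="cvs-*"):
    """Body for PUT /_security/role/cvs_user (assumed name). The DLS query is a
    template reading `_user.metadata.domains` (assumed key), which the custom realm
    sets from the verified token. No manage_security, so users cannot edit the role."""
    source = '{"terms": {"domain_name": {{#toJson}}_user.metadata.domains{{/toJson}}}}'
    return {
        "indices": [{
            "names": [index_pattern],
            "privileges": ["read", "view_index_metadata"],
            "query": {"template": {"source": source}},
        }]
    }


_TOJSON = re.compile(r"\{\{#toJson\}\}_user\.metadata\.(\w+)\{\{/toJson\}\}")


def render_role_query(template_source, user_metadata):
    """Local approximation of Elasticsearch's template expansion, used to preview
    the effective per-user filter before installing the role."""
    rendered = _TOJSON.sub(lambda m: json.dumps(user_metadata[m.group(1)]), template_source)
    return json.loads(rendered)


if __name__ == "__main__":
    token = issue_cvs_token("alice", ["domain2.com", "domain1.com"])
    claims = verify_cvs_token(token)
    print(basic_auth_header("alice", token))
    role = cvs_user_role()
    print(json.dumps(role, indent=2))
    print(render_role_query(role["indices"][0]["query"]["template"]["source"],
                            {"domains": claims["domains"]}))
```

The role body is installed once by an administrator; per-user scoping then comes entirely from the metadata the realm sets at authentication time, so a new tenant needs no new role, and a token that fails `verify_cvs_token` (forged, expired, or wrong secret) never produces metadata at all. Because the token rides in the Basic header, the CVS-to-Kibana hop and the iframe page must be HTTPS, and the TTL should be short enough that a captured header is not useful for long.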

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.