Kibana 7.17 dashboard URL in iframe sid cookie getting rejected by browser

Hi,
I am trying to embed a Kibana dashboard into another URL.
My Kibana URL is dashboard.example.com
My other URL is reports.example.com (SSL enabled)
My Kibana is behind an Apache reverse proxy (SSL is enabled only on the proxy)
I am sending the Authorization header to authenticate to Kibana, as I have enabled basic authentication.
I have set the following in kibana.conf
server.publicBaseUrl: https://dashboard.example.com
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: None
to support cross-domain cookies.
I see in the browser that the response from Kibana sets the SID cookie as
set-cookie: sid=Fe26.2**e1ba7cb84736655fec7072b6c65bad1f0a3f9ec5927e5dfb473b11e742e27950apNm4sUug-u8UdFnBWN2PQdoyoGjU3ptQcaHbBuvovxQ9529BT_Jc6JMka292NyMchgSSs7IIYRlCj0wf5tHa; Secure; HttpOnly; SameSite=None; Path=/

Still, the Mozilla browser rejects the cookie, saying:

  1. Cookie “sid” has been rejected for invalid domain.
  2. Cookie “sid” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read SameSite cookies - HTTP | MDN

Kindly suggest how to troubleshoot this, or any other working solution for this issue?

Hi All,

Request you to please check my post and suggest a way forward.
Thanks in advance.

Hi, @homesh_joshi

It sounds like you possibly have a configuration issue with your reverse proxy and/or there's an issue with anonymous access.

If you send Authorization: xxx via the proxy you shouldn't receive a sid cookie at all - we don't create a session for HTTP authentication.

I am sending the authorization header to authenticate to kibana as I have enabled basic authentication

Can you clarify exactly what you mean by this? (maybe share a screenshot and/or HAR file).

Hi @wa7son ,

Thank you very much for the reply. Basic authentication is enabled at the Kibana level. My report.example.com is an HTML page with Ajax code which has an iframe src of https://dashboard.example.com, and the same Ajax code sends the Authorization header to satisfy the basic authentication of Kibana. (My proxy is just to offer SSL.) This request (https://dashboard.example.com) hits the Apache reverse proxy, which offers SSL and then reverse-proxies the connection to the Kibana server on http://10.10.10.1:5601/

####My Ajax code####

<!DOCTYPE html>
<html lang="en">
<head>
      <meta charset="UTF-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width, initial-scale=1.0">
      <title>I Frame</title>
</head>
<body>
      <p>Test</p>
      <iframe id="myFrame" height="1000" width="800" ></iframe>
      <div id="myTest" ></div>

      <script src="https://unpkg.com/axios/dist/axios.min.js"></script>
      <script>

            let iframe = document.getElementById("myFrame");
            // Endpoint used by Kibana's own login page; it answers with a JSON
            // body whose "location" field is the path to open after login
            let loginURL = "https://dashboard.example.com/internal/security/login";
            let obj = {
                    providerType: "basic",
                    providerName: "basic",
                    // Dashboard URL to land on after login (embed=true hides the Kibana chrome)
                    currentURL: "https://dashboard.example.com/login?next=%2Fapp%2Fdashboards#/view/cf250a50-aa8b-11ec-93d5-b1e96804a3e4?embed=true&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-15m%2Cto%3Anow))",
                    params: {username: "dashboard", password: "SqpRxhdhdgdJ"}
            }
            // Sent on every axios request, including the login call above
            axios.defaults.headers.common['Authorization'] = "Basic c3dkYXNoYm9hcmQ6U3FwUnhBhdgdfdf==";
            // Kibana rejects state-changing API calls that lack the kbn-xsrf header
            axios.defaults.headers.common['kbn-xsrf'] = "reporting";
            // The login endpoint expects a JSON body; a comma-separated media type is not valid here
            axios.defaults.headers.post['Content-Type'] = 'application/json';
            axios.post(loginURL,obj).then(response => {
                console.log(response);
                // Fetch the post-login location once, then point the iframe at it
                axios.get("https://dashboard.example.com"+response.data.location).then(resp => {
                    iframe.setAttribute("src","https://dashboard.example.com"+response.data.location);
                }).catch(error => {
                    console.log(error);
                });

            }).catch(err => {
                  console.log(err);
            })
      </script>
</body>
</html>

####My Ajax code####

Kindly suggest.
Thanks,
Homesh

Hi @homesh_joshi ,

Thanks for sharing the code, it helps to better understand what you're trying to accomplish. Let's try to go through this together.

The first problem I see is that you're trying to log a user in to Kibana both via the internal/security/login endpoint (the endpoint that Kibana's own login page uses) and via the Authorization HTTP header. These won't work together, and the Authorization header will always win.

The problem is that when you authenticate a user via the Authorization HTTP header, Kibana won't create any session for you: the sid cookie won't be used (and might even be cleared if both the sid cookie and the Authorization header are present). In the embedding/iframe scenario you might not need a session at all, but this header should be attached to every request, and you cannot really do this without a proxy that would do that for you.

But what you're doing can actually be done better with the built-in Anonymous access. This way you will configure the credentials in kibana.yml and won't need them right in the HTML (which is obviously not recommended). Would that work for you?

Best,
Oleg

Hi @azasypkin ,

Thanks a lot for the reply. You made the thing very clear. Now I have enabled anonymous access and am successfully able to embed the dashboard. However, a smart user will copy the iframe source URL and then view the Kibana dashboard page to check other available dashboards. How can I restrict the user from listing all the available dashboards?

Thanks,
Homesh

You can just:

  1. Move this "public" dashboard to a dedicated "Public" space
  2. Create a role that gives access to dashboards only in this "Public" space
  3. Assign this role to the user you use as the anonymous service account.

This way anonymous users will only be allowed to access dashboards created in the "Public" space (even if tech-savvy users try to change the URL, it won't help). Check this out: Kibana security: Access management, spaces, and feature controls | Elastic Videos and Kibana role management | Kibana Guide [8.11] | Elastic
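As an added example (not code from the thread or from Elastic), the three steps above and the earlier suggestion to move the credentials out of the HTML, expressed as a Python script: it builds the kibana.yml anonymous-provider fragment plus the Kibana Spaces and role API payloads, and can push the latter two. The space id, role name, index pattern and admin credentials are assumed placeholders; assigning the role to the service account is done in Elasticsearch and is not shown.

```python
"""Kibana 7.17: anonymous access scoped to one dashboard-only space.

Added example. Assumes Kibana's Spaces API (POST /api/spaces/space) and
role API (PUT /api/security/role/<name>); space id, role name, index
pattern and admin credentials are constructed placeholders.
"""
import json
import urllib.request

KIBANA = "https://dashboard.example.com"                    # host from the thread
SPACE_ID, ROLE_NAME = "public", "public_dashboards_reader"  # constructed names


def anonymous_provider_yaml(username, password):
    """kibana.yml fragment replacing the credentials embedded in the page's HTML.
    The anonymous provider logs every visitor in as the service account;
    basic stays available (order 1) for administrators."""
    return "\n".join([
        "xpack.security.authc.providers:",
        "  anonymous.anonymous1:",
        "    order: 0",
        "    credentials:",
        f'      username: "{username}"',
        f'      password: "{password}"',
        "  basic.basic1:",
        "    order: 1",
    ])


def public_space():
    # Dedicated space; objects outside it are unreachable for the role below
    return {"id": SPACE_ID, "name": "Public", "disabledFeatures": []}


def dashboard_reader_role():
    # Read-only Dashboard feature privilege, in the public space only. No base
    # privilege, so no other Kibana feature and no other space is granted.
    return {"elasticsearch": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
            "kibana": [{"base": [], "feature": {"dashboard": ["read"]}, "spaces": [SPACE_ID]}]}


def apply(admin_auth_header):
    """Create the space and role via the Kibana API (kbn-xsrf is mandatory)."""
    for method, path, body in [("POST", "/api/spaces/space", public_space()),
                               ("PUT", f"/api/security/role/{ROLE_NAME}", dashboard_reader_role())]:
        req = urllib.request.Request(KIBANA + path, data=json.dumps(body).encode(), method=method,
                                     headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                                              "Authorization": admin_auth_header})
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)
```

Run `apply("Basic <admin-credentials>")` once from an admin workstation; the embedding page then needs no Authorization header or login call at all.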

Hi @azasypkin ,

Thanks a lot for the valuable information and support. I have gone through the webinar. It was really helpful. However, after doing the configuration as suggested, I realized that users will be restricted to all the dashboards available within the new public space. What I wish to do, ideally, is to have a separate space for each user and also to embed a separate dashboard for each user. I do not want users to get access to each other's dashboards. However, I think I can manage with a single Space with the plan below.

  1. Create new role "DashRole"
  2. Create new space "dashboard"
  3. Create anonymous user "anonymous1"
  4. Create all the dashboards under Space "dashboard"
  5. Prevent user from listing all the available dashboards within Space "dashboard"
  6. If user sends request on exact dashboard (i.e. user knows UUID of dashboard) then only load the dashboard

Please suggest on points #5 & #6.
For point #5, if I disable the features "Dashboard" and "Visualize Library" from the Space and at the same time allow access in the Role, then the Dashboard URL does not work (referring to Space-control-feature).

Kindly suggest.

Thanks,
Homesh

Well, that sounds like you want normal RBAC, not anonymous access. And the only way to make sure one user cannot really access the content of other users is to force them to provide some sort of credentials (either username/password or integrate with SSO).

  1. Prevent user from listing all the available dashboards within Space "dashboard"
  2. If user sends request on exact dashboard (i.e. user knows UUID of dashboard) then only load the dashboard

Unfortunately, this is currently not possible in Kibana. You either give access to all dashboards in a particular Space, or to no dashboards in this space at all. Basically, Space-level access is as granular as you can get today, until we implement Object Level Security · Issue #39259 · elastic/kibana · GitHub.

Best,
Oleg

Hi @azasypkin ,

Thanks a lot for the reply. Yes, I agree with you that my requirement will need normal RBAC. Since SSO is not an option with the Basic license, my users need to do the Kibana authentication. I will see if I can automate that with some JS. Thanks a lot for all the help.
