Hi,
I am trying to embed a Kibana dashboard into another URL.
My Kibana URL is dashboard.example.com
My other URL is reports.example.com (SSL enabled)
My Kibana is behind an Apache reverse proxy (SSL is enabled only on the proxy).
I am sending the Authorization header to authenticate to Kibana, as I have enabled basic authentication.
I have set the following in kibana.conf
server.publicBaseUrl: https://dashboard.example.com
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: None
to support cross-domain cookies.
I see in the browser that the response from Kibana sets the cookie sid as
set-cookie: sid=Fe26.2**e1ba7cb84736655fec7072b6c65bad1f0a3f9ec5927e5dfb473b11e742e27950apNm4sUug-u8UdFnBWN2PQdoyoGjU3ptQcaHbBuvovxQ9529BT_Jc6JMka292NyMchgSSs7IIYRlCj0wf5tHa; Secure; HttpOnly; SameSite=None; Path=/
Still, the Mozilla browser rejects the cookie, saying
Cookie “sid” has been rejected for invalid domain.
Cookie “sid” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite” attribute, read SameSite cookies - HTTP | MDN
Kindly suggest how to troubleshoot this, or any other working solution for this issue?
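A check that is not part of the thread: this added Python helper parses a Set-Cookie header like the one quoted above and reports which of the browser's cross-site iframe requirements (Secure, SameSite=None, and a Domain attribute that covers the responding host) it misses. The sample header is constructed, modelled on the sid cookie above with the value shortened; the host names are the thread's.

```python
"""Check whether a Set-Cookie header satisfies the browser rules for a cookie
that must survive inside a cross-site iframe (the Kibana-behind-proxy case).
Added example, not Kibana or Elastic code."""

# Constructed sample modelled on the thread's sid cookie (value shortened).
SAMPLE = "sid=Fe26.2**abc123; Secure; HttpOnly; SameSite=None; Path=/"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr: value}); attribute
    names are lower-cased and flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: the host equals the domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    h = request_host.lower()
    return h == d or h.endswith("." + d)


def cross_site_problems(header, response_host, https=True):
    """Return the reasons a browser would reject (or soon reject) the cookie
    when it is set from a third-party iframe; an empty list means it looks fine."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    samesite = attrs.get("samesite")
    samesite = samesite.lower() if isinstance(samesite, str) else None
    if samesite != "none":
        problems.append(f"{name}: SameSite is {samesite or 'unset (defaults to Lax)'}; "
                        "a cookie used inside a cross-site iframe needs SameSite=None")
    if samesite == "none" and attrs.get("secure") is not True:
        problems.append(f"{name}: SameSite=None requires the Secure attribute")
    if attrs.get("secure") is True and not https:
        problems.append(f"{name}: Secure cookie set on a plain-HTTP response is dropped")
    domain = attrs.get("domain")
    if isinstance(domain, str) and not domain_matches(response_host, domain):
        problems.append(f"{name}: Domain={domain} does not cover {response_host} (invalid domain)")
    return problems


if __name__ == "__main__":
    print(cross_site_problems(SAMPLE, "dashboard.example.com") or "cookie attributes look fine")
```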
Thank you very much for the reply. Basic authentication is enabled at the Kibana level. My report.example.com is an HTML page with AJAX code which has an iframe with src https://dashboard.example.com, and the same AJAX code sends the Authorization header to satisfy Kibana's basic authentication. (My proxy is just there to offer SSL.) This request (https://dashboard.example.com) hits the Apache reverse proxy, which offers SSL and then reverse-proxies the connection to the Kibana server on http://10.10.10.1:5601/
Thanks for sharing the code, it helps to better understand what you're trying to accomplish. Let's try to go through this together.
The first problem I see is that you're trying to log in the user to Kibana using both the internal/security/login endpoint (the endpoint that Kibana's own login page uses) and the Authorization HTTP header. These won't work together, and the Authorization header will always win.
The problem is that when you authenticate a user via the Authorization HTTP header, Kibana won't create any session for you; the sid cookie won't be used (and might even be cleared if both the sid cookie and the Authorization header are present). In the embedding/iframe scenario you might not need a session at all, but this header should be attached to every request, and you cannot really do this without a proxy that would do that for you.
But what you're doing can actually be done better with the built-in Anonymous access. This way you will configure credentials in kibana.yml and won't need them right in the HTML (which is obviously not recommended). Would that work for you?
Thanks a lot for the reply. You made the thing very clear. Now I have enabled the anonymous access and am successfully able to embed the dashboard. However, a smart user will copy the iframe source URL and then view the Kibana dashboard page to check other available dashboards. How can I restrict the user from listing all the available dashboards?
Thanks a lot for the valuable information and support. I have gone through the webinar; it was really helpful. However, after doing the configuration as suggested, I realized that users will be restricted to all the dashboards available in the new public space. What I ideally wish for is to have a separate space for each user and also to embed a separate dashboard for each user. I do not want users to get access to each other's dashboards. However, I think I can manage with a single Space with the plan below.
1. Create new role "DashRole"
2. Create new space "dashboard"
3. Create anonymous user "anonymous1"
4. Create all the dashboards under Space "dashboard"
5. Prevent the user from listing all the available dashboards within Space "dashboard"
6. Load the dashboard only if the user sends a request for the exact dashboard (i.e. the user knows the UUID of the dashboard)
Please suggest on points #5 & #6.
For point #5, if I disable the features "Dashboard" and "Visualize Library" from the Space and at the same time allow access in the Role, then the Dashboard URL does not work. (referring to Space-control-feature
Well, that sounds like you want normal RBAC, not anonymous access. And the only way to make sure one user cannot really access another user's content is to force them to provide some sort of credentials (either username/password or integration with SSO).
5. Prevent the user from listing all the available dashboards within Space "dashboard"
6. Load the dashboard only if the user sends a request for the exact dashboard (i.e. the user knows the UUID of the dashboard)
Unfortunately, this is currently not possible in Kibana. You either give access to all dashboards in a particular Space, or to no dashboards in this space at all. Basically, Space-level access is as granular as you can get today until we implement Object Level Security · Issue #39259 · elastic/kibana · GitHub.
Thanks a lot for the reply. Yes, I agree with you that my requirement will need normal RBAC; since SSO is not an option with the Basic license, my users need to do the Kibana authentication. I will see if I can automate that with some JS. Thanks a lot for all the help.