Kibana: Bypass Authentication for iframes to share in dashboard


(Rishabh) #1

I am using Kibana v6.4.3. I want to share the visualizations created in Kibana as iframes, but I don't want the user to authenticate to see the dashboards. I read that by hitting the POST API - /api/security/v1/login, we get a session_id (sid) which can authenticate the user. I am able to get the session_id, but when I pass the same in session storage in my browser, Kibana asks for login. Username and password are passed in the request body. Please let me know what the issue is.


(Bhavya R M) #2

Hi,

Can you go through this thread and see if it helps? We have had a few discuss posts about it.

If it doesn't work - let me know.

Thanks,
Bhavya


(Rishabh) #3

Hi @bhavyarm,

I have already gone through these discussions. I am able to get the Kibana server to respond with the cookie header, but when I set the same in my browser's session storage manually and try running my iframes code, Kibana's login screen is shown.

Is there any issue in my workaround?

Thanks,
Rishabh


(Rishabh) #4

Hi @bhavyarm,

What I am trying to do is integrate these Kibana iframes into my web application. Suppose it's hosted on https://xyz.com, and the iframes load an external page of Kibana, https://abckibana.com. How can I set the cookie to the URL from the iframe, i.e., Kibana's URL?


(Bhavya R M) #5

@azasypkin can we please get some help here?

Thanks,
Bhavya


(Rishabh) #6

Hi @azasypkin @bhavyarm

Please address the issue in this thread.

Can this be a valid approach to log in to the Kibana iframe?

As the user enters my web-app URL, he is redirected to the Kibana endpoint, where I can make the login API call to get the session cookie. Now, after getting and setting the cookie, I can redirect the user back to my web-app URL. This is just a workaround which I think might work.

Please share your views or a better solution to get this to work.

I have seen so many discussion threads where developers are getting stuck with the same issue. There is no proper Elasticsearch documentation to address this.


#7

Hi @rishabh1,

I think the common way to solve this right now is to use a proxy in front of Kibana, see Auto-authenticating to iframe-embedded Kibana dashboard. Doesn't that work for you?

Best,
Oleg


(Rishabh) #8

Hi @azasypkin,

I tried to set a proxy in front of Kibana, but in that case it gives me:

{"ok":false,"message":"Unknown cluster."}

I also tried to pass the below-mentioned proxy header as well:

proxy_set_header X-Found-Cluster <cluster-id>;

For cluster-id, I passed the cloud-id provided on elastic-search cloud. I would like to mention that I am using elastic-search and Kibana's cloud deployment environment. How can I make this work?

Best,
Rishabh


#9

> For cluster-id, I passed the cloud-id, provided on elastic-search cloud. I would like to mention that I am using elastic-search and Kibana's cloud deployment environment. How can I make this work?

Hmm, I think cloud-id isn't the same as cluster id. I haven't used Kibana in Cloud much, but I guess the cluster id is the first part of the Kibana URL, see https://www.elastic.co/guide/en/cloud-enterprise/current/ece-administering-endpoints.html.


(Rishabh) #10

Hi @azasypkin,

I passed the cluster-id as per the link, but still I get the same error.


#11

Hi @rishabh1,

I just set up Kibana in Cloud and accessed it through nginx with the cluster-id "extracted" from the Kibana endpoint URL - everything worked as expected for me. Please double check that you haven't accidentally mistyped the cluster-id. If your nginx config is correct, but it still doesn't work, there may be a different issue; hard to say without any debug info.


(Rishabh) #12

@azasypkin

So my Kibana cloud URL is https://6786d9147a9848f9a0fe0cf7a71a7945.us-east-1.aws.found.io:9243, so my cluster id will be 6786d9147a9848f9a0fe0cf7a71a7945

Also, it would be a great help if you can share your nginx config; maybe there is an issue in reverse proxying Kibana in my web app.

Best,
Rishabh


(Rishabh) #13

@azasypkin

Below is the nginx config I am using

server {
        listen 443 default_server ssl;
        server_name analytics-lms.xxxxx.com;

        ssl_certificate         /etc/certs/ssl.com/xxxxx;
        ssl_certificate_key     /etc/certs/ssl.com/xxxxx;

        ssl_prefer_server_ciphers On;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:xxxxxxxx:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

        root /var/www/html/xxxxxxxx/xxxxx/;
        index index.html index.htm;

        location /{
                root /var/www/html/xxxxxxxx/xxxxx/;
                index index.html;

                proxy_set_header  X-Found-Cluster "6786d9147a9848f9a0fe0cf7a71a7945";
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP $remote_addr;
                proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass https://6786d9147a9848f9a0fe0cf7a71a7945.us-east-1.aws.found.io:9243;
                proxy_set_header Authorization "Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
        }
}

#14

> So my Kibana cloud URL is https://6786d9147a9848f9a0fe0cf7a71a7945.us-east-1.aws.found.io:9243, so my cluster id will be 6786d9147a9848f9a0fe0cf7a71a7945

Yeah, looks correct.

> Also, it would be a great help if you can share your nginx config; maybe there is an issue in reverse proxying Kibana in my web app.

Here are the relevant bits from my test config (I don't use TLS in nginx and it's probably easier to make it work without TLS first):

http {
    ......

    server {
        listen       80;
        server_name  localhost;

        location / {
            proxy_pass https://{some-cluster-id}.europe-west3.gcp.cloud.es.io:9243;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Found-Cluster {some-cluster-id};
            proxy_set_header Authorization "Basic {string generated from `echo -n username:password | base64`}";
            proxy_cache_bypass $http_upgrade;
        }
    }
    ....
}

(Rishabh) #15

@azasypkin

Thanks for the help.

Using the above nginx configuration, it redirects me to https://analytics.com/app/kibana, which opens Kibana's web application rather than opening my web application and showing charts in iframes?

If we are able to solve this, my web app would work just fine :)

Best,
Rishabh


#16

Well, I'm not sure I understand what you're trying to achieve then, I thought you have your web app that is hosted somewhere, then in your app you create iframes (see screenshot below) that point to the cloud Kibana through nginx proxy that automatically authenticates users.

[Screenshot from 2018-12-04 10-19-27]

Is that correct? If yes, what doesn't work?


(Rishabh) #17

@azasypkin

That is exactly what I am looking for, but when I hit my web app URL (https://analytics.com) it should open my web application and the iframes should be visible in my web app, right?
But instead of that, it automatically redirects me to the URL (https://analytics.com/app/kibana), which shows Kibana's web app's home page, not my web app's.


#18

> That is exactly what I am looking for, but when I hit my web app URL (https://analytics.com) it should open my web application and the iframes should be visible in my web app, right?
> But instead of that, it automatically redirects me to the URL (https://analytics.com/app/kibana)

It sounds like an issue in your nginx config that isn't related to Kibana. Since you use the same domain and path for both your app and Kibana, your proxy may need to define a sub-path (e.g. kib) for Kibana and rewrite it (effectively remove it) before forwarding the request to Kibana, e.g. something like this (didn't verify, so please consult the nginx docs for that):

location /kib {
      .....
      proxy_pass  https://kiaban-cloud-endpoint-url:5601/;
      rewrite ^/kib/(.*)$ /$1 break;
}
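
A consolidated version of the proxy setup discussed in this thread, as an added example that is not any poster's or Elastic's own configuration: the web app stays at `/`, Kibana is proxied only under `/kib/`, and the weak TLS protocol list from the earlier config is not carried over. Assumptions: `CLUSTER_ID`, `REGION_HOST`, the host name and all file paths are placeholders; Kibana is configured with `server.basePath: "/kib"` so the links it generates keep the prefix that the proxy strips; and the injected credentials belong to a dedicated account with read-only privileges, because every visitor who can reach `/kib/` acts as that account.

```nginx
# Added example with constructed values. CLUSTER_ID, REGION_HOST, the host
# name and the file paths are placeholders, not values from this thread.
server {
    listen 443 ssl;
    server_name analytics.example.com;                 # placeholder host name

    ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder path
    ssl_protocols TLSv1.2;                             # no SSLv3, TLSv1 or TLSv1.1

    # The web application itself: served from disk, never proxied.
    location / {
        root  /var/www/html/webapp;                    # placeholder path
        index index.html;
    }

    # Bare /kib gets a trailing slash so the prefix location below matches.
    location = /kib {
        return 301 /kib/;
    }

    # Kibana is reachable only below /kib/; the iframes point here.
    location /kib/ {
        # Strip the prefix before forwarding (assumes server.basePath "/kib").
        rewrite ^/kib/(.*)$ /$1 break;
        proxy_pass https://CLUSTER_ID.REGION_HOST:9243;

        # Verify the upstream certificate before sending credentials to it.
        # The CA bundle path is an assumption (Debian/Ubuntu location).
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Found-Cluster CLUSTER_ID;

        # Keep the credential out of the main config. The included file
        # (hypothetical path, readable only by the nginx user) holds one line:
        #   proxy_set_header Authorization "Basic <base64 of user:password>";
        include /etc/nginx/secrets/kibana_embed_auth.conf;

        # Only pages served from this same origin may frame the proxied Kibana.
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
    }
}
```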