Kibana embedded authentication

Hi,

I have a question regarding authenticating Kibana embedded dashboards in another web app and would be grateful if someone could point me in the right direction.

Our current setup is Nginx -> Reverse Proxy -> Kibana and this part is working great when using Kibana on its own. We have our own customer app on the same server hosted by Nginx and I am attempting to embed some dashboards from Kibana inside this app.

As it stands, each customer has their own space in Kibana.

For extra clarity we are using stack version 7.6 and we're on a BASIC licence right now.

So far I have successfully embedded an iframe as per the documentation and I set up BASIC auth in our nginx config file and the mechanism does work, however I have found the following problems:

  • I can only set the BASIC auth key in the Nginx config instead of at runtime - this means anyone with the hostname can access Kibana. I've tried locking it down in the kibana group config but I need to leave enough access for the dashboards to work but this exposes customer data.

  • Setting aside security concerns, the setup above is good for one customer/space, but I need a lot of them. I had considered a hostname per customer/space and I could live with that but I'd be back to the same security problem.

I have also considered hosting kibana on a server behind our public webservers and then making requests internally although I'd have to figure out how to make this work with an iframe (which is probably out of the scope of this topic).

I am a relatively new user to the ELK stack so it could be my lack of understanding and so I thought it wise to ask others before I get in too deep in the wrong direction.

Has anyone ever come up with a solution to this problem? If so I would appreciate any tips/comments to point me in the right direction.

Side note: I am aware there are more authentication options in a higher licence of ELK but at the moment my company won't justify purchasing a licence - although if that is my only option then I'll have to report that back as such.

Thanks in advance
Mark

Hey @MarkBreecher, welcome to the discussion boards.

Thanks so much for your detailed question and explanation of your current setup. This makes it so much easier to help!

As you've painfully discovered, putting a proxy in front of Kibana only gets you so far in terms of authenticating to Kibana. I haven't come across an implementation that scales to what you're trying to do. At the end of the day, coding this into the proxy still leaves you open to anyone accessing Kibana if they can guess the hostname / path, unless you have the proxy issue an auth challenge to the user, which you then forward to Kibana. I assume this defeats the purpose of the entire setup though :smile:

In my opinion the "proper" solution is to take advantage of an SSO integration, which you rightly noted is part of a higher license level.

> I have also considered hosting kibana on a server behind our public webservers and then making requests internally although I'd have to figure out how to make this work with an iframe (which is probably out of the scope of this topic).

This could potentially work, since your servers would be the gatekeepers to the Kibana instance. I don't foresee this being too problematic from Kibana's perspective with respect to embedding, but we're happy to help if you do try this and run into issues.

Hi Larry,

Thank you for your reply. I am going to try the webserver behind a webserver approach and see how that goes. Hopefully that will work well enough for now until such time we can upgrade our licence.

Thanks
Mark
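
The "gatekeeper" arrangement discussed in this thread, sketched as an nginx configuration with the static-credential setup beside a per-request check. This is an added example, not part of the original posts and not Elastic's recommended configuration. The hostname, certificate paths, ports, the `/internal/kibana-auth` endpoint and the `X-Kibana-Authorization` header are assumptions, as is Kibana listening only on loopback with `server.basePath` set to `/kibana`.

```nginx
# Before (the setup described in the thread): one credential baked into the
# config, so every visitor who reaches this path is the same Kibana user.
#
# location /kibana/ {
#     proxy_set_header Authorization "Basic <base64 of user:password>";
#     proxy_pass http://127.0.0.1:5601/;
# }

# After: nginx asks the customer app to vouch for every request.
server {
    listen 443 ssl;
    server_name app.example.com;                      # placeholder hostname
    ssl_certificate     /etc/nginx/tls/app.crt;       # placeholder paths
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Subrequest target. "internal" means clients cannot call it directly.
    location = /_kibana_auth {
        internal;
        # Hypothetical app endpoint: checks the session cookie, confirms the
        # space in X-Original-URI (/kibana/s/<space>/...) belongs to that
        # customer, answers 2xx or 401/403.
        proxy_pass http://127.0.0.1:8080/internal/kibana-auth;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location /kibana/ {
        # Requests without a valid app session never reach Kibana.
        auth_request /_kibana_auth;

        # On success the app returns the Basic credential of a Kibana user
        # whose role is limited to that customer's space (hypothetical
        # response header name).
        auth_request_set $kibana_authz $upstream_http_x_kibana_authorization;

        # Overwrite any Authorization header the browser sent.
        proxy_set_header Authorization $kibana_authz;

        # Kibana itself should not be reachable except through this proxy,
        # e.g. server.host: "127.0.0.1" in kibana.yml.
        proxy_pass http://127.0.0.1:5601/;
    }
}
```

Because the iframe is served from the same host as the app, the browser sends the app's session cookie with each Kibana request, and the per-customer credential stays on the server side.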
