Kibana/ES security: full proxy mode?


It seems like Kibana calls ES APIs directly from the browser, through a proxified ES endpoint (e.g., /kibana/elasticsearch/_mget...). That Kibana ES proxy allows accessing any ES URL, including plugins (e.g., /kibana/elasticsearch/_plugin/kopf/#!/cluster).

This makes it hard to make Kibana secure and "read-only" using a reverse proxy (for those not opting for Shield), and to prevent users from calling ES APIs directly (even though they are proxified by Kibana).

I know that Grafana has a setting "Access" with options:
Proxy = access via Grafana backend, Direct = access directly from browser.

Would it not be possible to have a similar option in Kibana, so Kibana would do server-to-server calls to ES APIs, without exposing all ES functions to end-users?


Our future plans for Kibana are to remove the proxy in favor of a more restricted REST API. Doing so allows for more control over the data and compatibility surface-area with ES.

1 Like
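As an added illustration of the reverse-proxy filtering the question describes (not code from Kibana, Elasticsearch or either poster), the sketch below decides whether a request to the proxied path should be forwarded. The `/kibana/elasticsearch/` prefix comes from the URLs quoted in the thread; the `READ_ONLY` allowlist and the `is_allowed` helper are assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Prefix taken from the URLs quoted in the thread.
PROXY_PREFIX = "/kibana/elasticsearch/"

# Assumed allowlist of (method, final path segment) pairs treated as reads.
# Illustrative only: derive the real set from what your Kibana version requests.
READ_ONLY = {
    ("GET", "_mget"), ("POST", "_mget"),
    ("GET", "_search"), ("POST", "_search"),
    ("GET", "_msearch"), ("POST", "_msearch"),
}


def is_allowed(method: str, raw_url: str) -> bool:
    """Return True only for an allowlisted read sent through the Kibana ES proxy."""
    path = unquote(urlsplit(raw_url).path)  # query string and fragment are dropped
    # Still encoded after one decode (double encoding), backslash or NUL: refuse.
    if "%" in path or "\\" in path or "\x00" in path:
        return False
    path = posixpath.normpath(path)  # collapse ".", ".." and "//" before matching
    if not path.startswith(PROXY_PREFIX):
        return False
    segments = path[len(PROXY_PREFIX):].split("/")
    # An underscore-prefixed segment anywhere but last (e.g. _plugin) is refused.
    if any(seg.startswith("_") for seg in segments[:-1]):
        return False
    return (method.upper(), segments[-1]) in READ_ONLY
```

The read APIs in the allowlist accept POST bodies, so a filter on HTTP method alone cannot make the proxied endpoint read-only; the decision has to be made on method and normalized path together.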