Kibana Shields

Hello,

I'm trying to create authentication page before accessing Kibana index page,
then access kibana's fonctionnalities (get, delete, update dashboards...) depending on wich role the user have.

I looked on the "Kibana's shields" guide for creating users and roles on Kibana 4
but i don't understand how to do it or wich conf files to update??

Shield is an Elasticsearch plugin, so to configure users and roles, you have to do that in the Elasticsearch config/shield directory (e.g. roles.yml). The Shield guide talks about how to configure users and roles in detail, for instance in the Authorization section: https://www.elastic.co/guide/en/shield/current/authorization.html

All configuration changes in Kibana 4 that are required to work with shield are in kibana.yml, but are limited to configuring the right Kibana username and password to talk to Elasticsearch... the rest is handled by ES+Shield, and are described here: https://www.elastic.co/guide/en/shield/current/_shield_with_kibana_4.html

Note that at present Kibana 4 just presents a basic authentication login screen to users and simply passes those credentials to ES+Shield to authorize (or reject) access to the data. In 4.2, we're working on a dedicated login screen and user session support: https://github.com/elastic/kibana/issues/3904

1 Like

Thanks for the reply,

i created a roles.yml file in /config/shield. this is its content:

# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*': all

# Monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*': all

# Only read operations on indices
user:
  indices:
    '*': read

# Only read operations on indices named events_*
events_user:
  indices:
    'events_*': read

    # Only GET read action on index named events_index
get_user:
  indices:
    'events_index': 'indices:data/read/get'

what i have to do next to see the authentication screen?
And to be able to access kibana through différents roles??

Sorry but the doc is not clear..

Thanks in advance.

In general, there are two places you have to modify:

  1. Shield configuration files living in elasticsearch config/shield directory
    https://www.elastic.co/guide/en/shield/current/_shield_with_kibana_4.html

  2. kibana.yml in your Kibana 4 installation. Instructions here:
    https://www.elastic.co/guide/en/kibana/current/production.html#configuring-kibana-shield

Looking at your roles file, for one, you're still missing the kibana4_server role. Once you have that, make sure to follow instructions in step (2) above.

Hi,

Still not working..
I'm asking for the result of this configuration..
After this config, i have to specify the user and password in the kibana.yml file before each start of Kibana? like this?

# If your Elasticsearch is protected with basic auth, this is the user credentials
# used by the Kibana server to perform maintence on the kibana_index at statup. Your Kibana
# users will still need to authenticate with Elasticsearch (which is proxied thorugh
# the Kibana server)
# kibana_elasticsearch_username: user
# kibana_elasticsearch_password: pass

And i'm asking for the password declaration.. where to configure the user's password??

Ensure the kibana4_server role exists in the roles file.

Then, according to the Shield guide, add a user:

bin/shield/esusers useradd kibana4_server -r kibana4_server

This command will prompt you for the password.

1 Like

This makes sense :smile:
I'll try this later.

Thanks