Limit anonymous user's ability on embedded Kibana dashboard

Elastic Stack Kibana
1

Hi, I'm following this tutorial on Elastic blog to embed Kibana dashboard on my website. I expect only the dashboard to appear using this method. However, the Elasticsearch bar, side bar and some other items also appear.

kibana-dashboard-strange
kibana-dashboard-strange789×340 26.6 KB

The problem with this is that the user can navigate to other dashboards that I'd like to restrict them from accessing.

The steps I follow are:

  1. Create a new user: anomymous_user. Grant it a role with two privileges: (1) Elasticsearch Index privileges (for selected Indices): read, (2) Kibana Custom privileges: Read for Dashboards.
  2. I update the kibana.yml file by adding the anonymous user credentials in the anonymous authentication config. Also, set sameSiteCookies to None.

Is this a problem in generation of iframe or is it something else, any fixes?

2

In the iframe you can prevent UI from showing the sidebar with the embed=true parameter as you can see in this dashboard I have in a public space

https://ela.st/cumbre-vieja-eruption

However, as you can experiment in the dashboard above, nothing prevents you from removing the dashboard path from your browser address bar and accessing any other assets shared in that space with the anonymous user. Of course, it is not self-evident in an iframe, but also not super-hard to guess.