Hi, We have 8.5.2 cluster running with LDAP authentication(xpack security) with basic license. Earlier Versions of Kibana in 7.x
we use the same username and password of elastic to login to kibana but in 8.x versions looks it needs a same elastic uname/pwd to be created agin using _security/user API with the same password of elastic so it passes both kibana and ES authentication.
Can we disable security in Kibana alone to use the same userid/password of elastic to login like in 7.x version of Kibana?
@leandrojmp We are using Elastic basic license (not paid) with httpd proxy LDAP system.
With 7.17 version if we are connecting via kibana it will let us in with the Elastic username and password (any service account associated with the AD group)
But the new 8.x version of Kibana is not allowing us to login with the same uname/password of Elastic.
Earlier teams use their own id to login if they are part of AD group but with 8.x we need to get the uname and password of individuals and added to users for enabling login to them.
Is there any workaround for configuring a service account to kibana so that they can login with their own id and also will single kibana allows multiple logins ? or
is there a way to disable security in kibana alone ?
We don't want the existing system to be disturbed and upgrade to 8.x seamlessly
So your issue is not in Kibana, but with your proxy, you need to check on the proxy software you are using as Kibana has no knowledge of it.
What is the error you are getting? Please share the Kibana log.
Not possible, there is no security in Kibana, the security is configured in Elasticsearch, not in Kibana, Kibana acts as a client to Elasticsearch and the authentication and authorization is done by Elasticsearch.
The service account I mentioned is used by Kibana to authenticate to Elasticsearch, not the users, the users still need.
I'm trying to understand your infrastructure, it looks like in version 7 you didn't have security enabled and the access was controlled by your httpd proxy, but in version 8 security is enabled by default.
Can you share your current kibana.yml and elasticsearch.yml ?
You are correct in your assessment that our version 7x did not have the xpack.security plugin enabled and it seems with version 8x (8.5.2) it defaults to true.
We also do have an http service running on each of the Elasticsearch nodes and they are configured to authenticate users that exist in a specific AD group. The "ad_service_account1" above in the kibana.yml file is in the needed AD group. However, before we were able to log into the Kibana UI with the "ad_service_account1" id, we first had to create that user in Elastic with the security user api (Create or update users API | Elasticsearch Guide [8.5] | Elastic) and assign the user to the admin role.
Is there any way to use the standard "kibana_system" user in the Kibana.yml file and still allow users that exist in an AD group access to the Kibana UI??
These are two different things, Kibana is an Elasticsearch client, the settings elasticsearch.username and elasticsearch.password are the settings where you configure the username and password that Kibana as a client will use to write on its own indices in Elasticsearch.
This is used when you have security enabled and Kibana users still need to authenticate in Elasticsearch.
On the documentation you have this about those settings:
elasticsearch.username and elasticsearch.password
If your Elasticsearch is protected with basic authentication, these settings provide the username and password that the Kibana server uses to perform maintenance on the Kibana index at startup. Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server.
You said you didn't had security enabled in version 7, so you were not authenticating in Elasticsearch, only in your httpd proxy.
Were you using the elasticsearch.username and elastiscearch.password in your settings to talk with the http service running on the Elasticsearch nodes?
No, if you enable security in elasticsearch the users needs to authenticate in elasticsearch, with the basic license the only authentication realm available is the native one, you can't integrate with an active directory without a paid license, so all your users will need to be created in the native realm.
The kibana_system user is used by kibana to write and read in elasticsearch, not to authenticate users. To authenticate users Kibana acts as a proxy as described in the documentation.
Ok, I think I understand. We are currently using Elasticsearch basic authentication and have 2 user IDs setup in Elasticsearch (admin/normal). We have the https service running on all Elasticsearch nodes as well and that is excepting all API calls. The LDAP authentication (AD group membership), is configured in the https service and that will proxy the api call to use the appropriate Elasticsearch user credentials to Elasticsearch service.