Login in Kibana using Custom Realm installed in Elasticsearch

I have created a custom realm for X-Pack which uses a spring-security-oauth2 based web application for authentication and authorization. This realm is working perfectly with Elasticsearch, i.e. the user is only able to do the specific things he is allowed to do. However, I want to access Kibana with such a user in a similar way to Elasticsearch, i.e. my request to Kibana at http://localhost:5601/app/kibana with the headers that I use in the custom realm (User and Authorization) should be authenticated, since the user has a proper access token.

The necessary configuration in ES is shown below (elasticsearch.yml):

xpack.security:
  authc:
    realms:
      springsecurity:
        type: springsecurity
        order: 0

Also, in kibana.yml I have added the necessary configuration for passing the headers from Kibana to Elasticsearch, as shown below:

(kibana.yml)
elasticsearch.requestHeadersWhitelist: ["User", "Authorization"]
xpack.monitoring.elasticsearch.requestHeadersWhitelist: ["User", "Authorization"]

However, this is not working and I am redirected to the Kibana login page again.
Is there something I am missing here?

Hey @sumit_monga,

What authentication schema do you use for the Authorization header (Basic, Bearer etc.)?

At the moment Kibana Security supports only the Basic schema, and if it sees anything else, the user will be redirected to the login page. If you use Bearer, then you can try to disable security in Kibana as explained here: Disable login in Kibana 5.3.

Let me know if you still have questions.

Thanks,
Oleg

Hi @azasypkin,
For OAuth, I am using the Bearer schema for Authorization. However, when using Kibana behind an nginx reverse proxy and passing Authorization with a Basic header for Kibana along with the other headers which are used for OAuth authentication and authorization in Elasticsearch, I am properly logged in to the Kibana screens as the appropriate user configured in the third-party authentication system. I just want to ask, is what I am doing the correct thing?

Hi @sumit_monga,

I'm not entirely sure how you map the user's OAuth token to Basic credentials (that is essentially a base64-encoded username:password pair)?

If your custom realm only needs User and Authorization: Bearer ***, it feels like you don't need Kibana security at all (only ES security with your realm is needed). Am I missing something?

Best,
Oleg

Hi @azasypkin,
I am not mapping the user's OAuth token to Basic credentials. The OAuth token is used to authenticate the user with the third-party application (spring-security) and return the roles this user has in Elasticsearch. This user is then authorized based on these roles. The Basic credentials are only needed to bypass the Kibana login; they are passed as the Authorization header by the reverse proxy. For this, I have changed the whitelisted headers from User and Authorization to Tenant and AccessToken.

Hi @sumit_monga,

I see, it seems that the best solution for you would be to disable security in Kibana (via xpack.security.enabled: false in kibana.yml) and use the User and Authentication: Bearer *** headers forwarded by nginx instead.

Otherwise you may observe weird behavior: if the user can't be authenticated via your custom realm for some reason, then they will act as the user configured in Basic ***, which may or may not be what you want.

Do you have any reason to keep security enabled in Kibana?

Best,
Oleg

@azasypkin that looks right. I think I tried to disable this in Kibana but got some error in the Kibana log which I didn't dig deep into. However, I will give your suggestion a try tomorrow and reply with the outcome.
And if this works, then there is no reason for us to enable security in Kibana.
Thanks for your suggestions.
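As an added example (not part of this thread or of any poster's setup), an nginx server block for the arrangement Oleg recommends: Kibana security disabled in kibana.yml, and the client's own User and Authorization headers passed through to Kibana untouched, so no Basic credentials are injected at the proxy. Kibana on localhost:5601 comes from the thread; the listen port, hostname and certificate paths are assumptions.

```nginx
# Added example: reverse proxy in front of Kibana running with
# xpack.security.enabled: false and the requestHeadersWhitelist from the thread.
# Kibana forwards the whitelisted User and Authorization headers to Elasticsearch,
# where the custom realm validates the Bearer token. Nothing here injects credentials.
server {
    listen 443 ssl;                                  # assumed port
    server_name kibana.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/tls/kibana.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/kibana.key;

    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;

        # nginx passes request headers through by default; these two are restated
        # explicitly so a reviewer can see exactly which headers reach Kibana and,
        # via the whitelist, Elasticsearch.
        proxy_set_header User          $http_user;
        proxy_set_header Authorization $http_authorization;

        # Not done here, for the reason Oleg gives: with Kibana security enabled, a
        # fixed Basic header means every request whose Bearer token the custom realm
        # rejects still acts as that fixed user.
        # proxy_set_header Authorization "Basic <base64 user:password>";
    }
}
```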
