Hi Team,
I have deployed ELK on Kubernetes and am currently using OIDC integration for SSO with an Elastic Platinum license. However, the licensing cost is exceeding our budget. I’m exploring options to exclude the license while still maintaining authentication. Could you please suggest any potential solutions?
I have hound this on internet, but not sure whether it will work or not
How to setup Nginx to Authenticate users for Elasticsearch and Kibana
Thank you in advance!
Hello,
I'm not sure if this is possible. Some features are under paid license.
I have found this on internet
How to setup Nginx to Authenticate users for Elasticsearch and Kibana
please let me know if it is possible.
That article seem to describe how to offload authentication to nginx, which might allow you to set up SSO (have never done so). It does however not enable security in Elasticsearch so you would have no authorisation and all users would be able to do anything. If you need authorisation combined with authentication you need to enable security in Elasticsearch, which requires a commercial license for SSO.
That is not possible, to have OIDC/SSO in Kibana you need a paid license, you still can have authentication in Kibana with the basic license, but you need to use the native realm, where the users are created and managed directly in Elasticsearch.
The tutorial in the link you shared also is not even required anymore, it is jut configuring the basic authentication on NGINX, this can be done directly in Elasticsearch and Kibana with the Basic license.
Be extra careful to know what features you are using, even you might not know you are using them. And that Elastic can and does evolve whats included in each license, e.g. recent a change to synthetic _source, which is now Enterprise only from 8.17+, but was not so before.
On the specific Q, you will know how manageable it is for your own org, and if its even allowed, but just managing auth/access yourself using the built in users/roles/... may be doable, albeit likely a lot of work to setup first time, but on ongoing BAU basis maybe not so horrible, depending on size of team to manage this.
IMO if #users is single figures, easy, if double figures, annoying but possibly doable, if triple figures, that would be "forget it" territory for me..
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.