PKI authentication for Kibana

I set up PKI authentication on Elasticsearch, which is working fine. Client auth is required for all HTTP and transport access to the Elasticsearch cluster from browsers, Logstash, Kibana and other Elasticsearch nodes.

However, I don't see how to require PKI client authentication to access Kibana from a browser. Is PKI authentication to Kibana supported and documented somewhere?

Is this what you are experiencing? https://github.com/elastic/kibana/issues/6119

Seems related maybe, but I'm not really sure what the other ticket is asking for exactly.

I need the users to authenticate using PKI when connecting to Kibana via a browser. I suspect this is a common requirement for government customers.

We have a customer looking to buy X-Pack now, but they want users authenticating using PKI. They probably won't care as much about the servers using PKI to authenticate with each other.

Per that ticket, it doesn't appear PKI authentication is fully supported within Kibana without including the kibana_server credentials in the kibana.yml, which obviously isn't ideal.

It might be possible to put Kibana behind a proxy like Nginx which could augment the certificate with basic auth.
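
The proxy approach suggested above, sketched as an added example that is not part of the original thread or any Elastic documentation. The hostname, file paths, certificate subject and the credential value are placeholders and assumptions; Kibana is assumed to listen on 127.0.0.1:5601 and to accept HTTP basic authentication.

```nginx
# Added example. Belongs inside the http {} context of nginx.conf.

# Map the subject DN of the verified client certificate to a pre-encoded
# base64 "user:password" pair for an existing Elasticsearch user.
# DNs that are not listed map to the empty string and are rejected below.
# Note: $ssl_client_s_dn is in RFC 2253 form on nginx 1.11.6 and later.
map $ssl_client_s_dn $kibana_basic_auth {
    default "";
    # Constructed entry; replace both the DN and the value.
    "CN=alice,OU=Analysts,O=Example" "BASE64_OF_USER_COLON_PASSWORD";
}

server {
    listen 443 ssl;
    server_name kibana.example.internal;             # placeholder

    ssl_certificate        /etc/nginx/tls/kibana-proxy.crt;
    ssl_certificate_key    /etc/nginx/tls/kibana-proxy.key;

    # Require a client certificate that chains to the trusted CA.
    # Requests without a valid certificate never reach Kibana.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;
    # ssl_crl /etc/nginx/tls/client-ca.crl;          # enable if the CA publishes a CRL

    location / {
        # Valid certificate, but no user mapped to it: refuse.
        if ($kibana_basic_auth = "") {
            return 403;
        }

        # Replace any Authorization header sent by the browser with the
        # credentials tied to the certificate subject.
        proxy_set_header Authorization "Basic $kibana_basic_auth";
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:5601;
    }
}
```

The certificate check only holds if port 5601 cannot be reached around the proxy, so bind Kibana to the loopback interface (`server.host` in kibana.yml) or firewall it. The file also holds user credentials and should be readable only by the nginx service account.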

Even if the kibana_server credentials are included in the kibana.yml, we will still need to use a reverse proxy to implement PKI user authentication, correct? This is what I'm seeing in my test.

There is a comment in the kibana.yml file that says "Your Kibana users still need to authenticate with Elasticsearch, which is proxied through the Kibana server." I have Elasticsearch set up to handle PKI auth, and it works well when connecting from a browser directly into Elasticsearch's 9200 port. But when I try to authenticate through Kibana's 5601 port, it will not accept PKI auth, but insists on user/password.

Is there any way to require PKI user authentication for Kibana users without using a proxy?

If DoD were to use ELK as an enterprise solution, Kibana would have to first support PKI authentication. Seems like this would be a worthwhile feature to build into Kibana so that custom solutions do not have to be added to each instance.

http://www.dtic.mil/whs/directives/corres/pdf/852002p.pdf
