QUESTION : Disable access to Kibana Console when using ELK inside a webapp

Elastic Stack Kibana
1

Need some proper guidance on setting up security in ELK.

Problem Definition:

I have a webapp that will display Kibana reports and dashbaords. The ""iframe" url is embedded to various menu/submenu in my app that will display reports.

I am able to get this to work. However, when users go to app.domain.com:5601 they can access the console... this is a serious issue I would like to address.

I want to restrict users from accessing the console and just be able to view kibana reports. Any suggestions appreciated.

I have taken many routes to address this problem with (TLS on ES, and KIbana), securing (Kibana to ES) etc which I am not sure is really addressing my core problem.

Thanks in advance.

2

Can you share a screenshot showing the problem? I'm unsure how the users might be doing this.

Thanks,
Matt

3

kibana-1
kibana-1979×456 9.21 KB

Kibana-Report-shown
Kibana-Report-shown1046×441 23.6 KB

1st screenshot shows , that when I clock on the buttons above (it invokes kibana report)....

2nd shows a working kibana report

  1. shows how when the user updates the url and change it to domainname:5601, then can go to console.

I purposefully did not show the url but I am sure its illustrative.

kibana-wide-open
kibana-wide-open884×640 46.4 KB

Here is what I have done.

  • When I enable xpack.security on elastic and kibana, then, clicking on the report buttons puts me on a login window. I prefer the users authenticated behind the scenes and the reports shows up.

  • I assume, with xpack enabled, the cannot reach the console/management pages by simply going to 5601. I can test it. But wanted to confirm as well.

Thanks in advance.

4

The first thing I recommend is making sure Kibana roles are set appropriately - https://www.elastic.co/guide/en/kibana/current/kibana-role-management.html

Past that, there still may be urls that you want to restrict. I'd recommend using a proxy server in front of kibana to address that.

Thanks,
Matt

5

I am looking for a solution using an API call with an encrypted id/password credentails being passed to access the kibana reports.

In my app, all registered users are OAUTH'd into the app, once they are logged in, they all have access to all reports. So having some sort of API call with a KEY that authenticates and displays the report is ideal.

Any such options/steps you can suggest?

thanks in advance.

6

I assume you've implemented an OAUTH based authentication mechanism. Here are some ways to authenticate with kibana - https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html I'm not sure which options suits your needs best.

7

so I need to have
TLS - between kibana and elastic
TLS- between kibana cluster (currently I don't have a cluster) but if I did...
TLS between client (web browser) and elastic
and then test the API based option?

Is that the list of steps? I have some implemented but would like to know the overall steps to get this accomplished.

8

@tenet_testuser1 Yes, you want security enabled on your ES cluster and between the cluster and Kibana. I would do that first and then work on automating authentication with kibana.

9

@mattkime
Thanks for your pointers... with your help and the amazing post and links in these posts. we were able to achieve what we wanted.

thanks again.

posting the link for my fellow future kibanites...

1 Like
10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.