Restricting kibana access - iframe

Hi,

We have a kibana instance and we are using kibana iframe embedding into our application page. This is working fine, the problem that we are facing is that we have different clients and for every client we have created different dashboards.

Now we know that if we want to bypass login in the iframe we need to use an anonymous user, so I have implemented that as well. So now the anonymous user has access to all dashboards.

What we want to achieve is that the kibana URL shouldn't be accessible from the public network, but it should be accessible from our DNS. For example, let's say our application's URL is abc.com and kibana is mapped to kibana.com.

We want to only access kibana.com when it is accessed from abc.com, i.e. accessed from the iframe; kibana.com should not be accessible from public networks, only from abc.com.

Now I know this is not a typical kibana issue, there is networking which needs to be done, but since I'm stuck on this issue for a very long time, I'm writing here in hopes of getting any kind of help.

By "accessed from abc.com" do you mean if kibana is embedded as an iframe on abc.com ?

You can configure these things using the x-frame-options header (X-Frame-Options - HTTP | MDN), but I'm not sure it's actually what you want - it relies on the client being "honest" about where it's coming from, and it's very easy to circumvent this check.

So is your question about making it impossible to stumble over the other dashboards by accident, or is it about making it impossible for one client to snoop into the dashboards of another client?

If it's the latter, then you will need to implement a proper access control which is possible even within an iframe.

Hi @flash1293,
Yes that's right, I'm embedding the iframe in abc.com and, as we know, we can have only one anonymous provider per kibana instance.
My main concern is that one client may accidentally stumble upon the data of another client and I need to restrict that because the anonymous user has access to all dashboards pertaining to several clients.
Regarding the access control you have mentioned, if you can suggest how to do that it would be really helpful for me.
Or if there is any way to restrict dashboards it would be useful to know as well.

Thanks

It seems like the best approach would be to have a user per client (see Authentication in Kibana | Kibana Guide [8.4] | Elastic), then put the dashboards per client into separate spaces and restrict the user per client to only have access to their respective space. Spaces are the right level of isolation for multi tenancy: Spaces | Kibana Guide [master] | Elastic

Thanks for the response, but in this solution the client would need to login I guess to see the dashboard every time.
I wanted to bypass authentication on the iframe, for bypassing we need to use anonymous authentication and that can only be one per kibana instance.
Is there anything else I can do?

You can do the spaces thing and only send each client to their own space. However, I highly recommend putting proper authentication in place. You can use single sign on approaches if the client is already authenticated elsewhere.

Hi @flash1293 ,
Even if I create spaces for different users, when I use anonymous authentication in iframe, I can only give credentials of one user in the kibana.yml.
Can you explain this a little bit more, maybe I'm not able to understand this properly?

You need to adjust the iframe URL to point to the appropriate space for each user.
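The per-client setup described in the two replies above (one user and one space per client, the role restricted to that space, and the iframe URL pointing at the client's space), as an added example that is not code from the thread or from Elastic. It assumes the Kibana Spaces API (POST /api/spaces/space) and Roles API (PUT /api/security/role/<name>) request body shapes, the `/s/<space-id>/` URL prefix and the `embed=true` query parameter; the Kibana URL, dashboard id and sample roles are placeholders.

```python
import re
from urllib.parse import quote

KIBANA_URL = "https://kibana.example"  # placeholder for the thread's kibana.com


def space_id(client: str) -> str:
    """Derive a space id (lowercase letters, digits and hyphens) from a client name."""
    sid = re.sub(r"[^a-z0-9-]+", "-", client.lower()).strip("-")
    if not sid:
        raise ValueError("client name yields an empty space id")
    return sid


def space_body(client: str) -> dict:
    """Body for POST /api/spaces/space: one space per client."""
    return {"id": space_id(client), "name": client, "disabledFeatures": []}


def role_body(client: str, index_pattern: str) -> dict:
    """Body for PUT /api/security/role/<name>: read-only Kibana access
    scoped to the client's own space, never to "*" (all spaces)."""
    return {
        "elasticsearch": {
            "indices": [{"names": [index_pattern],
                         "privileges": ["read", "view_index_metadata"]}]
        },
        "kibana": [{"base": ["read"], "feature": {}, "spaces": [space_id(client)]}],
    }


def embed_url(client: str, dashboard_id: str) -> str:
    """Iframe src for a client's dashboard, routed through that client's space."""
    return (f"{KIBANA_URL}/s/{space_id(client)}/app/dashboards"
            f"#/view/{quote(dashboard_id)}?embed=true")


def roles_spanning_all_spaces(roles: list) -> list:
    """Audit helper: names of roles whose Kibana privileges apply to every
    space ("*"), which is the shape the single anonymous role in the thread
    ends up with. Input is in the shape GET /api/security/role returns."""
    flagged = []
    for role in roles:
        if any("*" in priv.get("spaces", []) for priv in role.get("kibana", [])):
            flagged.append(role["name"])
    return flagged


# Constructed sample roles (not real data): one space-wide, one per-client.
SAMPLE_ROLES = [
    {"name": "anonymous_dashboards",
     "kibana": [{"base": ["read"], "feature": {}, "spaces": ["*"]}]},
    {"name": "client-a_dashboards",
     "kibana": [{"base": ["read"], "feature": {}, "spaces": ["client-a"]}]},
]
```

Running `roles_spanning_all_spaces` over the real role list is a quick way to confirm no role still grants dashboards across every space.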

Hi @flash1293
I tried that as well, but as there is one anonymous user and one role for that anonymous user, I have to give access to all spaces to that role. So still the client can stumble onto other clients' data.
I'll explain how I have configured anonymous access in iframe, I created a role and gave that role the access to see dashboards. I assigned one user to that role and used that user's credentials in the kibana.yml in auth providers section for anonymous.
I really appreciate your help on this, if there is something else I can try please suggest or if I'm doing this all wrong you can correct me.

Hi @shivendra95,

I have seen examples where Keycloak was configured in front of the Kibana instance. Authentication was disabled in Kibana and SSO was provided with Keycloak. I have not done this myself, but maybe it might be a solution for your problem.

Willem

But even for Keycloak, initially the user needs to be logged in. I don't think in an iframe I will be able to bypass that; the login page would still come up.

If you want to restrict access, then the data source needs to know who's trying to access in the first place. This is a fundamental requirement. I suspect the user is already logged in in your system, you can try to re-use that, with a solution like keycloak in front of Kibana.

Hello,

We have a similar use case to @shivendra95. We would like to know what the recommended approach is for interactive users accessing Kibana embedded in an iframe while ensuring they do not have to explicitly enter passwords, as they are already authenticated in our admin portal. We had planned on using API key authentication with some middleware, but see that it has been deprecated for interactive users.

Some requirements:

  • No one should be able to access our Kibana URL directly (without providing credentials). Must be accessed through our admin portal.
  • Users authenticated in admin portal will not need to enter credentials.

Thanks!