Session management in Kibana server


(Sandhya Kumari) #1

If a user, say Bob, logs in to Kibana and then another user, say Alice, also logs in to Kibana, how does Kibana create dedicated sessions for both of them logged in to Kibana at the same time? Moreover, how does it differentiate those sessions, and how does it kill those sessions when the user logs out of Kibana?


#2

Hi @sandhya_kumari,

If basic authentication is used, then session information is encrypted and stored in the cookie, so it's a purely client-side session. This cookie is sent by the browser with every request, so Kibana can decrypt it and properly authenticate the user.

Depending on the value set in xpack.security.sessionTimeout, the session will auto-expire after a predefined timeout and/or when the user logs out (the session cookie is cleared).

The SAML authentication and logout are more complex; feel free to read through and ask here if you still have any questions.

Best,
Oleg


(Sandhya Kumari) #3

OK, I got it, but when we create a user with the user management API, the POST request goes to, say, localhost:9200/_xpack/security/user/jacknich, which is the port of Elasticsearch. So is the user created in the Kibana server or in Elasticsearch? If Kibana, why are we submitting the request to 9200, and how are those users seen in the Management/security/users tab in Kibana?


(Sandhya Kumari) #4

One more query: you said that it is a purely client-side session, so no session exists on the server. Then how does the Kibana server manage the requests of different users without overlapping them?


#5

OK, I got it, but when we create a user with the user management API, the POST request goes to, say, localhost:9200/_xpack/security/user/jacknich, which is the port of Elasticsearch. So is the user created in the Kibana server or in Elasticsearch? If Kibana, why are we submitting the request to 9200, and how are those users seen in the Management/security/users tab in Kibana?

One more query: you said that it is a purely client-side session, so no session exists on the server. Then how does the Kibana server manage the requests of different users without overlapping them?

When you create a user through the User Management API, all relevant information is stored in Elasticsearch, including the username and password hash. When a user logs in, Kibana encrypts the username/password pair and stores it in the cookie. Then, when Kibana receives subsequent requests, it decrypts the cookie, extracts the user information and asks Elasticsearch to verify whether the username/password pair is correct. If it is, Elasticsearch returns all the information that Kibana may want to know (e.g. user roles).

That's how basic authentication works internally right now; that may, and most likely will, change in the future.

Best,
Oleg
