Shield 2.3.3 & Kibana

security

#1

Hi,

First of all, i use elasticsearch 2.3.3, kibana 4.5.1, shield 2.3.3 and i can't (at least for the moment) upgrade version.

So I'm new with shield and i'd like to :
--> authenticate user without the use of SSL
--> allow or not to use the discover part of kibana
--> allow or not to use the view of some visualization
--> Use the plugin shield for kibana (actually i can't when i launch kibana an error occur on the existence of ssl option)

And all this with the real Native.

I've already created user and roles , and succesfully filter on index.

Would you know how to do this four actions ?

Thx a lot.

Vivien


(Lee Drengenberg) #2

Hi Vivien,

--> authenticate user without the use of SSL

you cannot use Shield in that version without SSL. Here's another post on it;


In the 5.0 stack SSL is not required.

--> allow or not to use the discover part of kibana

There is not any supported way to disable Discover. I think some people have put a proxy in front of Kibana to block requests to /discover, but I don't know any details on that approach.

--> allow or not to use the view of some visualization

I think you could use document level security to create a role which does not have access to some visualizations. I'll try to do this and update with the results.

--> Use the plugin shield for kibana (actually i can't when i launch kibana an error occur on the existence of ssl option)

Yes, you must use SSL with the Kibana Shield plugin in Kibana 4.x.

Regards,
Lee


(Lee Drengenberg) #3

Hi Vivien,

On your question about allowing the use of some visualization, wouldn't you really need to prevent access to the data? Otherwise a user could just create a new visualization and name it something else.

One common approach is to have a second Kibana instance with it's own index (like .kibana and .kibana2). Index patterns, Saved Searches, Visualizations, and Dashboards are all saved in the kibana index, so have two instances allows different groups of users to see different things.

But I did try using document level security since visualizations are documents in the .kibana index.

First I created a query to filter out a single visualization by it's _id field. I used the Dev Tools Console in Kibana 5.0 but it would be "Sense plugin" in Kibana 4.x.

GET /_search
{
  "query": { 
    "bool": { 
      "must_not": [ 
        { "term":  { "_id": "Apache-HTTPD-CPU" }}
      ]
    }
  }
}

Then I created a role namedKibanaCpuRole with that query in it and all privileges on the .kibana* index. See;
https://www.elastic.co/guide/en/shield/current/setting-up-field-and-document-level-security.html

Then I created a user with that role plus a role that has access to the data.
When I log in to Kibana as that user and I go to Visualize, Load, I don't see that visualization. But if I try to save a visualization with that name, I get an error. I don't know if I overwrote the visualization or not.
So, on the surface, from this short test, it appeared to work. But again, this doesn't prevent me from creating a visualization that displays the exact same data.

The docs page I referenced above says;
"Users with document and field level security enabled for an index should not perform write operations."
So I would say the steps I did above are NOT SUPPORTED and probably not the best solution anyway.

Regards,
Lee


(system) #4