Shield with Kibana Passing Login Credentials through URL

security

(John) #1

Hi,

I was wondering if there was a way with Kibana and Shield to pass through the login details through a url?

For example that way I can click a link which brings me to KIbana and Logs me in through Shield?


(Steve Kearns) #2

Hi John,

There is no easy way to do that today. I wonder if allowing anonymous access would address your current needs? That way, any user could access Kibana, but you could control what data they would be able to see, and what they were allowed to do (e.g. read-only except the .kibana index).

If anonymous access doesn't sound like the right fit, can you share a bit more about your needs?


(John) #3

Hey, Thanks Steve. I will have to look into anonymous access to see if that helps. Basically I was looking to create a portal type link from a different members area and not want the user to login twice when they try to go to the dashboards but still making sure the dashboards are protected behind a login.


(Steve Kearns) #4

Hi John,

Thanks for sharing, I now see what you are trying to do. The anonymous access trick may work for showing the "data everyone can see," but won't personalize the view for every user. Hopefully anonymous access is enough in this case.

Longer, term it sounds like what you really want/need is user impersonation, which is an important feature on our roadmap.

Let us know how you make out.


(John) #5

I may have to do that for now and when the user management features on the roadmap get complete to update it to use that.

And to confirm is there no way I can say use curl even to authenticate with shield (which creates a session?) and then access kibana the same way which should see the session and then not show the login box?


(Josh Star Long) #6

Hi John,

Oh I also have the same problem as you. If you manage to get that done please can you share your solution.

Thanks.


(Josh Star Long) #7

Hi all,

I finally managed to address the problem. I used basic authentication on the api of my platform which was doing the call to my elk. That is supposed on my platform, I sign in with the following credentials
username:jstar
paswword:mysecret

To access my elk simply call used "jstar:mysecret@localhost:5601" as such jstar will login to kibana without displaying the dislog box of shield.

Hope that helps some body in the future.


(Tyler Child) #8

I've also been working on a better solution to authenticate a user with our ELK stack without manually plugging in a username password. Similar to Josh I am embedding visualizations in iframes on a custom developed site and in order to authenticate with the ELK stack I have to embed the username and password into the URL as Josh explained. Its a bit dirty seeing the credentials in clear text, in dev tools console, but is what it is.

Has their been any headway in providing a means to authenticate a user, perhaps via a token, or at the very least allow us to encode the username and password.

Thanks!


(system) #9