To avoid kibana(with x-pack) authentication in 6.2.3

Hi,

I have one Elastic & one Kibana node with X-Pack installed on it. I have to access the Kibana UI from one of my web applications, but when I try to access Kibana through my web application, it redirects me to the Kibana login page (I am using an iframe in my application to access Kibana). I have to bypass this login page, so is there any option available in X-Pack to disable Kibana authentication, or should I send a POST request from my web application to Kibana so that it allows me to access the main page directly?

I hope you understand my exact issue. Please suggest some way to bypass this authentication process.

Thanks

Hi,
Have a read over this thread, and let us know if this helps or where the gap remains: How to disable authentication in Kibana while still using SSL?

Hi jKhondhu,

Thanks for your reply. The given link was helpful, but in my case I want X-Pack to stay enabled while we access Kibana without authentication.

While reading the given link I came to know that he has used nginx as a reverse proxy. I did the same thing in my application but it is not working for me. Find my nginx configuration below:

        # nginx.config
        server {
            listen 9500;
            server_name 0.0.0.0;

            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/htpasswd.kibana;

            location / {
                proxy_pass http://localhost:5601;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
            }
        }

Here I am redirecting requests coming in on port 9500 to my localhost:5601 (i.e. Kibana). I am also passing the 'auth_basic' & 'auth_basic_user_file' parameters, but it doesn't work for me. The 'htpasswd.kibana' file contains the authentication information that I have already set for elastic. But still it is not working. Can you add more on it? Where am I doing the wrong thing here? Or suggest some other way to access Kibana without authentication.

One more thing: I have used SSL on Elastic, Kibana and nginx to bypass the authentication, but that is not working for me either.

Note: I need X-Pack security for the monitoring & audit logging features, so I can't disable it.

Thanks.

Rather than simply telling us that it is not working, you really need to describe what is happening. What behaviour are you seeing? How does that differ from what you want to see?

If you want to keep xpack security enabled, but skip authentication, then you have two options:

  1. Enable anonymous access in Elasticsearch. This can be tricky to get right, and opens up your whole ES cluster to anonymous access, so it is not recommended for your case.
  2. Use a proxy to provide the security credentials to Kibana in order to bypass Kibana's login screen.

You have started down the 2nd path, but your nginx config isn't doing anything to trigger a login to Kibana. Rather, it seems to be adding additional authentication steps (auth_basic), which is the opposite of what you want.

You need every request that comes through your proxy to automatically have a new header that includes the username & password of the user that should be logged into Kibana.

First you need to create a new read-only user in Kibana that has access to all the visualisations that you want to make available in your application.

Then you want to configure nginx so that it will automatically add authentication headers on the request to Kibana by adding something like this to your nginx config:

        # Send a Basic auth header to Kibana on every request to get past the login UI.
        # "bmdpbng6c2VjcmV0cGFzc3dvcmQ=" is a base64 encoded string of my service account's credentials "nginx:secretpassword"

        proxy_set_header Authorization "Basic bmdpbng6c2VjcmV0cGFzc3dvcmQ=";

You need to replace that base64 encoded value with one that matches the new user+password you created.

2 Likes

Thanks Tim ..... After adding above property in nginx.conf file, it's working now :)

@DSak and @TimV, do you mind guiding someone new like myself on setting up nginx and completing option 2, "Use a proxy to provide the security credentials to Kibana in order to bypass Kibana's login screen"? Any links or tutorials would be really appreciated. For my case I would like to embed visualizations on a public website in the most secure way possible but with any login requirements from the website visitors.

Thank you in advance,
George

This blog post describes how to set up a proxy to do OAuth in front of Kibana.

Conceptually that contains two steps:

  • Setting up an OAuth proxy in front of Nginx
  • Using Nginx to bypass Kibana's login process

Those two steps are pretty separate, and you won't need the OAuth bit, but the second step is exactly what you're looking for. In your case you'll want to make nginx listen on an external (public) IP as you expect browsers to connect to it directly. In the blog it's listening on localhost (private IP) as only the oauth2_proxy is supposed to have direct access to nginx.

Thank you @TimV for your recommendations and blog post with a sample nginx configuration. I know it is a workaround and it will not solve all issues. @thomasneirynck shared a ticket asking for an enhancement request to basically provide public facing visualizations and dashboards like many other modern platforms offer. Please upvote or comment if you find it helpful: https://github.com/elastic/kibana/issues/18331

Thank you again,
George
