User login with limited Kibana view, dashboard and data access


(Jeremy Colton) #1

Hi,

I need to create a dashboard for each of our users in Kibana with the following requirements:
a) SSL Login, retries, forgotten password, captcha
b) Only the dashboard tab is visible so no Discovery, Visualization, Settings etc.
c) The dashboard has fixed visuals/graphs that can only be edited by the Admin
d) The data in the visuals is specific to the logged-in user's data.
e) The Admin user can run queries on ALL the indexes.

How is the above possible?
Or should I write my own UI and use the Elastic Search REST API to fetch data/user?

Many, many thanks.


(Tanya Bragin) #2

You can do some of this today by using Shield with Kibana. Shield enforces granular data-level restrictions for any client connecting to ES, including Kibana. So you can set up users and roles, such as "admin can read/write all indices" and "such and such user is restricted to only these actions on only these indices, documents, and fields". The Shield Kibana plugin in 4.4 also provides a native login screen, session durations, logout button, etc. (no captcha and forgotten password functionality yet).

So (d), (e) and part of (a) are available. However, at the moment there are no view-level restrictions in Kibana; we are tracking some ERs related to that (e.g. #4453) and are thinking of the best way to approach it -- we'd love your comments and feedback.

Some of our customers set up separate instances of Kibana for the user groups they support, which provides isolation of saved objects between groups. For the admin/user workflow you'd need true read/write permissions on the dashboard. One thing that comes to mind is that it's not hard to automate creating of dashboards and visualizations by writing against the .kibana index, so perhaps you can set up jobs to automatically refresh Kibana objects so that if the users "mess up" the setup, you have a periodic job that resets it.


(Jeremy Colton) #3

Hi, thanks so much for your fast and detailed reply.

We will need 100s of client logins so having separate Kibana instances isn't workable. The client's UI must be minimal and be view-only with no permissions to delete/edit/add anything at all. Only the Admin user can update visuals on a client's dashboard.

Since Kibana/Shield can't meet my req.s I shall build a separate UI that will use the Kibana REST API instead.

  1. So, should each client have their own index?
  2. If so, can myself as admin run queries on ALL the indexes?
  3. Does Shield have a REST API as well that I can use to ensure authentication and authorisation for a given client and access to their index?
  4. Kibana's graphs/visuals are open source as Javascript libraries?

Many thanks.


(Tanya Bragin) #4

> Since Kibana/Shield can't meet my req.s I shall build a separate UI that will use the Kibana REST API instead.

That or embedding Kibana visualizations/dashboards as iframes could be an option for a read-only view.

> So, should each client have their own index?

I think this depends on what type of restrictions you need. If the data each client needs to see is separate from each other, you could put it in their own indexes. However, Shield supports document and field level restrictions. So if you have to share an index and segregate data by _type or some other attributes, you could use document level permissions to limit access to a subset of documents in an index.

> If so, can myself as admin run queries on ALL the indexes?

Yes, that should be doable with Shield.

> Does Shield have a REST API as well that I can use to ensure authentication and authorisation for a given client and access to their index?

In the current shipping version of Shield permissions are configured via config files, so you'd need config mgmt tools to automate it. In 5.0 we are adding a REST API to add users and manage roles within Shield.

> Kibana's graphs/visuals are open source as Javascript libraries?

Yes, we have our own OSS visualizations library, called vislib, that we are currently using.


(Jeremy Colton) #5

Do you have a link that describes how to embed a dashboard as an iframe?
I assume it's "read-only" since the iframe doesn't contain any edit/delete buttons?
This sounds like a great solution!


(Tanya Bragin) #6

There is a little bit of information on embedding a dashboard as an iframe here: https://www.elastic.co/guide/en/kibana/current/dashboard.html

but it applies to individual visualizations too... in a nutshell, there is an iframe link in the "share" button that you can play around with and see if it works for you.


(Jeremy Colton) #7

Hi, embedded dashboards look good for my needs.

If I want to restrict dashboard access via publisher id, is it better to use the "_type" parameter for this value OR is a simple publisherId field enough to provide access restriction using SHIELD?


(Tanya Bragin) #8

Awesome! Glad to hear it.

"_type" has some new restrictions starting with version 2.x (see ES 2.0 breaking changes). So far in upcoming ES 5.0 breaking changes, I don't see any additional restrictions for types, but it could happen. It's really up to you, but imho, if you can get away with using a field to demarcate your publishers, you probably have a more general solution.

One thing to keep in mind is that you currently can't aggregate or filter on types in Kibana (again, due to some changes in Elasticsearch), w/o implementing some workaround that involves writing directly to the .kibana index, so if it's important to you, don't go with types! https://github.com/elastic/kibana/issues/5684


(Jeremy Colton) #9

Many thanks :)

I found in roles.yml that I can restrict access to read-only for documents that have a specific publisher_id field value. So I just need to add a role per publisher to this file.

The website doesn't say how much SHIELD costs. I've emailed your support and asked for a price saying how helpful you have been.

Is it possible to authenticate without the username/password basic auth popup and do this programmatically so I can have my own pretty login screen even though I'm requesting an iframe?

Automating Kibana dashboard and visual creation is possible via API as well?
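
One way to produce the per-publisher roles described in #4 and #9, as an added example that is not part of the original posts: a small generator for roles.yml entries that restrict reads with a document-level query on publisher_id. The role naming scheme, the index pattern `publisher-data-*` and the accepted id format are assumptions; the entry layout follows the Shield 2.x roles.yml style and should be checked against the installed version.

```python
import json
import re

# Assumed id format: short alphanumeric tokens. Anything else is rejected so an
# id can never inject YAML structure or widen the role's query.
PUBLISHER_ID = re.compile(r"[A-Za-z0-9_]{1,20}")
INDEX_PATTERN = "publisher-data-*"  # hypothetical index naming


def publisher_role(publisher_id):
    """Return one roles.yml entry: read-only, limited to one publisher's documents."""
    # fullmatch (not match) so a trailing newline cannot slip through.
    if not isinstance(publisher_id, str) or not PUBLISHER_ID.fullmatch(publisher_id):
        raise ValueError("unsafe publisher id: %r" % (publisher_id,))
    # json.dumps quotes the value, so the query is always a term match on a string.
    query = json.dumps({"term": {"publisher_id": publisher_id}})
    return (
        "publisher_%s:\n"
        "  indices:\n"
        "    '%s':\n"
        "      privileges: read\n"
        "      query: '%s'\n"
    ) % (publisher_id, INDEX_PATTERN, query)


def render_roles(publisher_ids):
    """Render all publisher roles, refusing ids that differ only by case."""
    seen = set()
    blocks = []
    for pid in publisher_ids:
        block = publisher_role(pid)  # validates before anything is emitted
        if pid.lower() in seen:
            raise ValueError("duplicate publisher id: %r" % pid)
        seen.add(pid.lower())
        blocks.append(block)
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed sample ids.
    print(render_roles(["acme42", "globex"]))
```

In Shield 2.x, document-level security also has to be switched on in elasticsearch.yml (`shield.dls_fls.enabled: true`) before the `query` line takes effect.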


(Tanya Bragin) #10

Awesome! DM me if you don't get a response on the Shield quote quickly enough.

> Is it possible to authenticate without the username/password basic auth popup and do this programmatically so I can have my own pretty login screen even though I'm requesting an iframe?

Kibana 4.4 shield plugin provides a login screen, logout button, session duration, etc. Are you already using that?

> Automating Kibana dashboard and visual creation is possible via API as well?

Yes. If I understood your use case correctly, I'd say the easiest way would be to manually create a template, then to fetch relevant documents from the .kibana index (remember you'll need the dashboards and all visualizations and saved searches underlying it) and based on those samples write additional documents to the .kibana index.


(Jeremy Colton) #11

I am using Kibana 4.4 but with the NGINX reverse proxy login setup as per https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04. I don't have SHIELD installed at the moment. So I need to disable the reverse proxy and install SHIELD.

The page I will build for my users will be a combination of Kibana Dashboard (embedded into the page via an iframe) AND other non-kibana data.

So, is the SHIELD authentication process available via an API? This will allow me to have a single-sign-on for the user into their web-page and Kibana authentication behind the scenes automatically.

For each user's dashboard, it will be auto-created for them. Do you have a link with a sample/tutorial for auto-creating a visualization, adding it to a new dashboard and saving the dashboard?


(Tanya Bragin) #12

> So, is the SHIELD authentication process available via an API? This will allow me to have a single-sign-on for the user into their web-page and Kibana authentication behind the scenes automatically.

There is an API for adding users and roles in Shield 5.0. Single sign-on is pretty common with users of Shield. Usually it's accomplished either using run-as or building a custom realm. Feel free to ask a question in the Shield channel about your specific SSO scenario and how these two options may apply.

> For each user's dashboard, it will be auto-created for them. Do you have a link with a sample/tutorial for auto-creating a visualization, adding it to a new dashboard and saving the dashboard?

I don't believe there is such a tutorial. You can use Sense or even Kibana directly to examine the contents of the .kibana index prior to determining the best way for you to write directly to it. Feel free to ask another question if you try doing it and run into anything specific that doesn't make sense.
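
A sketch of the template-copy approach from #10 and #12, as an added example that is not part of the original posts: it clones a template dashboard and the objects underneath it for one publisher and builds a bulk request body for the .kibana index. The template documents are a constructed sample shaped like Kibana 4 saved objects, and all ids, titles and the function names are hypothetical. Data separation still comes from the Shield role, not from the dashboard copy.

```python
import copy
import json

# Constructed sample of saved objects as they might appear in a Kibana 4 .kibana index.
TEMPLATE = [
    {"_type": "visualization", "_id": "tpl-hits-by-day", "_source": {
        "title": "Hits by day",
        "visState": json.dumps({"type": "histogram", "aggs": []}),
        "kibanaSavedObjectMeta": {"searchSourceJSON": json.dumps(
            {"index": "publisher-data-*", "filter": []})}}},
    {"_type": "dashboard", "_id": "tpl-overview", "_source": {
        "title": "Overview",
        "panelsJSON": json.dumps([{"id": "tpl-hits-by-day", "type": "visualization",
                                   "panelIndex": 1, "col": 1, "row": 1,
                                   "size_x": 6, "size_y": 3}])}},
]


def clone_for(publisher_id, template=TEMPLATE):
    """Copy every template object, renaming ids and rewriting cross-references."""
    ids = {doc["_id"]: "%s-%s" % (doc["_id"], publisher_id) for doc in template}
    clones = []
    for doc in template:
        src = copy.deepcopy(doc["_source"])
        src["title"] = "%s (%s)" % (src["title"], publisher_id)
        # A visualization may be built on a saved search; it must be in the template too.
        if "savedSearchId" in src:
            if src["savedSearchId"] not in ids:
                raise ValueError("missing saved search %s" % src["savedSearchId"])
            src["savedSearchId"] = ids[src["savedSearchId"]]
        # Dashboard panels are stored as a JSON string that points at other objects.
        if "panelsJSON" in src:
            panels = json.loads(src["panelsJSON"])
            for panel in panels:
                if panel["id"] not in ids:
                    raise ValueError("missing panel object %s" % panel["id"])
                panel["id"] = ids[panel["id"]]
            src["panelsJSON"] = json.dumps(panels)
        clones.append({"_type": doc["_type"], "_id": ids[doc["_id"]], "_source": src})
    return clones


def to_bulk(docs, index=".kibana"):
    """Serialize the clones as a bulk API body (action line, then source line)."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": d["_type"], "_id": d["_id"]}}))
        lines.append(json.dumps(d["_source"]))
    return "\n".join(lines) + "\n"
```

Re-running the same job overwrites the cloned objects by id, which also covers the periodic reset suggested in #2.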


(Jeremy Colton) #13

Hi,

In order to make my own requests to ES to create visuals and dashboards, I am trying to debug the request that Kibana sends to ElasticSearch. This request contains the JSON that ES reads and acts upon. Is there a log file in ES that shows the requests (and JSON) that it receives?

