Basic authentication for each Kibana dashboards

Basic authentication for each Kibana dashboards

Taylor Wood
I am looking to require passwords to access specific dashboards in Kibana. I am using Apache and currently have basic authentication working for the site as a whole but want to lock it down even more so only some users have access to specific dashboards.

Kibana v3

Below is my httpd conf file.
=========
[root@SERVER conf.d]# cat kibana3.conf 
<VirtualHost *:80>
  ServerName MY SERVER NAME

  DocumentRoot /var/www/kibana3
  <Directory /var/www/kibana3>
    Allow from all
    Options -Multiviews
  </Directory>

  LogLevel debug
  ErrorLog /var/log/httpd/error_log
  CustomLog /var/log/httpd/access_log combined

  # Set global proxy timeouts
  <Proxy http://127.0.0.1:9200>
    ProxySet connectiontimeout=5 timeout=90
  </Proxy>

  # Proxy for _aliases and .*/_search
  <LocationMatch "^/(_nodes|_aliases|.*/_aliases|_search|.*/_search|_mapping|.*/_mapping)$">
  #  ProxyPassMatch http://127.0.0.1:9200/$1
  #  ProxyPassReverse http://127.0.0.1:9200/$1
  </LocationMatch>

  # Proxy for kibana-int/{dashboard,temp} stuff (if you don't want auth on /, then you will want these to be protected)
  <LocationMatch "^/(kibana-int/dashboard/|kibana-int/temp)(.*)$">
  #  ProxyPassMatch http://127.0.0.1:9200/$1$2
  #  ProxyPassReverse http://127.0.0.1:9200/$1$2
  </LocationMatch>

  <Location />
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthBasicProvider file
    AuthName "Restricted"
    AuthUserFile /etc/httpd/conf.d/kibana-htpasswd
    AuthGroupFile /etc/httpd/conf.d/kibana-groups
    Require valid-user
  </Location>

#  <Location /#/dashboard/elasticsearch/techsupport>
#    Order deny,allow
#    Allow from all
#    AuthType Basic
#    AuthBasicProvider file
#    AuthName "Restricted"
  #  AuthUserFile /etc/httpd/conf.d/kibana-htpasswd
 #   AuthGroupFile /etc/httpd/conf.d/kibana-groups
#    Require valid-user
#  </Location>
============

I also have a groups file and password file where it pulls the encrypted passwords and users from.
=========
GroupName: admin tom fred joe
========
joe:q.FjeZsgaHH.xMdf
tom:NadbOcfsqQY6nsfd
admin:j.ah3fsfdm0v7UVI
==============

According to Elasticsearch it should save the dashboards as a .json file but it is not saving them here (hence I cannot seem to lock them down with Apache through a file).
[root@SERVERdashboards]# ls
blank.json  default.json  guided.json  logstash.js  logstash.json  noted.json  testdash.json


At this point I am just spinning wheels and not getting anywhere.  Any help is appreciated.

Re: Basic authentication for each Kibana dashboards

slee
AFAIK, Kibana by default saves its dashboards in an ES index called kibana-int, as referenced in your httpd.conf file here: <LocationMatch "^/(kibana-int/dashboard/|kibana-int/temp)(.*)$">

You could restrict commands on that index based on authentication, like x user can do GET POST, whereas y user can do DELETE GET POST PULL, etc.  

On Tuesday, January 20, 2015 at 12:31:22 PM UTC-5, Taylor Wood wrote:
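
The reply's suggestion written out as an Apache 2.2 fragment; this is an added example, not configuration from either post. It assumes Kibana's Elasticsearch requests go through this virtual host (the commented-out ProxyPassMatch lines enabled), a dashboard saved under the name `techsupport`, and hypothetical groups `techsupport` and `dash-admins` in the existing group file.

```apache
# Added example, Apache 2.2 syntax to match the posted kibana3.conf.
# Place these sections AFTER <Location />: later sections are merged last,
# so their Require lines replace "Require valid-user" for matching paths,
# while AuthType/AuthUserFile/AuthGroupFile are inherited from <Location />.
#
# <Location /#/dashboard/elasticsearch/techsupport> can never match: the
# browser keeps everything after "#" (the fragment) to itself. What reaches
# Apache is the request for the stored dashboard document, e.g.
#   GET /kibana-int/dashboard/techsupport
#
# Constructed lines for /etc/httpd/conf.d/kibana-groups (hypothetical groups):
#   techsupport: tom fred
#   dash-admins: admin

# All saved dashboards: any authenticated user may read and save,
# only dash-admins may delete.
<LocationMatch "^/kibana-int/dashboard/">
  <Limit DELETE>
    Require group dash-admins
  </Limit>
  <LimitExcept DELETE>
    Require valid-user
  </LimitExcept>
</LocationMatch>

# One specific dashboard (must follow the general section so it wins):
# techsupport members may read it, only dash-admins may change or delete it.
<LocationMatch "^/kibana-int/dashboard/techsupport$">
  <Limit GET HEAD>
    Require group techsupport dash-admins
  </Limit>
  <LimitExcept GET HEAD>
    Require group dash-admins
  </LimitExcept>
</LocationMatch>

# Scope: this guards the stored dashboard definition only. Any valid user can
# still query the log indices through the _search LocationMatch in the posted
# config, and a search against kibana-int returns stored dashboards too, so
# those paths need their own rules if the underlying data is sensitive.
```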