Restricting Users for Kibana with Filtered Aliases

The next piece of the puzzle is setting up Nginx to serve the Kibana interface with basic auth and to proxy the logstash-* requests to the user's aliases. There is a sample Nginx configuration in the Kibana Github repo that we will use as a starting point. We need to add basic auth to the top of configuration along with modifying some of the rewrite rules to use the filtered aliases and user specific indexes. You can view the modified file here.

The trickiest part to setup is translating the logstash-* requests to the user's aliases. Kibana will often send requests like /logstash-2014.02.04,logstash-2014.02.03/_search, which will need to be translated to /buzz-2014.02.04,buzz-2014.02.03/_search. Nginx doesn't have a simple find and replace feature, so we need to dust off our hacker skills and setup a recursive rewrite rule to make the translation for us.

  # Recursively change Logstash prefixed index names to user prefixed aliases.
  # This will process until the logstash-YYYY.MM.DD pattern disappears
  location ~ ^/([^\*]*)logstash-(?\d+.\d+.\d+)(,?[^\*/]+)*/_search$ {
    set $part1 $1;
    set $part3 $3;
    rewrite ^.*$ /${part1}${remote_user}-${date}${part3}/_search last;
  }

  # All request to kibana-int also need to be proxied to an unique index per user.
  location ~ ^/kibana-int/(.*)$ {
    set $part1 $1;
    proxy_pass http://127.0.0.1:9200/kibana-int-${remote_user}/${part1};
    proxy_read_timeout 90;
  }

  location ~ ^/[^\*/]+/_search$ {
    proxy_pass http://127.0.0.1:9200;
    proxy_read_timeout 90;
  }

There we have it, Kibana locked down using basic authentication and the data segmented by the authenticated user. Before you go to production with this setup, we highly recommend serving the Kibana interface behind a SSL (or a SSL proxy) and disable dynamic scripting. If you want to use the code from this example, you can find it in the Kibana repository on GitHub under samples/filtered-alias-example.

Update: Special thanks to Alex Brasetvik (@alexbrasetvik) for pointing out a few security issues with our Nginx re-write rules.

Sign up for updates!

Subscribe to the RSS feed RSS