Configuring security in Kibana

edit

Configuring security in Kibanaedit

Kibana users have to log in when X-Pack security is enabled on your cluster. You configure X-Pack security roles for your Kibana users to control what data those users can access.

Most requests made through Kibana to Elasticsearch are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the Kibana server needs to make to the Elasticsearch cluster. For this reason, you must configure credentials for the Kibana server to use for those requests.

With X-Pack security enabled, if you load a Kibana dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. X-Pack security do not currently provide a way to control which users can load which dashboards.

To use Kibana with X-Pack security:

  1. Configure security in Elasticsearch.
  2. Configure Kibana to use the appropriate built-in user.

    Update the following settings in the kibana.yml configuration file:

    elasticsearch.username: "kibana"
    elasticsearch.password: "kibanapassword"

    The Kibana server submits requests as this user to access the cluster monitoring APIs and the .kibana index. The server does not need access to user indices.

    The password for the built-in kibana user is typically set as part of the security configuration process on Elasticsearch. For more information, see Built-in users.

  3. Set the xpack.security.encryptionKey property in the kibana.yml configuration file. You can use any text string that is 32 characters or longer as the encryption key.

    xpack.security.encryptionKey: "something_at_least_32_characters"

    For more information, see Security Settings in Kibana.

  4. Optional: Change the default session duration. By default, sessions stay active until the browser is closed. To change the duration, set the xpack.security.sessionTimeout property in the kibana.yml configuration file. The timeout is specified in milliseconds. For example, set the timeout to 600000 to expire sessions after 10 minutes:

    xpack.security.sessionTimeout: 600000
  5. Optional: Configure Kibana to encrypt communications.
  6. Restart Kibana.
  7. Temporarily log in to Kibana using the built-in elastic superuser so you can create new users and assign roles. If you are running Kibana locally, go to https://localhost:5601 to view the login page.

    The password for the built-in elastic user is typically set as part of the security configuration process on Elasticsearch. For more information, see Built-in users.

  8. Create roles and users to grant access to Kibana.

    To manage privileges in Kibana, open the main menu, then click Management / Security / Roles. The built-in kibana_user role will grant access to Kibana with administrator privileges. Alternatively, you can create additional roles that grant limited access to Kibana.

    If you’re using the default native realm with Basic Authentication, open the main menu, then click Management / Security / Users to create users and assign roles, or use the Elasticsearch user management APIs. For example, the following creates a user named jacknich and assigns it the kibana_user role:

    POST /_security/user/jacknich
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "kibana_user" ]
    }

    For more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication.

  9. Grant users access to the indices that they will be working with in Kibana.

    You can define as many different roles for your Kibana users as you need.

    For example, create roles that have read and view_index_metadata privileges on specific index patterns. For more information, see User authorization.

  10. Log out of Kibana and verify that you can log in as a normal user. If you are running Kibana locally, go to https://localhost:5601 and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the user jacknich.

    This must be a user who has been assigned Kibana privileges. Kibana server credentials (the built-in kibana user) should only be used internally by the Kibana server.