Configuring Security in Kibana

Kibana users have to log in when X-Pack security is enabled on your cluster. You configure X-Pack security roles for your Kibana users to control what data those users can access.

Most requests made through Kibana to Elasticsearch are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the Kibana server needs to make to the Elasticsearch cluster. For this reason, you must configure credentials for the Kibana server to use for those requests.

With X-Pack security enabled, if you load a Kibana dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. X-Pack security does not currently provide a way to control which users can load which dashboards.

To use Kibana with X-Pack security:

  1. Install X-Pack into Kibana.
  2. To secure user sessions and enable users to log in and out of Kibana:

    1. Set the xpack.security.encryptionKey property in the kibana.yml configuration file. You can use any text string that is 32 characters or longer as the encryption key.

      xpack.security.encryptionKey: "something_at_least_32_characters"
    2. To change the default session duration, set the xpack.security.sessionTimeout property in the kibana.yml configuration file. By default, sessions stay active until the browser is closed. The timeout is specified in milliseconds. For example, set the timeout to 600000 to expire sessions after 10 minutes:

      xpack.security.sessionTimeout: 600000
  3. Configure the password for the built-in kibana user. The Kibana server submits requests as this user to access the cluster monitoring APIs and the .kibana index. The server does not need access to user indices.

    The password for this user is typically set as part of the X-Pack installation process on Elasticsearch. See Installing X-Pack on Elasticsearch. The user will not be enabled until a password is set. You can update passwords from the Management > Users UI in Kibana, use the setup-passwords tool, or use the security user API. For example:

    PUT /_xpack/security/user/kibana/_password
    {
      "password" : "s0m3th1ngs3cr3t"
    }

    For more information, see User Management APIs. Once you change the password, you need to specify it with the elasticsearch.password property in kibana.yml:

    elasticsearch.password: "s0m3th1ngs3cr3t"
  4. Configure Kibana authentication to grant them the privileges they need to use Kibana.

    You can manage roles on the Management / Security / Roles page in Kibana.

    If you’re using the native realm with Basic Authentication, you can assign roles using the Management / Security / Users page in Kibana, or the User Management API. For example, the following creates a user named jacknich and assigns it the kibana_user role:

    POST /_xpack/security/user/jacknich
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "kibana_user" ]
    }

    For more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication in Kibana.

  5. Grant users access to the indices that they will be working with in Kibana.

    Tip

    You can define as many different roles for your Kibana users as you need.

    For example, create roles that have read and view_index_metadata privileges on specific index patterns. For more information, see Configuring Role-based Access Control.

  6. Configure Kibana to encrypt communications between the browser and the Kibana server:

    1. Generate a server certificate for Kibana. You must either set the certificate’s subjectAltName to the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server, or set the CN to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.
    2. Set the server.ssl.key and server.ssl.certificate properties in kibana.yml:

      server.ssl.key: /path/to/your/server.key
      server.ssl.certificate: /path/to/your/server.crt

      Once you enable SSL encryption between the browser and the Kibana server, access Kibana via HTTPS. For example, https://localhost:5601.

  7. If you have enabled SSL encryption in X-Pack security, configure Kibana to connect to Elasticsearch via HTTPS:

    1. Specify the HTTPS protocol in the elasticsearch.url setting in the Kibana configuration file, kibana.yml:

      elasticsearch.url: "https://<your_elasticsearch_host>.com:9200"
    2. If you are using your own CA to sign certificates for Elasticsearch, set the elasticsearch.ssl.certificateAuthorities setting in kibana.yml to specify the location of the PEM file.

      elasticsearch.ssl.certificateAuthorities: /path/to/your/cacert.pem
  8. Restart Kibana and verify that you can log in as a user. If you are running Kibana locally, go to https://localhost:5601 and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the jacknich user created above.

    Note

    This must be a user who has been assigned the kibana_user role. Kibana server credentials should only be used internally by the Kibana server.

For more information about the settings in these steps, see Security Settings.