Shield with Kibana 4

Kibana 4 adds a server-side component that changes the integration with Shield and the steps required to configure Shield, Elasticsearch, and Kibana to work together. With Kibana 4, the browser makes requests to the Kibana 4 server, and not to Elasticsearch directly. The Kibana 4 server then makes requests to Elasticsearch on behalf of the browser. We recommend using separate roles for your users who log into Kibana and for the Kibana 4 server itself.

Configuring Roles for Kibana 4 Users

Kibana users need access to the indices that they will be working with and the .kibana index where their saved searches, visualizations, and dashboards are stored. Shield includes a default kibana4 role that grants read access to all indices and full access to the .kibana index.

Important

The default Kibana 4 user role grants read access to all indices. We strongly recommend deriving custom roles for your Kibana users that limit access to specific indices according to your organization’s goals and policies.

kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    # Read access to all indices; narrow this pattern in custom roles.
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
    # Full access to the index that stores saved searches, visualizations, and dashboards.
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

To constrain Kibana’s access to specific indices, explicitly specify the index names in your role. When configuring a role for a Kibana user and granting access to a specific index, at a minimum the user needs the following privileges on the index:

  • indices:admin/mappings/fields/get
  • indices:admin/validate/query
  • indices:data/read/search
  • indices:data/read/msearch
  • indices:admin/get
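
The following Python script, an added example that is not part of Shield or its documentation, audits role definitions written in the layout shown on this page: it flags roles that can read every index and index-specific grants that lack one of the minimum privileges listed above. The role name logs_kibana_user, the logstash-* pattern, and the function names are assumptions made for illustration.

```python
# Minimum per-index privileges for a Kibana 4 user, as listed on this page.
MIN_PRIVS = set("""indices:admin/mappings/fields/get indices:admin/validate/query
indices:data/read/search indices:data/read/msearch indices:admin/get""".split())
# Constructed sample: logs_kibana_user and logstash-* are hypothetical names.
SAMPLE = """\
kibana4:
  indices:
    '*':
      - indices:data/read/search
logs_kibana_user:
  indices:
    'logstash-*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
"""

def parse_roles(text):
    """Parse the role / section / pattern / list layout shown on this page (not full YAML)."""
    roles, role, target = {}, None, None
    for raw in text.splitlines():
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        if item.startswith("- "):        # a privilege under cluster: or an index pattern
            target.append(item[2:].strip())
        elif not raw[0].isspace():       # unindented key starts a new role
            role = roles.setdefault(item.rstrip(":"), {"cluster": [], "indices": {}})
        elif item in ("cluster:", "indices:"):
            target = role["cluster"] if item == "cluster:" else None
        else:                            # an index pattern key such as '.kibana':
            target = role["indices"].setdefault(item.rstrip(":").strip("'\""), [])
    return roles

def audit(roles):
    """Return (role, pattern, issue) tuples for wildcard reads and incomplete index grants."""
    findings = []
    for name, role in roles.items():
        for pattern, privs in role["indices"].items():
            missing = sorted(MIN_PRIVS - set(privs))
            if pattern == "*" and any(p.startswith("indices:data/read/") for p in privs):
                findings.append((name, pattern, "read access to all indices"))
            elif pattern not in ("*", ".kibana") and missing:
                findings.append((name, pattern, "missing " + ", ".join(missing)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_roles(SAMPLE)):
        print(*finding, sep=" | ")
```

The parser only understands roles written as lists of privileges under quoted index patterns, as on this page; other ways of writing a role need a real YAML parser.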

Configuring a Role for the Kibana 4 Server

The Kibana 4 server needs access to the cluster monitoring APIs and the .kibana index. However, the server does not need access to user indices. The following kibana4_server role shows the privileges required by the Kibana 4 server.

Note

This role was not included in the roles.yml file for Shield 1.0. You will need to manually add this role.

kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    # Only the .kibana index; no user indices are listed.
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

To configure the Kibana 4 server, you must assign this role to a user and add the user credentials to kibana.yml. For more information, see Configuring Kibana to Work with Shield in the Kibana 4 User Guide.

Configuring Kibana 4 to Use SSL

You should also configure Kibana 4 to use SSL encryption for both client requests and the requests the Kibana server sends to Elasticsearch. For more information, see Enabling SSL in the Kibana 4 User Guide.