Allow everything from localhost, otherwise use basic HTTP authentication

Hey there,

I am still searching for a way for my application with a built-in browser to access Kibana without visible authentication (e.g. no login mask) as read-only access, while write access is granted only to specific users.

While the URL authentication does not work, I had another idea. It is not ideal, but should do the trick:

2 Kibana instances, one with disabled write plugins (Dev Tools, Management…) and a normal one.

Search Guard allows everything from localhost, no authentication needed. Otherwise, if the request comes from another machine (e.g. someone contacting ES directly), authentication is needed.

I know that it is not perfect and not even very safe, but at least the normal user can't do stuff within our application.

Is this possible? I can't really find anything about the part where everything is allowed for localhost and the http_authentification is only used for external requests.

This is not possible, but maybe the anonymous user works for you?


On 21.08.2017 at 10:33, Marvin Berger <mberger806@gmail.com> wrote:

Hey there,

I am still searching for a way for my application with a built-in browser to access Kibana without visible authentication (e.g. no login mask) as read-only access, while write access is granted only to specific users.
While the URL authentication does not work, I had another idea. It is not ideal, but should do the trick:
2 Kibana instances, one with disabled write plugins (Dev Tools, Management...) and a normal one.
Search Guard allows everything from localhost, no authentication needed. Otherwise, if the request comes from another machine (e.g. someone contacting ES directly), authentication is needed.
I know that it is not perfect and not even very safe, but at least the normal user can't do stuff within our application.

Is this possible? I can't really find anything about the part where everything is allowed for localhost and the http_authentification is only used for external requests.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/17e7d34a-7fbb-4227-916c-547e4c0f2447%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

This is not possible at the moment, Basic Auth and SSO auth (like JWT, Proxy/IP based) is an either/or decision. If Basic Auth is enabled, the plugin checks for a login/session cookie, and displays the login dialogue if none is found.

Implementing a mixed mode is not easy, since the plugin would need to decide if/when the Basic Auth dialogue should be displayed or not. We could implement your specific requirement, but then there are tons of other cases/combinations which we would need to support as well. Some of them are rather tricky, like Kerberos for example.


On Wednesday, October 4, 2017 at 1:10:46 PM UTC+2, Search Guard wrote:

This is not possible, but maybe the anonymous user works for you?
