Anonymous or unauthenticated users in Kibana

I use Elasticsearch and Kibana 5.2.2.
I successfully configured Search Guard to grant authenticated users the required privileges.
Now I want to give access to some indices from Kibana for users without authentication.

It seems it shouldn’t be difficult, but I can’t understand how it could be done…

I tried to use the anonymous user for this purpose, but did not succeed…

How odd… I was just about to post the same question.
Could an official please provide some guidelines on this?
But please make it a bit more generic, so as to allow public/non-authenticated read-only access to any pre-defined indices.

Thanks a lot!

On Tuesday, April 25, 2017 at 1:42:11 PM UTC+2, Павел Гончарук wrote:

I use Elasticsearch and Kibana 5.2.2.
I successfully configured Search Guard to grant authenticated users the required privileges.
Now I want to give access to some indices from Kibana for users without authentication.

It seems it shouldn’t be difficult, but I can’t understand how it could be done…

I tried to use the anonymous user for this purpose, but did not succeed…

Well, the answer very much depends on what exact scenario you want to implement. Let me explain:

If you want to mix authentication and anonymous access, the question is how you want to ask users for their credentials (for authenticated users) and allow usage without any credentials (anonymous users) at the same time? That’s where the “challenge” flag comes into play.

If set to true, it basically says: “If there are no credentials in the request, ask the user to provide them”. In case of HTTP Basic Auth, this would trigger the Basic Auth dialogue in the browser. Now, you cannot set challenge to true and still have anonymous access, since when no credentials are provided, we simply do not know if we should trigger the Basic Auth dialogue to ask for credentials, or treat the request as anonymous.

In other words, if you want to allow anonymous access, you have to use pre-authentication and cannot use a challenging authenticator.

This is what the “anonymous_auth_enabled” flag in sg_config does. If you set this to true:

  • Search Guard will not challenge, regardless of the settings in sg_config
      • In other words, it acts like every “challenge” flag is set to “false”
  • Search Guard will look for credentials in the HTTP request
      • This could be username:password in case of Basic Auth, or a JWT token, or a Kerberos ticket
      • This depends on the authenticator(s) you configured
  • If credentials are found, Search Guard uses them to authenticate the user
  • If no credentials are found, the user will be treated as anonymous
      • username is “sg_anonymous”
      • role is “sg_anonymous_backendrole”

You can then use this username and role to configure any permissions on any index you like. So technically this is relatively easy to achieve.

The question here is: What should the user flow be like? Let’s say you open Kibana for the first time - how do you want to distinguish between authenticated and anonymous access? For example, you could also simply configure a “guest” user in the SG internal user database with password “guest”, and simply configure read-only access to all or some indices. You would not need the “anonymous” feature for that at all.

So, to answer the question in more detail, please tell me what user flow you want to implement exactly.

On Tuesday, April 25, 2017 at 6:26:07 PM UTC+2, Saša Tomić wrote:

How odd… I was just about to post the same question.
Could an official please provide some guidelines on this?
But please make it a bit more generic, so as to allow public/non-authenticated read-only access to any pre-defined indices.

Thanks a lot!
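
The Search Guard side of the anonymous setup described in the answer above, as an added example that is not part of the original thread and is not the project's own configuration. The role name sg_public_readonly, the index pattern public-*, the order value and the use of the READ action group are assumptions; the three files are shown in one block, and Kibana-specific permissions are not covered.

```yaml
# --- sg_config.yml (fragment) ---
searchguard:
  dynamic:
    http:
      # A request without credentials is treated as user "sg_anonymous"
      # with backend role "sg_anonymous_backendrole".
      anonymous_auth_enabled: true
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0                 # assumed position in the authenticator chain
        http_authenticator:
          type: basic
          # With anonymous_auth_enabled set, Search Guard acts as if every
          # challenge flag were false; stated explicitly here.
          challenge: false
        authentication_backend:
          type: intern
---
# --- sg_roles_mapping.yml (fragment) ---
# Map the anonymous backend role to a dedicated role, so that the
# anonymous user never inherits permissions meant for real users.
sg_public_readonly:              # hypothetical role name
  backendroles:
    - sg_anonymous_backendrole
---
# --- sg_roles.yml (fragment) ---
sg_public_readonly:
  indices:
    'public-*':                  # hypothetical pattern: list only the indices meant to be public
      '*':                       # all document types
        - READ                   # assumes READ is defined in sg_action_groups.yml
```

Credentialed requests are still authenticated against the internal user database as before; only requests that carry no credentials at all fall through to the anonymous role.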

Okay, you answered all my questions. Thank you!
I thought it could be possible to press some button or use another flag that marks me as a guest.

For example, a button “enter without auth” or something like this…

But now I understand that I want too much!

Well, this would actually be possible if you extend the Kibana Plugin.

If you introduce another button “Anonymous login”, you could store this information e.g. in a cookie, and then bypass the setting of the Basic Authentication header field, thus allowing anonymous requests to ES/SG. On the SG side, you need to enable anonymous access, and configure the permissions of the anon user/group accordingly.

However, a much simpler approach would be to introduce the said “anonymous login” button, and then send a default user/password (like guest/guest) in the HTTP calls. On the SG side, you configure this guest user like any other user, and give it for example RO permissions only.

Actually, we might consider this for the next release of the Kibana plugin. The implementation should be relatively straightforward. I’ll put it in the backlog, so we can discuss and decide.

Thanks for your input!

On Friday, April 28, 2017 at 8:11:03 AM UTC+2, Павел Гончарук wrote:

Okay, you answered all my questions. Thank you!
I thought it could be possible to press some button or use another flag that marks me as a guest.

For example, a button “enter without auth” or something like this…

But now I understand that I want too much!

Hi, I also wanted to enable anonymous users to view my Kibana dashboards without logging in. I felt like the solution was close with your comment below:

  • Search Guard will look for credentials in the HTTP request
  • This could be username:password in case of Basic Auth

I have a Kibana running behind an nginx proxy. So I tried to set up the header like this (following this tip):

  proxy_set_header Authorization "Basic cmVhZGFsbDpyZWFkYWxs";

In my Search Guard config file I have set anonymous_auth_enabled: true under http, and just below I have this:

  basic_internal_auth_domain:
    enabled: true
    order: 4
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern

After changing the configuration I run ./sgadmin_demo.sh, as the manual states, but still, when I type the URL of my Kibana instance, I see the login page of Search Guard.

Any ideas? Thank you very much.

At the moment you cannot use HTTP Basic Authentication and SSO at the same time unfortunately. This feature is planned for the upcoming SG6 release. The Kibana plugin does not support pre-authenticated HTTP requests, and requires an encrypted session cookie to be present.

Without changing the plugin code (as outlined in the previous comment), it’s not possible at the moment.

On Friday, October 6, 2017 at 12:36:47 AM UTC+2, Diego Pasqualin wrote:

Hi, I also wanted to enable anonymous users to view my Kibana dashboards without logging in. I felt like the solution was close with your comment below:

  • Search Guard will look for credentials in the HTTP request
  • This could be username:password in case of Basic Auth

I have a Kibana running behind an nginx proxy. So I tried to set up the header like this (following this tip):

  proxy_set_header Authorization "Basic cmVhZGFsbDpyZWFkYWxs";

In my Search Guard config file I have set anonymous_auth_enabled: true under http, and just below I have this:

  basic_internal_auth_domain:
    enabled: true
    order: 4
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern

After changing the configuration I run ./sgadmin_demo.sh, as the manual states, but still, when I type the URL of my Kibana instance, I see the login page of Search Guard.

Any ideas? Thank you very much.

Thank you Jochen!

On Tuesday, October 10, 2017 at 09:48:15 UTC-3, Jochen Kressin wrote:

At the moment you cannot use HTTP Basic Authentication and SSO at the same time unfortunately. This feature is planned for the upcoming SG6 release. The Kibana plugin does not support pre-authenticated HTTP requests, and requires an encrypted session cookie to be present.

Without changing the plugin code (as outlined in the previous comment), it’s not possible at the moment.
