Auth for custom Kibana plugin

Assume that I have the latest version of Search Guard and Elasticsearch. Let’s say that I create an app-style plugin for Kibana like Timelion (e.g. basically linking to a separate web app). Is there a way that Search Guard could help cover authentication for that plugin in a user-friendly way (e.g. without prompting for credentials a second time)? How might this work? Also, what about the case where the plugin web app is running standalone outside the context of Kibana but still talking to Elasticsearch?

If you build a plugin for Kibana you need to make sure that the user credentials (e.g. Basic Auth) are included in every request from your plugin to ES/SG. That’s the main concept behind any authentication plugin for Kibana. The Search Guard Kibana Plugin is licensed under Apache2, so feel free to use the relevant portions of it for your own implementation. You can also just install the SG plugin and disable all the stuff you don’t need, like multi tenancy or the config GUI, and let it handle only the authentication stuff. Then, install your plugin in addition.

The same concept needs to be implemented when talking about a standalone application. The easiest way would be to use Basic Authentication. Then, upon login, check the credentials against the Search Guard authinfo endpoint. If credentials are valid, this will return information about the currently logged in user. If not, it will return a 403. Then you need to implement the session handling in your app, and make sure the (valid) credentials are added to each call to ES/SG.

Another way would be to just use the SG plugin, and install yours in addition. You just need


On Saturday, June 30, 2018 at 5:33:47 PM UTC+2, Mark Coburn wrote:

Assume that I have the latest version of Search Guard and Elasticsearch. Let’s say that I create an app-style plugin for Kibana like Timelion (e.g. basically linking to a separate web app). Is there a way that Search Guard could help cover authentication for that plugin in a user-friendly way (e.g. without prompting for credentials a second time)? How might this work? Also, what about the case where the plugin web app is running standalone outside the context of Kibana but still talking to Elasticsearch?
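
The standalone-application flow described in the reply above (Basic Authentication, a login check against the authinfo endpoint, session handling, credentials added to every call), as an added example that is not part of the original thread and not Search Guard's own code. It assumes the endpoint path `/_searchguard/authinfo`, a node at `https://localhost:9200` and an in-memory session store; all function names are hypothetical.

```python
import base64
import json
import secrets
import urllib.error
import urllib.request

ES_URL = "https://localhost:9200"  # assumption: ES/Search Guard node; use TLS, Basic Auth is only encoded
SESSIONS = {}                       # session id -> Authorization header (illustrative in-memory store)


def basic_header(username, password):
    """Build the HTTP Basic Authorization header value."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def http_get(url, headers):
    """Default transport: returns (status, body); HTTP error responses become statuses."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def login(username, password, transport=http_get):
    """Check credentials against authinfo; return (session_id, user_info) or None."""
    auth = basic_header(username, password)
    status, body = transport(ES_URL + "/_searchguard/authinfo", {"Authorization": auth})
    if status != 200:  # rejected credentials (the reply mentions 403); fail closed on any non-200
        return None
    session_id = secrets.token_urlsafe(32)  # unguessable id for the browser cookie
    SESSIONS[session_id] = auth             # credentials stay server-side, never in the cookie
    return session_id, json.loads(body)


def es_request(session_id, path, transport=http_get):
    """Forward a call to ES/SG with the session's validated credentials attached."""
    auth = SESSIONS.get(session_id)
    if auth is None:
        raise PermissionError("no valid session")
    return transport(ES_URL + path, {"Authorization": auth})


def logout(session_id):
    """Drop the stored credentials so the session id can no longer reach ES/SG."""
    SESSIONS.pop(session_id, None)
```

The `transport` parameter exists so the flow can be exercised without a live cluster; in a real deployment the session store also needs expiry and the cookie should be set `Secure` and `HttpOnly`.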