Is there a way to block "system" users from logging into Kibana?

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick

Apologies, just found another post that answers this at Redirecting to Google Groups

Is there any plan to implement this functionality, or is it simply not possible? Surely it is not impossible?

Thanks,
Nick

···

On Friday, February 23, 2018 at 10:17:15 AM UTC+11, nick....@countersight.co wrote:

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick

Well, it cannot really be done in a 100% secure way. But we could, for example, provide a config property where you can list all users and/or roles you want to forbid. But that would need to be implemented for all authentication methods, including Basic Auth with the login dialogue, but also SSO like Kerberos or JWT. I’ll add it to our backlog and see what we can do …

···

On Friday, February 23, 2018 at 1:40:14 AM UTC+1, nick.george@countersight.co wrote:

Apologies, just found another post that answers this at https://groups.google.com/forum/#!searchin/search-guard/dashboard$20only|sort:date/search-guard/DVozeuT0Vag/h0b1csq7BwAJ

Is there any plan to implement this functionality, or is it simply not possible? Surely it is not impossible?

Thanks,
Nick

On Friday, February 23, 2018 at 10:17:15 AM UTC+11, nick....@countersight.co wrote:

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick

Thanks for that!

···

On Saturday, February 24, 2018 at 4:19:41 AM UTC+11, Jochen Kressin wrote:

Well, it cannot really be done in a 100% secure way. But we could, for example, provide a config property where you can list all users and/or roles you want to forbid. But that would need to be implemented for all authentication methods, including Basic Auth with the login dialogue, but also SSO like Kerberos or JWT. I’ll add it to our backlog and see what we can do …

Is your backlog available publicly?

Cheers,
Nick

···

On Saturday, February 24, 2018 at 4:19:41 AM UTC+11, Jochen Kressin wrote:

Well, it cannot really be done in a 100% secure way. But we could, for example, provide a config property where you can list all users and/or roles you want to forbid. But that would need to be implemented for all authentication methods, including Basic Auth with the login dialogue, but also SSO like Kerberos or JWT. I’ll add it to our backlog and see what we can do …

On Friday, February 23, 2018 at 1:40:14 AM UTC+1, nick....@countersight.co wrote:

Apologies, just found another post that answers this at https://groups.google.com/forum/#!searchin/search-guard/dashboard$20only|sort:date/search-guard/DVozeuT0Vag/h0b1csq7BwAJ

Is there any plan to implement this functionality, or is it simply not possible? Surely it is not impossible?

Thanks,
Nick

On Friday, February 23, 2018 at 10:17:15 AM UTC+11, nick....@countersight.co wrote:

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick

No, at the moment we do not have a public roadmap, sorry. But if you want to know about a specific feature, you can always drop us an email at info@search-guard.com.

···

On Monday, February 26, 2018 at 3:01:33 AM UTC+1, nick.george@countersight.co wrote:

Is your backlog available publicly?

Cheers,
Nick

On Saturday, February 24, 2018 at 4:19:41 AM UTC+11, Jochen Kressin wrote:

Well, it cannot really be done in a 100% secure way. But we could, for example, provide a config property where you can list all users and/or roles you want to forbid. But that would need to be implemented for all authentication methods, including Basic Auth with the login dialogue, but also SSO like Kerberos or JWT. I’ll add it to our backlog and see what we can do …

On Friday, February 23, 2018 at 1:40:14 AM UTC+1, nick....@countersight.co wrote:

Apologies, just found another post that answers this at https://groups.google.com/forum/#!searchin/search-guard/dashboard$20only|sort:date/search-guard/DVozeuT0Vag/h0b1csq7BwAJ

Is there any plan to implement this functionality, or is it simply not possible? Surely it is not impossible?

Thanks,
Nick

On Friday, February 23, 2018 at 10:17:15 AM UTC+11, nick....@countersight.co wrote:

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick

Tracked here: https://github.com/floragunncom/search-guard-kibana-plugin/issues/81

···

On Monday, February 26, 2018 at 7:59:58 PM UTC+1, Jochen Kressin wrote:

No, at the moment we do not have a public roadmap, sorry. But if you want to know about a specific feature, you can always drop us an email at info@search-guard.com.

On Monday, February 26, 2018 at 3:01:33 AM UTC+1, nick.george@countersight.co wrote:

Is your backlog available publicly?

Cheers,
Nick

On Saturday, February 24, 2018 at 4:19:41 AM UTC+11, Jochen Kressin wrote:

Well, it cannot really be done in a 100% secure way. But we could, for example, provide a config property where you can list all users and/or roles you want to forbid. But that would need to be implemented for all authentication methods, including Basic Auth with the login dialogue, but also SSO like Kerberos or JWT. I’ll add it to our backlog and see what we can do …

On Friday, February 23, 2018 at 1:40:14 AM UTC+1, nick....@countersight.co wrote:

Apologies, just found another post that answers this at https://groups.google.com/forum/#!searchin/search-guard/dashboard$20only|sort:date/search-guard/DVozeuT0Vag/h0b1csq7BwAJ

Is there any plan to implement this functionality, or is it simply not possible? Surely it is not impossible?

Thanks,
Nick

On Friday, February 23, 2018 at 10:17:15 AM UTC+11, nick....@countersight.co wrote:

Hi,

Just starting out with Searchguard, and it’s working great. One thing I’ve noticed is that I can log into Kibana using my internal system accounts, such as logstash, kibanaserver etc. Is there any way to block all these users from logging in? I’d prefer them to be completely blocked from Kibana in case their passwords are somehow compromised.

Using OSS SG version v6.2.1-21 on java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64 and Oracle LInux 7.4. Using the Kibana SG plugin to provide a login screen.

Cheers,
Nick