Kibana: Anonymous access, but having the chance of authenticating

Hi all,

I’ve installed Search Guard with its Kibana plugin. I’m trying to have a setup where anonymous visitors get read-only access (that is, they can view all dashboards, etc. but cannot save, nor write to the indexes), but at the same time, if the visitor authenticates (via Basic-Auth), they get read/write access to everything (I’m using the admin user in the demo configuration).

For granting anonymous visitors read-only access, without being shown the login page:

  • I added ‘searchguard.basicauth.enabled: false’ to kibana.yml

  • I added sg_anonymous_backendrole as a backend role to the sg_readall role in sg_roles_mapping.yml, so that it is now:

sg_readall:
  readonly: true
  backendroles:
    - readall
    - sg_anonymous_backendrole

It works like a charm as a read-only dashboard. But the login page gets completely disabled (or at least I cannot find its URL), so there is no way to authenticate.

I wonder if I could keep read-only access for visitors who do not authenticate, but at the same time keep the login page, so that if a visitor uses it and authenticates, auth headers are sent with their next HTTP requests, and therefore they can use the dashboard authenticated (for example as the admin user).

Thanks in advance,

   Jesus.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

search-guard-6: 6.1.0-21.0
elasticsearch: 6.1.0

  • Installed and used enterprise modules, if any

none

  • JVM version and operating system version

Not relevant (I think)

  • Search Guard configuration files

Demo configuration, with changes commented above

  • Elasticsearch log messages on debug level

Not relevant (I think)

  • Other installed Elasticsearch or Kibana plugins, if any

None

That’s not possible at the moment, it’s either/or: either Basic Auth with login dialogue, or Single Sign On / Anonymous. However, we already have a ticket in the backlog and might support it in future versions.

Since we don’t know upfront if a user wants to browse as an anonymous user or wants to log in: what kind of user flow do you have in mind? Letting the user pass as anonymous and then offering a “login” button inside Kibana? Or something different?

On Friday, February 16, 2018 at 8:32:08 PM UTC+1, Jesus M. Gonzalez-Barahona wrote:

Thanks for your answer. If you prefer that we talk in that issue, just let me know.

The most basic user flow would be letting all visitors pass as anonymous, but letting them visit the URL with the authentication form, and if they authenticate, then just applying the permissions for their user. This could easily be linked as a login link from Kibana.

An improvement would be having the form right in the Kibana UI, maybe as a drop-down form, for example.

I thought the first option could be available with little or no modification to the code, except for just letting the form be shown (without a redirect from Kibana), so that people who know where it is (or are linked to it) can just log in.

Regards,

     Jesus.
On Friday, February 16, 2018 at 11:15:56 PM UTC+1, Jochen Kressin wrote:

I did not find the issue in the Github repo so I created this one https://github.com/floragunncom/search-guard-kibana-plugin/issues/88

Do you think there is a workaround using the web server headers to send a hardcoded user by default?


If you have the possibility to add HTTP headers to the request to Kibana, e.g. by using a proxy in front of Kibana, then yes. The Kibana plugin supports pre-authenticated requests since Kibana 6 and plugin v10. As a workaround, just add an HTTP Basic header to the request, and set the user and password there. This should suppress the login dialogue and let the request pass.

Of course, this is a workaround only, we will look into this further.

On Thursday, March 22, 2018 at 12:57:57 PM UTC+1, Luis Cañas Díaz wrote:
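One way to implement the proxy workaround Jochen describes, as an added example that is not from this thread or from the Search Guard project: an nginx reverse proxy that injects an HTTP Basic header for a dedicated read-only user only when the client sent no Authorization header of its own, so a visitor who does authenticate still reaches Kibana with their own credentials and permissions. It assumes Kibana listens on 127.0.0.1:5601, the hostname kibana.example.org, and a read-only user (mapped to sg_readall, e.g. through the readall backend role in sg_roles_mapping.yml, never the admin user) whose base64-encoded credentials replace the placeholder.

```nginx
# Added example (not from the thread): nginx in front of Kibana.
# The map block belongs in the http {} context. $http_authorization is the
# client's Authorization request header; an empty value means the visitor
# is anonymous.
map $http_authorization $kibana_auth {
    # Client supplied its own credentials: pass them through untouched,
    # so a user who logs in via Basic-Auth keeps their own permissions.
    default $http_authorization;
    # No credentials: inject the read-only user (base64 of "user:password").
    # Placeholder; generate with: echo -n 'readonly_user:PASSWORD' | base64
    ""      "Basic REPLACE_WITH_BASE64_OF_readonly_user:PASSWORD";
}

server {
    listen 443 ssl;
    server_name kibana.example.org;   # assumed hostname
    # ssl_certificate / ssl_certificate_key as appropriate. TLS is required
    # here: Basic credentials are only base64-encoded, not encrypted.

    location / {
        proxy_pass http://127.0.0.1:5601;        # assumed Kibana address
        proxy_set_header Authorization $kibana_auth;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the injected user can only ever carry the permissions granted to sg_readall, a leak of the proxy configuration exposes read-only access at most, which is the least-privilege shape of the workaround.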