I was able to set up my searchguard to auth from HTTP headers, and therefore pass the auth through kibana. It is quite complex, and frankly I hope there is a cleaner way that I just didn’t know how to set up.
For anyone else curious, my current setup required doing the following:
- Users connect to http webserver with nginx ldap authentication.
-- If user auth succeeds, HTTP headers are entered for the username and the request is passed to the actual kibana port on localhost
- Kibana is configured to talk to another local nginx host and not the elasticsearch cluster directly
-- Nginx checks for the HTTP auth header, and if missing, inserts one with "kibana" as the user. (The only requests which do not have http auth are ones that kibana itself generates when trying to access its own settings on startup.) These requests are then forwarded to the actual elasticsearch cluster.
- search guard in the elasticsearch is configured with all the following settings for authorization/authentication
searchguard.http.xforwardedfor.header: X-Forward-For
searchguard.http.xforwardedfor.trustedproxies: 127.0.0.1
searchguard.http.xforwardedfor.enforce: false
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.proxy.HTTPProxyAuthenticator
searchguard.authentication.authorization.settingsdb.roles.kibana: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.: ["dev"]
searchguard.authentication.proxy.header: x-authenticated-user
searchguard.authentication.proxy.trusted_ips: 127.0.0.1
I am still hoping there is a better way. Running a second nginx head just to give requests coming from Kibana access to its own index is quite complex. Still, using this I can auth users from LDAP, then group them manually in the configuration file and create ACLs based on these groups and specific indexes. So for example a dev group could have access to the dev index while admins get all.
I would love to know if there is a better way. I don’t know that I can do my groups from LDAP since I am doing HTTP auth for the user authentication. Is that possible?
On Sunday, July 19, 2015 at 4:44:55 PM UTC-4, SG wrote:
sure
On 17.07.2015 at 15:29, karol ryzner karol....@gmail.com wrote:
Hi,
Do you still plan to provide documentation for kibana?
I think there are many people waiting for it.
Karol
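
The two nginx hops described in the post above, sketched as an added example (not the poster's actual configuration) to show where the `x-authenticated-user` header that Search Guard trusts is set and defaulted. The ports, the `$sg_user` variable name and the LDAP placeholder are assumptions; the header name, the `kibana` fallback user and the 127.0.0.1 trust boundary come from the post.

```nginx
# Added example: fragment for the http {} context of nginx.conf.
# Ports and the $sg_user name are assumptions, not taken from the post.

# Inner-proxy helper: fall back to "kibana" only when no user header arrives
# (Kibana's own startup/settings requests carry none).
map $http_x_authenticated_user $sg_user {
    ""      kibana;
    default $http_x_authenticated_user;
}

# 1) User-facing proxy: authenticates the user, then forwards to Kibana.
server {
    listen 80;

    location / {
        # The LDAP authentication directives of the nginx LDAP module in use
        # go here (not shown in the post); they must populate $remote_user.

        # proxy_set_header replaces any value the client sent, so the header
        # always carries the name nginx authenticated, never a browser-supplied one.
        proxy_set_header x-authenticated-user $remote_user;
        proxy_pass http://127.0.0.1:5601;    # Kibana, default port assumed
    }
}

# 2) Inner proxy: Kibana's elasticsearch URL points here, not at the cluster.
server {
    listen 127.0.0.1:9201;                   # hypothetical port, loopback only

    location / {
        proxy_set_header x-authenticated-user $sg_user;
        # Requests must reach Elasticsearch from 127.0.0.1 to match
        # searchguard.authentication.proxy.trusted_ips.
        proxy_pass http://127.0.0.1:9200;    # Elasticsearch, default port assumed
    }
}
```

nginx does not forward a header whose value is empty, so if authentication is ever not enforced on the first `location`, `$remote_user` is empty and the inner proxy maps the request to `kibana`, which the posted settings place in the `admin` role. Because `AlwaysSucceedAuthenticationBackend` accepts whatever name the header carries, the inner proxy and Elasticsearch should be reachable only from the local host.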