Limiting who can log in to Kibana to defined list of users

Search Guard 6.x-25

On the Elasticsearch cluster I work with we have hundreds of people using Kibana. The only viable way to manage authentication is to hook Search Guard up to our organisation’s LDAP service. But that means everyone in the organisation can log in to Kibana. Most of them can’t see anything once they do because they’re not in any roles, but there are tens of thousands of people who can log in to Kibana when there is no reason for them to be able to do so.

Is there a way to limit the users that Kibana will allow to log in to a defined list? The closest thing I can find is searchguard.basicauth.forbidden_usernames which is the exact opposite of what I’m looking for. (It is not in any way realistic for us to populate searchguard.basicauth.forbidden_usernames with a list of everyone who should not be able to log in.)

At the moment we only support blacklisting (the “forbidden_usernames” feature), but I do understand your use case here. I think to have the possibility to chose between blacklisting and whitelisting would be a useful addition.

@Mike I think this would be fairly straight forward to implement, no? If so, could you please create a corresponding issue in the backlog? Thx!

Agree, should be straight forward. I’ll add it to the backlog!

@mikew Just to be clear, you are using SG’s basic auth (searchguard.auth.type: “basicauth”) right now?

Yes basic auth, but not the setting you cite. We’re using
searchguard.basicauth.enabled: true
Searchguard version is 6.25.5.
https://docs.search-guard.com/6.x-25/kibana-authentication-http-basic says:

For v13 and below:

searchguard.basicauth.enabled: true

For v14 and above:

searchguard.auth.type: "basicauth"

The setting we’re using works so I guess we’re using v13 and below but I’ve no idea what v13 or v14 mean. I would assume v means version but given the documentation is clearly labelled as for Search Guard 6 :man_shrugging: