On the Elasticsearch cluster I work with we have hundreds of people using Kibana. The only viable way to manage authentication is to hook Search Guard up to our organisation’s LDAP service. But that means everyone in the organisation can log in to Kibana. Most of them can’t see anything once they do because they’re not in any roles, but there are tens of thousands of people who can log in to Kibana when there is no reason for them to be able to do so.
Is there a way to limit the users that Kibana will allow to log in to a defined list? The closest thing I can find is searchguard.basicauth.forbidden_usernames which is the exact opposite of what I’m looking for. (It is not in any way realistic for us to populate searchguard.basicauth.forbidden_usernames with a list of everyone who should not be able to log in.)
At the moment we only support blacklisting (the “forbidden_usernames” feature), but I do understand your use case here. I think to have the possibility to chose between blacklisting and whitelisting would be a useful addition.
@Mike I think this would be fairly straight forward to implement, no? If so, could you please create a corresponding issue in the backlog? Thx!
The setting we’re using works so I guess we’re using v13 and below but I’ve no idea what v13 or v14 mean. I would assume v means version but given the documentation is clearly labelled as for Search Guard 6