Is it possible to restrict an auth domain to a given CIDR?
This could for instance be used to prevent the kibanaserver user from using the REST API from outside the organization.
Or is there another way to achieve this?
Actually I’m pretty worried about having to enable basic auth: the kibanaserver user can remove all Kibana indices.
I see there’s the new blocking configuration options. That could help, if one could block users from certain net_masks or IPs, which it doesn’t seem to.
Yes, you can block by netmask: https://docs.search-guard.com/latest/main-concepts#block-user--ip-addressnet-mask. Also, you can use a firewall on the ES servers, for example, iptables if it is Linux.
But you can’t block a user from a certain mask only.
The problem with the kibana user is that it’s granted access from everywhere, while it only needs access from the box running Kibana. I don’t want to have world accessible basic auth just because of an Elasticsearch/Kibana limitation.
You can allow the connection only from a secure subnet, for example:

a_secure_subnet:
  type: "net_mask"
  value: ["192.168.1.0/24"]
  verdict: "allow"
But that will be effective for all users, not just the kibana server user.
Just a quick update on this topic:
This feature is now available since Search Guard 47:
Thanks so much for this!
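
Added example, not part of the thread or of Search Guard itself: where a per-user source restriction is not enforced, audit events can be checked for the kibanaserver user authenticating from outside its expected subnet. The 192.168.1.0/24 range comes from the reply above; the audit field names and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import json

# Assumption: expected source networks per restricted user (range from the thread).
USER_ALLOWED_NETS = {"kibanaserver": [ipaddress.ip_network("192.168.1.0/24")]}

# Constructed sample events; the field names are an assumption, map to your schema.
SAMPLE_EVENTS = """\
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "192.168.1.20"}
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "203.0.113.7"}
{"audit_request_effective_user": "alice", "audit_request_remote_address": "203.0.113.7"}
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "::ffff:192.168.1.20"}
{"audit_request_effective_user": "kibanaserver", "audit_request_remote_address": "not-an-ip"}
"""


def source_allowed(user, remote):
    """Return True if `remote` is an acceptable source address for `user`."""
    nets = USER_ALLOWED_NETS.get(user)
    if nets is None:
        return True  # this user has no source restriction
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return False  # unparseable source for a restricted user: fail closed
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so dual-stack listeners match.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in nets)


def find_violations(lines):
    """Return (user, remote) pairs whose source is outside the user's networks."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        user = event.get("audit_request_effective_user")
        remote = event.get("audit_request_remote_address", "")
        if not source_allowed(user, remote):
            out.append((user, remote))
    return out


if __name__ == "__main__":
    for user, remote in find_violations(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {user} authenticated from unexpected source {remote}")
```

Unlike the global net_mask rule shown in the thread, only users listed in `USER_ALLOWED_NETS` are checked, so other users connecting from outside the subnet are not flagged.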