Our Kibana/Elasticsearch server is protected with Searchguard.
Some users ask us to install a third-party plugin they are developing on the Kibana server.
However, I’m afraid that they can bypass Searchguard plugin and thus, compromise the security of the server…
Is it possible for a Kibana plugin to bypass Searchguard (authentication and authorization)? Any other recommendations about Searchguard and third-party plugins compatibility?
First, all security checks are implemented in the Elaticsearch plugin, not in Kibana. This includes auth/auth. So from that point of view there should be no risk.
However - since any plugin runs on the node.js/hapi layer, it can intercept any request between Kibana and Elasticsearch. This means a malicious plugin author could sniff authentication credentials or otherwise modify the Authorization header. This is always a potential riks and depends on how thoroughly plugins are reviewed before installing them.
The SG features like auth/auth should be transparent to other plugins, however, third-party plugin compatibility is at the moment not part of our integration tests.
···
On Thursday, September 20, 2018 at 4:07:18 PM UTC+2, Sylvain wrote:
Our Kibana/Elasticsearch server is protected with Searchguard.
Some users ask us to install a third-party plugin they are developing on the Kibana server.
However, I’m afraid that they can bypass Searchguard plugin and thus, compromise the security of the server…
Is it possible for a Kibana plugin to bypass Searchguard (authentication and authorization)? Any other recommendations about Searchguard and third-party plugins compatibility?