Shield with Kibana 4
Kibana 4 adds a server-side component that changes the integration with Shield and the steps required to configure Shield, Elasticsearch, and Kibana to work together. With Kibana 4, the browser makes requests to the Kibana 4 server, and not to Elasticsearch directly. The Kibana 4 server then makes requests to Elasticsearch on behalf of the browser. We recommend using separate roles for your users who log into Kibana and for the Kibana 4 server itself.
Configuring Roles for Kibana 4 Users
Kibana users need access to the indices that they will be working with and the .kibana index where their saved searches, visualizations, and dashboards are stored. Shield includes a default kibana4 role that grants read access to all indices and full access to the .kibana index.
The default Kibana 4 user role grants read access to all indices. We strongly recommend deriving custom roles for your Kibana users that limit access to specific indices according to your organization’s goals and policies.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
To constrain Kibana’s access to specific indices, explicitly specify the index names in your role. When configuring a role for a Kibana user and granting access to a specific index, at a minimum the user needs the following privileges on the index:
- indices:admin/mappings/fields/get
- indices:admin/validate/query
- indices:data/read/search
- indices:data/read/msearch
- indices:admin/get
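The following check is an added example, not part of the Shield documentation or Shield's own code: it parses roles.yml text in the layout shown on this page and reports index patterns in Kibana user roles that grant access to all indices or lack one of the minimum privileges listed above. The role name kibana4_weblogs and the pattern weblogs-* are hypothetical, the sample input is constructed, and only explicit action names are compared (privilege wildcards and named privileges are not expanded).

```python
# Added example, not Shield code. SAMPLE is constructed; kibana4_weblogs and weblogs-* are hypothetical.
KIBANA_MIN = {"indices:admin/mappings/fields/get", "indices:admin/validate/query",
              "indices:data/read/search", "indices:data/read/msearch",
              "indices:admin/get"}  # minimum per-index privileges listed on this page
SAMPLE = """\
kibana4:
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
kibana4_weblogs:
  indices:
    'weblogs-*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
"""

def parse_roles(text):  # -> {role: {index_pattern: set(privileges)}}
    roles, role, section, pattern = {}, None, None, None
    for raw in text.splitlines():
        item = raw.strip()
        if not item or item.startswith("#"):      # blank line or full-line comment
            continue
        if not raw[0].isspace():                  # role name at column 0
            role, section, pattern = item.rstrip(":"), None, None
            roles[role] = {}
        elif item in ("cluster:", "indices:"):    # section header
            section, pattern = item[:-1], None
        elif section == "indices" and item.endswith(":"):   # index pattern key
            pattern = item[:-1].strip("'\"")
            roles[role][pattern] = set()
        elif section == "indices" and item.startswith("- ") and pattern:
            roles[role][pattern].add(item[2:].strip())
    return roles

def audit(roles):  # -> [(role, index_pattern, issue)] for roles meant for Kibana users
    findings = []
    for role, indices in roles.items():
        for pattern, privs in indices.items():
            if pattern == "*":
                findings.append((role, pattern, "grants access to all indices"))
            if pattern != ".kibana" and KIBANA_MIN - privs:
                findings.append((role, pattern, "missing " + ", ".join(sorted(KIBANA_MIN - privs))))
    return findings
```

Call audit(parse_roles(text)) on the contents of roles.yml; an empty list means every non-.kibana index pattern is named explicitly and carries the five minimum privileges.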
Configuring a Role for the Kibana 4 Server
The Kibana 4 server needs access to the cluster monitoring APIs and the .kibana index. However, the server does not need access to user indexes. The following kibana4_server role shows the privileges required by the Kibana 4 server.
This role is included in roles.yml by default as of Shield 1.1. If you are running an older version of Shield, you need to add it yourself.
kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
To configure the Kibana 4 server, you must assign this role to a user and add the user credentials to kibana.yml.
For more information, refer to Configuring Kibana to Work with Shield in the Kibana 4 User Guide.
Configuring Kibana 4 to Use SSL
You should also configure Kibana 4 to use SSL encryption for both client requests and the requests the Kibana server sends to Elasticsearch. For more information, refer to Enabling SSL in the Kibana 4 User Guide.