Shield with Kibana 4

edit

Kibana 4 adds a server-side component that changes the integration with Shield and the steps required to configure Shield, Elasticsearch, and Kibana to work together. With Kibana 4, the browser makes requests to the Kibana 4 server, and not to Elasticsearch directly. The Kibana 4 server then makes requests to Elasticsearch on behalf of the browser. We recommend using separate roles for your users who log into Kibana and for the Kibana 4 server itself.

Configuring Roles for Kibana 4 Users

edit

Kibana users need access to the indices that they will be working with and the .kibana index where their saved searches, visualizations, and dashboards are stored. Shield includes a default kibana4 role that grants read access to all indices and full access to the .kibana index.

The default Kibana 4 user role grants read access to all indices. We strongly recommend deriving custom roles for your Kibana users that limit access to specific indices according to your organization’s goals and policies.

kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

To constrain Kibana’s access to specific indices, explicitly specify the index names in your role. When configuring a role for a Kibana user and granting access to a specific index, at a minimum the user needs the following privileges on the index:

  • indices:admin/mappings/fields/get
  • indices:admin/validate/query
  • indices:data/read/search
  • indices:data/read/msearch
  • indices:admin/get

Configuring a Role for the Kibana 4 Server

edit

The Kibana 4 server needs access to the cluster monitoring APIs and the .kibana index. However, the server does not need access to user indexes. The following kibana4_server role shows the privileges required by the Kibana 4 server.

This role is included in roles.yml by default as of Shield 1.1. If you are running an older version of Shield, you need to add it yourself.

kibana4_server:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

To configure the Kibana 4 server, you must assign this role to a user and add the user credentials to kibana.yml. For more information, refer to Configuring Kibana to Work with Shield in the Kibana 4 User Guide.

Configuring Kibana 4 to Use SSL

edit

You should also configure Kibana 4 to use SSL encryption for both client requests and the requests the Kibana server sends to Elasticsearch. For more information, refer to Enabling SSL in the Kibana 4 User Guide.