How I configured Authorized Access to Kibana Dashboards

One of the most important missing features of Kibana is authorized access to Kibana charts and dashboards (kibana/issues/1610). Implementing a workaround has been the most difficult part of my Twitter Analytics application. Check it out here.

PROBLEM STATEMENT: I want to allow end-users to play around with the graphs but without affecting other users. Users must be able to do queries to dig deeper and perform interesting analytics on the data. At the same time, they must not be allowed to modify or delete the given default charts or dashboards.

SOLUTION: Introduce an Nginx reverse proxy between the Elasticsearch cluster and the Kibana server. Common users can do `GET` and `POST` to get the required data but not `PUT` and `DELETE` to modify the data. Only admin users can do such operations and modify the data or charts.

```nginx
events {
  worker_connections  1024;
}

http {

  upstream elasticsearch {
      server es_container:9200;
  }

  # Allow read-only access to public
  #
  server {
      listen 8080;

      error_log   errors.log;
      access_log  access.log;

      # Nginx status page, reachable from localhost only
      location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        deny all;
      }

      # $posting collects one character per matching rule below.
      # Basic auth is switched off only when it ends up as exactly "11".
      set $posting 0;
      set $auth_switch "Admin Login";
      if ( $request_method = POST ){
          set $posting 1;
      }
      # Multi-get and multi-search endpoints
      if ( $request_uri ~ ^/(_mget|_msearch)(.*)$ ){
          set $posting "${posting}1";
      }
      # Per-index search and the Kibana config document
      if ( $request_uri ~ ^/(.+)/(_search|config)(.*)$ ){
          set $posting "${posting}1";
      }

      # Read-only methods never need credentials
      if ( $request_method ~ ^(GET|OPTIONS|HEAD)$ ) {
          set $posting 11;
      }

      if ( $posting = 11 ){
          set $auth_switch off;
      }

      # Everything else (PUT, DELETE, other POSTs) needs an admin login
      location / {
          auth_basic $auth_switch;
          auth_basic_user_file /htpasswd;
          proxy_pass http://elasticsearch;
          proxy_redirect off;
          proxy_http_version 1.1;
          proxy_set_header Connection "Keep-Alive";
          proxy_set_header Proxy-Connection "Keep-Alive";
      }
  }
}
```
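
To check which requests the `if` chain above lets through without credentials, the following Python sketch replays it over a handful of constructed requests. It is an added example, not part of the original post; the index and dashboard names are made up, and only the server-level `set`/`if` logic is modelled, not Nginx itself.

```python
import re

# The three regexes from the nginx config above; nginx tests them against the
# raw $request_uri (path plus query string, not normalized).
MULTI = re.compile(r"^/(_mget|_msearch)(.*)$")
SEARCH_OR_CONFIG = re.compile(r"^/(.+)/(_search|config)(.*)$")
SAFE_METHODS = re.compile(r"^(GET|OPTIONS|HEAD)$")


def auth_required(method, request_uri):
    """Replay the set/if chain; True means auth_basic stays "Admin Login"."""
    posting = "0"
    if method == "POST":
        posting = "1"
    if MULTI.search(request_uri):
        posting += "1"
    if SEARCH_OR_CONFIG.search(request_uri):
        posting += "1"
    if SAFE_METHODS.search(method):
        posting = "11"
    return posting != "11"          # auth_switch is "off" only for exactly "11"


# Constructed requests (index and dashboard names are made up for the example).
CASES = [
    ("GET",    "/.kibana/dashboard/_search"),
    ("POST",   "/_msearch?timeout=0"),
    ("POST",   "/tweets-2015/_search"),
    ("POST",   "/tweets-2015/_searchable"),   # no boundary after _search
    ("POST",   "/.kibana/config/4.1.1"),
    ("POST",   "/_msearch/x/_search"),        # both patterns hit: "111"
    ("POST",   "/.kibana/dashboard/Default"),
    ("PUT",    "/tweets-2015/_search"),       # "01", not "11"
    ("DELETE", "/.kibana/dashboard/Default"),
]


def audit(cases=CASES):
    """Return {(method, uri): auth_required} for every case."""
    return {(m, u): auth_required(m, u) for m, u in cases}


if __name__ == "__main__":
    for (m, u), needs_auth in audit().items():
        print(f"{m:7} {u:32} {'auth' if needs_auth else 'open'}")
```

The fourth row passes only because `_search` has no boundary after it; ending the pattern with `(/|\?|$)` instead of `(.*)$` limits the match to a whole path segment.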

Feel free to spot mistakes. You are welcome to contribute to this solution on GitHub.

SHORTCOMING: All the user changes are lost when the user revisits the dashboard at a later time. A workaround could be to bookmark the URLs of modified content.

OTHER SOLUTIONS: There are multiple solutions available to secure your Elasticsearch data, ultimately securing your Kibana dashboards and charts (as all your Kibana elements are stored in the `.kibana` index of your Elasticsearch). They are clearly documented in this article.
