kibana/docs/production.asciidoc

[[production]]
== Using Kibana in a Production Environment
When you set up Kibana in a production environment, rather than on your local
machine, you need to consider:

* Where you are going to run Kibana.
* Whether you need to encrypt communications to and from Kibana.
* If you need to control access to your data.

=== Deployment Considerations
How you deploy Kibana largely depends on your use case. If you are the only user,
you can run Kibana on your local machine and configure it to point to whatever 
Elasticsearch instance you want to interact with. Conversely, if you have a large 
number of heavy Kibana users, you might need to load balance across multiple
Kibana instances that are all connected to the same Elasticsearch instance.

While Kibana isn't terribly resource intensive, we still recommend running Kibana 
on its own node, rather than on one of your Elasticsearch nodes. 

=== Configuring Kibana to Work with Shield
If you are using Shield to authenticate Elasticsearch users, you need to provide
Kibana with user credentials so it can access the `.kibana` index. The Kibana user
needs permission to perform the following actions on the `.kibana` index:

----
'.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
----

For more information about configuring access in Shield, 
see https://www.elasticsearch.org/guide/en/shield/current/_shield_with_kibana_4.html[Shield with Kibana 4]
in the Shield documentation.

To configure credentials for Kibana, set the `kibana_elasticsearch_username` and
`kibana_elasticsearch_password` properties in `kibana.yml`:

----
# If your Elasticsearch is protected with basic auth:
kibana_elasticsearch_username: kibana4
kibana_elasticsearch_password: kibana4
----
=== Enabling SSL
Kibana supports SSL encryption for both client requests and the requests the Kibana server 
sends to Elasticsearch.

To encrypt communications between the browser and the Kibana server, you configure the `ssl_key_file `and `ssl_cert_file` properties in `kibana.yml`:

----
# SSL for outgoing requests from the Kibana Server (PEM formatted)
ssl_key_file: /path/to/your/server.key
ssl_cert_file: /path/to/your/server.crt
----

If you are using Shield or a proxy that provides an HTTPS endpoint for Elasticsearch, 
you can configure Kibana to access Elasticsearch via HTTPS so communications between
the Kibana server and Elasticsearch are encrypted. 

To do this, you specify the HTTPS
protocol when you configure the Elasticsearch URL in `kibana.yml`:

----
elasticsearch: "https://<your_elasticsearch_host>.com:9200"
----

If you are using a self-signed certificate for Elasticsearch, set the `ca` property in
`kibana.yml` to specify the location of the PEM file. Setting the `ca` property lets you  leave the `verify_ssl` option enabled.
----
# If you need to provide a CA certificate for your Elasticsarech instance, put
# the path of the pem file here.
ca: /path/to/your/ca/cacert.pem
----

=== Controlling access
You can use http://www.elasticsearch.org/overview/shield/[Elasticsearch Shield] 
(Shield) to control what Elasticsearch data users can access through Kibana. 
Shield provides index-level access control. If a user isn't authorized to run 
the query that populates a Kibana visualization, the user just sees an empty 
visualization. 

To configure access to Kibana using Shield, you create one or more Shield roles 
for Kibana using the `kibana4` default role as a starting point. For more 
information, see http://www.elasticsearch.org/guide/en/shield/current/_shield_with_kibana_4.html[Using Shield with Kibana 4].