[role="xpack"]
[[using-kibana-with-security]]
== Configuring Security in Kibana
++++
<titleabbrev>Configuring Security</titleabbrev>
++++

{kib} users have to log in when {security} is enabled on your cluster. You
configure {security} roles for your {kib} users to control what data those users
can access.

Most requests made through {kib} to {es} are authenticated by using the
credentials of the logged-in user. There are, however, a few internal requests
that the {kib} server needs to make to the {es} cluster. For this reason, you
must configure credentials for the {kib} server to use for those requests.

With {security} enabled, if you load a {kib} dashboard that accesses data in an
index that you are not authorized to view, you get an error that indicates the
index does not exist. {security} does not currently provide a way to control
which users can load which dashboards.

To use {kib} with {security}:

. {ref}/configuring-security.html[Configure security in {es}].

. Configure {kib} to use the appropriate built-in user.
+
--
Update the following settings in the `kibana.yml` configuration
file:

[source,yaml]
-----------------------------------------------
elasticsearch.username: "kibana"
elasticsearch.password: "kibanapassword"
-----------------------------------------------

The {kib} server submits requests as this user to access the cluster monitoring
APIs and the `.kibana` index. The server does _not_ need access to user indices.

The password for the built-in `kibana` user is typically set as part of the
{security} configuration process on {es}. For more information, see
{stack-ov}/built-in-users.html[Built-in users].
--

. Set the `xpack.security.encryptionKey` property in the `kibana.yml`
configuration file. You can use any text string that is 32 characters or longer
as the encryption key.
+
--
[source,yaml]
--------------------------------------------------------------------------------
xpack.security.encryptionKey: "something_at_least_32_characters"
--------------------------------------------------------------------------------

For more information, see <<security-settings-kb,Security Settings in {kib}>>.
--

. Optional: Change the default session duration. By default, sessions stay
active until the browser is closed. To change the duration, set the
`xpack.security.sessionTimeout` property in the `kibana.yml` configuration file.
The timeout is specified in milliseconds. For example, set the timeout to 600000
to expire sessions after 10 minutes:
+
--
[source,yaml]
--------------------------------------------------------------------------------
xpack.security.sessionTimeout: 600000
--------------------------------------------------------------------------------
--

. Optional: <<configuring-tls,Configure {kib} to encrypt communications>>. 

. Restart {kib}.

[[kibana-roles]]
. Choose an authentication mechanism and grant users the privileges they need to
use {kib}.
+
--
For more information on Basic Authentication and additional methods of
authenticating {kib} users, see <<kibana-authentication>>.

You can manage privileges on the *Management / Security / Roles* page in {kib}.

If you're using the native realm with Basic Authentication, you can assign roles
using the *Management / Security / Users* page in {kib} or the
{ref}/security-api-users.html[User Management API]. For example, the following
creates a user named `jacknich` and assigns it the `kibana_user` role:

[source,js]
--------------------------------------------------------------------------------
POST /_xpack/security/user/jacknich
{
  "password" : "t0pS3cr3t",
  "roles" : [ "kibana_user" ]
}
--------------------------------------------------------------------------------
// CONSOLE
--

. Grant users access to the indices that they will be working with in {kib}.
+
--
TIP: You can define as many different roles for your {kib} users as you need.

For example, create roles that have `read` and `view_index_metadata` privileges
on specific index patterns. For more information, see
{xpack-ref}/authorization.html[Configuring Role-based Access Control].

--

. Verify that you can log in as a user. If you are running
{kib} locally, go to `https://localhost:5601` and enter the credentials for a
user you've assigned a {kib} user role. For example, you could log in as the
`jacknich` user created above.
+
--

NOTE: This must be a user who has been assigned the `kibana_user` role.
{kib} server credentials should only be used internally by the {kib} server.

--

For more information about the settings in these steps, see
<<security-settings-kb>>.

include::authentication/index.asciidoc[]
include::securing-communications/index.asciidoc[]
include::audit-logging.asciidoc[]
include::{kib-repo-dir}/settings/security-settings.asciidoc[]