128 lines
5.4 KiB
Text
128 lines
5.4 KiB
Text
[role="xpack"]
|
|
[[using-kibana-with-security]]
|
|
== Configure security in {kib}
|
|
++++
|
|
<titleabbrev>Configure security</titleabbrev>
|
|
++++
|
|
|
|
{kib} users have to log in when {stack-security-features} are enabled on your
|
|
cluster. You configure roles for your {kib} users to control what data those
|
|
users can access.
|
|
|
|
Most requests made through {kib} to {es} are authenticated by using the
|
|
credentials of the logged-in user. There are, however, a few internal requests
|
|
that the {kib} server needs to make to the {es} cluster. For this reason, you
|
|
must configure credentials for the {kib} server to use for those requests.
|
|
|
|
With {security-features} enabled, if you load a {kib} dashboard that accesses
|
|
data in an index that you are not authorized to view, you get an error that
|
|
indicates the index does not exist. The {security-features} do not currently
|
|
provide a way to control which users can load which dashboards.
|
|
|
|
To use {kib} with {security-features}:
|
|
|
|
. {ref}/configuring-security.html[Configure security in {es}].
|
|
|
|
. Configure {kib} to use the appropriate built-in user.
|
|
+
|
|
--
|
|
Update the following settings in the `kibana.yml` configuration
|
|
file:
|
|
|
|
[source,yaml]
|
|
-----------------------------------------------
|
|
elasticsearch.username: "kibana_system"
|
|
elasticsearch.password: "kibanapassword"
|
|
-----------------------------------------------
|
|
|
|
The {kib} server submits requests as this user to access the cluster monitoring
|
|
APIs and the `.kibana` index. The server does _not_ need access to user indices.
|
|
|
|
NOTE: The password for the built-in `kibana_system` user is typically set as part of the security configuration process on {es}. For more
|
|
information, see {ref}/built-in-users.html[Built-in users].
|
|
--
|
|
|
|
. Set the `xpack.security.encryptionKey` property in the `kibana.yml`
|
|
configuration file. You can use any text string that is 32 characters or longer
|
|
as the encryption key.
|
|
+
|
|
--
|
|
[source,yaml]
|
|
--------------------------------------------------------------------------------
|
|
xpack.security.encryptionKey: "something_at_least_32_characters"
|
|
--------------------------------------------------------------------------------
|
|
|
|
For more information, see <<security-settings-kb,Security settings in {kib}>>.
|
|
--
|
|
|
|
. Configure {kib}'s session expiration settings. Set both the idle timeout and lifespan settings:
|
|
+
|
|
--
|
|
[source,yaml]
|
|
--------------------------------------------------------------------------------
|
|
xpack.security.session.idleTimeout: "1h"
|
|
xpack.security.session.lifespan: "30d"
|
|
--------------------------------------------------------------------------------
|
|
|
|
For more information, see <<xpack-security-session-management, Session management in {kib}>>.
|
|
--
|
|
|
|
. Optional: <<configuring-tls,Configure {kib} to encrypt communications>>.
|
|
|
|
. Optional: <<elasticsearch-mutual-tls,Configure {kib} to authenticate to {es} with a client certificate>>.
|
|
|
|
. Restart {kib}.
|
|
|
|
. Temporarily log in to {kib} using the built-in `elastic` superuser so you can create new users and assign roles. If you are running {kib}
|
|
locally, go to `https://localhost:5601` to view the login page.
|
|
+
|
|
NOTE: The password for the built-in `elastic` user is typically set as part of the security configuration process on {es}. For more
|
|
information, see {ref}/built-in-users.html[Built-in users].
|
|
|
|
. [[kibana-roles]]Create roles and users to grant access to {kib}.
|
|
+
|
|
--
|
|
To manage privileges in {kib}, open the main menu, then click *Stack Management > Roles*. The built-in `kibana_admin` role will grant
|
|
access to {kib} with administrator privileges. Alternatively, you can create additional roles that grant limited access to {kib}.
|
|
|
|
If you're using the default native realm with Basic Authentication, open the main menu, then click *Stack Management > Users* to create
|
|
users and assign roles, or use the {es} {ref}/security-api.html#security-user-apis[user management APIs]. For example, the following creates
|
|
a user named `jacknich` and assigns it the `kibana_admin` role:
|
|
|
|
[source,js]
|
|
--------------------------------------------------------------------------------
|
|
POST /_security/user/jacknich
|
|
{
|
|
"password" : "t0pS3cr3t",
|
|
"roles" : [ "kibana_admin" ]
|
|
}
|
|
--------------------------------------------------------------------------------
|
|
// CONSOLE
|
|
|
|
TIP: For more information on Basic Authentication and additional methods of authenticating {kib} users, see <<kibana-authentication>>.
|
|
--
|
|
|
|
. Grant users access to the indices that they will be working with in {kib}.
|
|
+
|
|
--
|
|
TIP: You can define as many different roles for your {kib} users as you need.
|
|
|
|
For example, create roles that have `read` and `view_index_metadata` privileges
|
|
on specific index patterns. For more information, see
|
|
{ref}/authorization.html[User authorization].
|
|
|
|
--
|
|
|
|
. Log out of {kib} and verify that you can log in as a normal user. If you are running {kib} locally, go to `https://localhost:5601` and
|
|
enter the credentials for a user you've assigned a {kib} user role. For example, you could log in as the user `jacknich`.
|
|
+
|
|
NOTE: This must be a user who has been assigned <<kibana-privileges, Kibana privileges>>. {kib} server credentials (the built-in
|
|
`kibana_system` user) should only be used internally by the {kib} server.
|
|
|
|
include::authentication/index.asciidoc[]
|
|
include::securing-communications/index.asciidoc[]
|
|
include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
|
|
include::audit-logging.asciidoc[]
|
|
include::access-agreement.asciidoc[]
|
|
include::session-management.asciidoc[]
|
|
include::secure-saved-objects.asciidoc[]
|