b76f8c00ab
This adds an absolute session timeout (lifespan) to user sessions. It also improves the existing session timeout toast and the overall user experience in several ways.
64 lines
2.7 KiB
Text
64 lines
2.7 KiB
Text
[role="xpack"]
|
|
[[security-settings-kb]]
|
|
=== Security settings in Kibana
|
|
++++
|
|
<titleabbrev>Security settings</titleabbrev>
|
|
++++
|
|
|
|
You do not need to configure any additional settings to use the
|
|
{security-features} in {kib}. They are enabled by default.
|
|
|
|
[float]
|
|
[[general-security-settings]]
|
|
==== General security settings
|
|
|
|
`xpack.security.enabled`::
|
|
By default, {kib} automatically detects whether to enable the
|
|
{security-features} based on the license and whether {es} {security-features}
|
|
are enabled.
|
|
+
|
|
Do not set this to `false`; it disables the login form, user and role management
|
|
screens, and authorization using <<kibana-privileges>>. To disable
|
|
{security-features} entirely, see
|
|
{ref}/security-settings.html[{es} security settings].
|
|
|
|
`xpack.security.audit.enabled`::
|
|
Set to `true` to enable audit logging for security events. By default, it is set
|
|
to `false`. For more details see <<xpack-security-audit-logging>>.
|
|
|
|
[float]
|
|
[[security-ui-settings]]
|
|
==== User interface security settings
|
|
|
|
You can configure the following settings in the `kibana.yml` file:
|
|
|
|
`xpack.security.cookieName`::
|
|
Sets the name of the cookie used for the session. The default value is `"sid"`.
|
|
|
|
`xpack.security.encryptionKey`::
|
|
An arbitrary string of 32 characters or more that is used to encrypt credentials
|
|
in a cookie. It is crucial that this key is not exposed to users of {kib}. By
|
|
default, a value is automatically generated in memory. If you use that default
|
|
behavior, all sessions are invalidated when {kib} restarts.
|
|
In addition, high-availability deployments of {kib} will behave unexpectedly
|
|
if this setting isn't the same for all instances of {kib}.
|
|
|
|
`xpack.security.secureCookies`::
|
|
Sets the `secure` flag of the session cookie. The default value is `false`. It
|
|
is set to `true` if `server.ssl.certificate` and `server.ssl.key` are set. Set
|
|
this to `true` if SSL is configured outside of {kib} (for example, you are
|
|
routing requests through a load balancer or proxy).
|
|
|
|
`xpack.security.session.idleTimeout`::
|
|
Sets the session duration (in milliseconds). By default, sessions stay active
|
|
until the browser is closed. When this is set to an explicit idle timeout, closing
|
|
the browser still requires the user to log back in to {kib}.
|
|
|
|
`xpack.security.session.lifespan`::
|
|
Sets the maximum duration (in milliseconds), also known as "absolute timeout". By
|
|
default, a session can be renewed indefinitely. When this value is set, a session
|
|
will end once its lifespan is exceeded, even if the user is not idle. NOTE: if
|
|
`idleTimeout` is not set, this setting will still cause sessions to expire.
|
|
|
|
`xpack.security.loginAssistanceMessage`::
|
|
Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.
|