maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/user/security/securing-kibana.asciidoc
Kaarina Tungseth c77619352b
[DOCS] 7.10 Core UI changes (#80407) 
* [DOCS] 7.10 screenCore UI changes

* Kibana access options

* Removed Kibana from Set up Kibana

* Removed rogue symbols

* Update docs/spaces/index.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Update docs/management/managing-beats.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Review comments

* Update docs/user/introduction.asciidoc

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* Review comments

* Changed menu to main menu

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
2020-10-22 09:06:51 -05:00

132 lines
4.7 KiB
Text
Raw Blame History

[role="xpack"]
[[using-kibana-with-security]]
== Configure security in {kib}
++++
<titleabbrev>Configure security</titleabbrev>
++++
{kib} users have to log in when {stack-security-features} are enabled on your
cluster. You configure roles for your {kib} users to control what data those
users can access.
Most requests made through {kib} to {es} are authenticated by using the
credentials of the logged-in user. There are, however, a few internal requests
that the {kib} server needs to make to the {es} cluster. For this reason, you
must configure credentials for the {kib} server to use for those requests.
With {security-features} enabled, if you load a {kib} dashboard that accesses
data in an index that you are not authorized to view, you get an error that
indicates the index does not exist. The {security-features} do not currently
provide a way to control which users can load which dashboards.
To use {kib} with {security-features}:
. {ref}/configuring-security.html[Configure security in {es}].
. Configure {kib} to use the appropriate built-in user.
+
--
Update the following settings in the `kibana.yml` configuration
file:
[source,yaml]
-----------------------------------------------
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibanapassword"
-----------------------------------------------
The {kib} server submits requests as this user to access the cluster monitoring
APIs and the `.kibana` index. The server does _not_ need access to user indices.
The password for the built-in `kibana_system` user is typically set as part of
the security configuration process on {es}. For more information, see
{ref}/built-in-users.html[Built-in users].
--
. Set the `xpack.security.encryptionKey` property in the `kibana.yml`
configuration file. You can use any text string that is 32 characters or longer
as the encryption key.
+
--
[source,yaml]
--------------------------------------------------------------------------------
xpack.security.encryptionKey: "something_at_least_32_characters"
--------------------------------------------------------------------------------
For more information, see <<security-settings-kb,Security settings in {kib}>>.
--
. Configure {kib}'s session expiration settings. Set both the idle timeout and lifespan settings:
+
--
[source,yaml]
--------------------------------------------------------------------------------
xpack.security.session.idleTimeout: "1h"
xpack.security.session.lifespan: "30d"
--------------------------------------------------------------------------------
For more information, see <<xpack-security-session-management, Session management in {kib}>>.
--
. Optional: <<configuring-tls,Configure {kib} to encrypt communications>>.
. Optional: <<elasticsearch-mutual-tls,Configure {kib} to authenticate to {es} with a client certificate>>.
. Restart {kib}.
. [[kibana-roles]]Choose an authentication mechanism and grant users the privileges they need to
use {kib}.
+
--
For more information on Basic Authentication and additional methods of
authenticating {kib} users, see <<kibana-authentication>>.
To manage privileges, open the main menu, then click *Stack Management > Roles*.
If you're using the native realm with Basic Authentication, open then main menu,
then click *Stack Management > Users* to assign roles, or use the
{ref}/security-api.html#security-user-apis[user management APIs]. For example,
the following creates a user named `jacknich` and assigns it the `kibana_admin`
role:
[source,js]
--------------------------------------------------------------------------------
POST /_security/user/jacknich
{
"password" : "t0pS3cr3t",
"roles" : [ "kibana_admin" ]
}
--------------------------------------------------------------------------------
// CONSOLE
--
. Grant users access to the indices that they will be working with in {kib}.
+
--
TIP: You can define as many different roles for your {kib} users as you need.
For example, create roles that have `read` and `view_index_metadata` privileges
on specific index patterns. For more information, see
{ref}/authorization.html[User authorization].
--
. Verify that you can log in as a user. If you are running
{kib} locally, go to `https://localhost:5601` and enter the credentials for a
user you've assigned a {kib} user role. For example, you could log in as the user
`jacknich`.
+
--
NOTE: This must be a user who has been assigned <<kibana-privileges, Kibana privileges>>.
{kib} server credentials should only be used internally by the {kib} server.
--
include::authentication/index.asciidoc[]
include::securing-communications/index.asciidoc[]
include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
include::audit-logging.asciidoc[]
include::access-agreement.asciidoc[]
include::session-management.asciidoc[]
include::secure-saved-objects.asciidoc[]
Reference in a new issue View git blame Copy permalink