Igor Gatis

Reputation: 4898

How to set up Kibana SSO (through OAuth)?

My company tries very hard to keep an SSO for all third-party services. I'd like to make Kibana work with our Google Apps accounts. Is that possible? How?

Upvotes: 7

Views: 16827

Answers (3)

Oleksandr S.

Reputation: 2024

Use the oauth2-proxy application and Kibana with anonymous authentication configured as in the config below:

xpack.security.authc.providers:
  anonymous.anonymous1:
    order: 0
    credentials:
      username: "username"
      password: "password"

The user whose credentials are specified in the config can be created either via the Kibana UI or via the Elasticsearch create or update users API.

Note! The Kibana instance should not be publicly available; otherwise anybody will be able to access the Kibana UI. Only the oauth2-proxy instance can be publicly available.

Upvotes: 1

Bertrand Martel

Reputation: 45432

From Elasticsearch/Kibana 5.0, the Shield plugin (security plugin) is embedded in X-Pack (paid service). So from Kibana 5.0 you can:

Both these plugins can be used with basic authentication, so you can apply an OAuth2 proxy like this one. One additional proxy would forward the request with the right Authorization header containing the digest base64(username:password).

The procedure is depicted in this article for X-Pack. So you will have:


I've set up a docker-compose configuration in this repo for using either searchguard or X-Pack with Kibana/Elasticsearch 6.1.1:

Upvotes: 6

user559633

Kibana leaves it up to you to implement security. I believe that Elastic's Shield product has support for security-as-a-plugin, but I haven't navigated the subscription model or looked much into it.

The way that I handle this is by using an oauth2 proxy application and using nginx to reverse-proxy to Kibana.

server {
    listen 80;
    server_name kibana.example.org;

    # redirect http->https while we're at it
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    # listen for traffic destined for kibana.example.org:443
    listen 443 default ssl;

    server_name  kibana.example.org;
    ssl_certificate /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/cert.key.pem;
    add_header Strict-Transport-Security max-age=1209600;

    # for https://kibana.example.org/, send to our oauth2 proxy app
    location / {

        # the oauth2 proxy application i use listens on port :4180
        proxy_pass http://127.0.0.1:4180;
        # preserve our host and ip from the request in case we want to
        # dispatch the request to a named nginx directive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 15;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

The request comes in, triggers an nginx directive that sends the request to the oauth application, which in turn handles the SSO resource and redirects to a listening Kibana instance on the server's localhost. It's secure because connections cannot be made directly to Kibana.

Upvotes: 4
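The two proxy-based answers above both rest on the same hop: the OAuth2 proxy authenticates the user, and the request is then forwarded to Kibana with a Basic `Authorization` header built as base64(username:password) for a service account. The following is an added example, not code from any of the answers or from oauth2-proxy, showing what that forwarding hop has to do with the headers. It assumes the proxy marks an authenticated request with an `X-Forwarded-User` header (the name oauth2-proxy uses when configured to pass user headers; treat it as an assumption for your setup), and all request values below are constructed for the demonstration.

```python
"""Header handling for the forwarding hop between an OAuth2 proxy and
Kibana.  Added example, not code from the answers above.  Assumption:
the proxy sets X-Forwarded-User after a successful login."""
import base64
from typing import Dict, Tuple

# Header the OAuth2 proxy is assumed to set for an authenticated user.
IDENTITY_HEADER = "X-Forwarded-User"


def basic_auth_header(username: str, password: str) -> str:
    """Return an HTTP Basic Authorization value: the
    'base64(username:password)' the answers refer to."""
    if ":" in username:
        # RFC 7617 reserves ':' as the user-id/password separator.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(value: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header: what the receiving side (Kibana,
    Elasticsearch) extracts from the header."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pwd = decoded.partition(":")
    if not sep:
        raise ValueError("credentials must be 'user:password'")
    return user, pwd


def forward_headers(inbound: Dict[str, str], username: str,
                    password: str) -> Dict[str, str]:
    """Build the header set for the upstream request to Kibana.

    inbound: headers as received from the OAuth2 proxy hop.
    Rules enforced:
      * refuse the request unless the proxy asserted an identity, so a
        request that bypassed the login never receives credentials;
      * drop any Authorization the client sent, so a caller cannot
        smuggle its own credentials through to Kibana;
      * add the service-account Basic header.
    """
    lowered = {k.lower(): v for k, v in inbound.items()}
    if not lowered.get(IDENTITY_HEADER.lower()):
        raise PermissionError("no identity asserted by the OAuth2 proxy")
    outbound = {
        k: v for k, v in inbound.items()
        if k.lower() not in ("authorization", "proxy-authorization")
    }
    outbound["Authorization"] = basic_auth_header(username, password)
    return outbound


if __name__ == "__main__":
    # Constructed sample request, as it would arrive from the proxy.
    sample = {
        "Host": "kibana.example.org",
        "X-Forwarded-User": "alice@example.org",
        # A client-supplied header that must not reach Kibana.
        "Authorization": "Basic Ym9ndXM6Ym9ndXM=",
    }
    for name, value in forward_headers(sample, "kibana", "secret").items():
        print(f"{name}: {value}")
```

The identity check is what makes the anonymous-Kibana pattern safe to operate: the service account's credentials are attached only to requests the proxy has already authenticated, and a client cannot replace them with its own `Authorization` header.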
