我的书签
添加书签
移除书签Configure security in Kibana
Kibana users have to log in when Elastic Stack security features are enabled on your cluster. You configure roles for your Kibana users to control what data those users can access.
Most requests made through Kibana to Elasticsearch are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the Kibana server needs to make to the Elasticsearch cluster. For this reason, you must configure credentials for the Kibana server to use for those requests.
With security features enabled, if you load a Kibana dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. The security features do not currently provide a way to control which users can load which dashboards.
To use Kibana with security features:
- Configure security in Elasticsearch.
Configure Kibana to use the appropriate built-in user.
Update the following settings in the
kibana.ymlconfiguration file:elasticsearch.username: "kibana_system"elasticsearch.password: "kibanapassword"
The Kibana server submits requests as this user to access the cluster monitoring APIs and the
.kibanaindex. The server does not need access to user indices.The password for the built-in
kibana_systemuser is typically set as part of the security configuration process on Elasticsearch. For more information, see Built-in users.Set the
xpack.security.encryptionKeyproperty in thekibana.ymlconfiguration file. You can use any text string that is 32 characters or longer as the encryption key.xpack.security.encryptionKey: "something_at_least_32_characters"
For more information, see Security settings in Kibana.
Optional: Set a timeout to expire idle sessions. By default, a session stays active until the browser is closed. To define a sliding session expiration, set the
xpack.security.session.idleTimeoutproperty in thekibana.ymlconfiguration file. The idle timeout is formatted as a duration of<count>[ms|s|m|h|d|w|M|Y](e.g. 70ms, 5s, 3d, 1Y). For example, set the idle timeout to expire idle sessions after 10 minutes:xpack.security.session.idleTimeout: "10m"
Optional: Change the maximum session duration or “lifespan” — also known as the “absolute timeout”. By default, a session stays active until the browser is closed. If an idle timeout is defined, a session can still be extended indefinitely. To define a maximum session lifespan, set the
xpack.security.session.lifespanproperty in thekibana.ymlconfiguration file. The lifespan is formatted as a duration of<count>[ms|s|m|h|d|w|M|Y](e.g. 70ms, 5s, 3d, 1Y). For example, set the lifespan to expire sessions after 8 hours:xpack.security.session.lifespan: "8h"
Optional: Configure Kibana to encrypt communications.
- Optional: Configure Kibana to authenticate to Elasticsearch with a client certificate.
- Restart Kibana.
Choose an authentication mechanism and grant users the privileges they need to use Kibana.
For more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication.
To manage privileges, open the menu, then go to Stack Management > Security > Roles.
If you’re using the native realm with Basic Authentication, open then menu, then go to Stack Management > Security > Users to assign roles, or use the user management APIs. For example, the following creates a user named
jacknichand assigns it thekibana_adminrole:POST /_security/user/jacknich{"password" : "t0pS3cr3t","roles" : [ "kibana_admin" ]}
Grant users access to the indices that they will be working with in Kibana.
You can define as many different roles for your Kibana users as you need.
For example, create roles that have
readandview_index_metadataprivileges on specific index patterns. For more information, see User authorization.Verify that you can log in as a user. If you are running Kibana locally, go to
https://localhost:5601and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the userjacknich.This must be a user who has been assigned Kibana privileges. Kibana server credentials should only be used internally by the Kibana server.
