How to authenticate in order to access Kibana 2.0? - kibana

Q: Kibana is great, but I want to make it so users have to authenticate in order to access it. How do I do that?
A: This can be handled a number of ways. The best way is to run Kibana with Passenger and Apache or Nginx. There are sample configurations in the sample directory. You can then handle your preferred authentication mechanism with Apache or Nginx.
How do I do this? I do not use any of these programs. Could someone give me a basic overview of what I have to do? Any help would be nice. I am a student and learning, but I need help to keep going; I don't know everything.
I am running Ubuntu.

Well, actually, even if you put a kind of authentication in front of Kibana, it won't be enough. As you probably know, Kibana runs over Elasticsearch, so even if you "limit" permissions to Kibana, everyone can still access Elasticsearch and see existing indices or even create new ones. So the main question is whether you can manage AuthN && AuthZ against Elasticsearch.

For authentication you can integrate Kibana/Elasticsearch with any framework (for example Play, Spring MVC, etc.), whichever you are using. Create a login page (authentication) using the framework, point Kibana to the web server/app server embedded in the framework, and pass the Kibana requests to Elasticsearch and the responses from Elasticsearch back to Kibana through this framework. Basically, this framework will be a mediator between Kibana and Elasticsearch. You also need to block the Elasticsearch server port, so that nobody can access ES directly.
Kibana<-->Intermediate Framework<-->Elastic Search
Hope this helps!
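The setup both answers point at (an authenticating proxy in front of Kibana, with Elasticsearch unreachable from the network), as an added example that is not part of the original posts. It assumes Kibana and Elasticsearch run on the same Ubuntu host with Kibana listening on 127.0.0.1:5601; the hostname, certificate paths and password-file path are placeholders.

```nginx
# Added example; hostname, ports and file paths are assumptions.
#
# Create the password file once (htpasswd is in Ubuntu's apache2-utils package):
#   sudo htpasswd -c /etc/nginx/kibana.htpasswd alice
#
# Keep Elasticsearch off the network so the proxy is the only way in.
# In elasticsearch.yml:
#   network.host: 127.0.0.1

# Redirect plain HTTP so Basic-auth credentials are never sent in clear text.
server {
    listen 80;
    server_name kibana.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name kibana.example.org;

    ssl_certificate     /etc/nginx/tls/kibana.crt;
    ssl_certificate_key /etc/nginx/tls/kibana.key;

    # Every request must carry valid credentials before it is proxied.
    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/kibana.htpasswd;

    location / {
        # Kibana itself is bound to loopback, so it cannot be reached
        # without passing through this server block.
        proxy_pass http://127.0.0.1:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

This gives authentication only: every user who passes the login sees every index, so per-user authorization still has to be enforced at Elasticsearch or in a mediator as described in the second answer.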

Related

Can I add a domain to Firebase hosting via the API?

I want to be able to add domains to Firebase hosting with the API instead of the web UI, is that possible?
I want to add potentially hundreds of domains, is there a domain limit per project in Firebase?
As far as I can tell from the entire CLI documentation, there isn't any way to do this.
Let's take a step back and consider what the web UI process involves, i.e. the generation of a TXT record to add to your DNS records and, after verifying the presence of said TXT record on the domain, providing A records that you (the authorized owner) add to allow redirecting to your Firebase-hosted site.
In my opinion, this very manual back and forth is necessary as a security measure. The only way it is taken out of the equation via the CLI is by providing a means for you to authenticate ownership of a domain (registered with any one of many domain registrars), and being granted authorization to change your A records. These are both outside the scope of Firebase, and could potentially introduce severe security flaws. Regardless, even if it existed, it would still have to be step-by-step and somewhat manual via CLI rather than the single command it sounds like you're looking for.
It is not possible to add custom domains automatically through an API at this time.
Nor would it allow you to create a reseller or multi-tenant project (i.e. connect a large number of domains or subdomains dynamically), since you cannot connect more than about 36 domains to one project.
It's possible to add domains using the Firebase Hosting REST API. I am not sure why they didn't put it on their official website, but I checked today and it works. https://developers.google.com/resources/api-libraries/documentation/firebasehosting/v1beta1/java/latest/com/google/api/services/firebasehosting/v1beta1/FirebaseHosting.Sites.Domains.html
Answer that I've received from Firebase support:
There is no API yet that would allow you to add custom domains, it was requested as a feature before but unfortunately we have no more information on that - so for now, only the Console UI allows you to do it.
When it comes to the limits, in a project, a custom domain is attached to a site - there can be 36 sites per project, and for one site there is no hard limit, but we recommend not exceeding 20 custom domains. You can experience technical issues with SSL certs when you exceed 20 domains per site, which we won’t be able to troubleshoot since the system was not designed for such use cases.

Can NGINX be used to route traffic to a Firebase project?

It's unclear to me and I haven't attempted it yet, but I would like to know if I can have an NGINX server routing traffic to a Firebase instance. I can't find relevant articles on the internet or here, so maybe some of you have already tried this.
Background:
Our React app is running on Firebase already. But, we also have a landing page/website which is backed by Webflow.io to allow quicker edits with less developer frustration. They are also running on separate domains.
We already have an instance of NGINX (inside a Docker container) as part of our API gateway, so it would be good to use the same instance.
Result:
What we are looking to achieve is to put both the React app and the landing page on the same domain, then use NGINX to route to the required instance depending on whether the user is logged in or not. Has anyone attempted something like this? If this doesn't work, I'm open to general ideas on how to make it better from your experience.
You can totally do this. For example, if you're using OAuth you can perform a token introspection from nginx whose result will determine the route to use; take a look at this: https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/
Alternatively, you can use something similar to the Google IAP, which is probably easier to secure for production. I know that ory/oathkeeper is easy to use, open source and highly customizable.
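A sketch of the routing described in the answer above, added here as an example and not taken from the original post or the linked article. It uses nginx's `auth_request` module and assumes a small internal verification service at 127.0.0.1:9000/verify that returns 2xx for a valid token or session and 401 otherwise (for instance by wrapping the OAuth introspection call); the hostnames and certificate paths are placeholders.

```nginx
# Added example; all hostnames, paths and the /verify service are assumptions.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.crt;
    ssl_certificate_key /etc/nginx/tls/www.key;

    location / {
        # Ask the verification service before choosing a backend.
        auth_request /_auth_check;
        # Not logged in (401 from the subrequest): serve the landing page instead.
        error_page 401 = @landing;

        # Logged in: the React app on Firebase Hosting.
        proxy_pass https://your-project.web.app;
        proxy_set_header Host your-project.web.app;
        proxy_ssl_server_name on;   # send SNI so the hosting edge picks the right site
    }

    location = /_auth_check {
        internal;                   # not reachable by clients directly
        proxy_pass http://127.0.0.1:9000/verify;
        # The check only needs the headers (cookies, Authorization), not the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location @landing {
        # Landing page/website hosted on Webflow.
        proxy_pass https://your-site.webflow.io;
        proxy_set_header Host your-site.webflow.io;
        proxy_ssl_server_name on;
    }
}
```

The proxy decision here only selects which site a visitor sees; the API behind the gateway still has to validate the token on every request, since the static app remains reachable on its own hosting domain.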

Permission error on user management

We just set up Elasticsearch, Logstash and Kibana on our Swisscom Application Cloud instance. Now when I log in to Kibana with the full_access_username and full_access_password, I can do almost everything except add new users and manage existing ones under settings - user management.
There I always get a message saying:
You do not have permission to manage users. Please contact your administrator.
Does any of you have an idea on how to fix that?
We'd like to have different users and give them permissions on some indices and attributes only.
Thanks in advance for your help.
As Swisscom provides their Elasticsearch Service as managed, you have some limitations in terms of administrative functions. At the time of writing this includes cluster and user management as well as watches.
You can provide new users by creating service keys: cf create-service-key <service-instance-name> <service-key-name>

Can someone please explain how to use Kibana dashboards from a .Net web application without viewing other users' data?

In a forthcoming web application, we will be using Elasticsearch as the repo for our .Net-based web application.
I would like to be able to create a set of dashboards in Kibana that will reflect each user's specific data. That is, a logged in user will see their own data reflected in the Kibana dashboard. I would also like to allow users to create their own dashboards through Kibana as well.
I have read about Shield and user roles in the Kibana documentation, but I am unclear as to whether or not this is necessary.
In terms of our proposed architecture, the Kibana and ES server are blocked from the outside world, only accessible by web server requests (.Net application). User authentication has already been done through the .Net application, and request filtering implemented in a way that the logged-in userID is appended to all data queries.
Is it possible to send filtered (parameterized) requests for data to Kibana, and is it possible to accomplish this, if so, how?
Thank you.

How to achieve that user is also the author of a task in Phabricator's Maniphest via Conduit API?

The Conduit API in Phabricator does not support setting the authorPHID parameter when calling maniphest.createtask. I can imagine this is because of security or some logical reason.
But I am developing my own frontend for Maniphest where the users (logged in through Phabricator, so they are phab users and have a PHID) will add and edit tasks. What I need is that if a user creates a task, he is also the author of the task.
But the problem is that I can't connect to Conduit as any user other than "apibot", because I don't have the others' certificates in my front-end to do it. But if I log in as "apibot", then "apibot" is set as the author of the task.
Three possible solutions came to my mind:
1. retrieve certificate directly from phab's database
2. keep a list of certificates in some file in my front-end and update it manually every time somebody registers
I guess none of them are really smart...
The third solution would be nice, but I didn't find a way to do it:
3. log in as "apibot", get the certificate of userXY and then log in as userXY
What would you suggest?
