Skip to main content
We're migrating our documentation. 🚀 Check out our new docs site: docs.saagie.io
Help Center

Articles in this section

Configuring Security on Elastic / Kibana

Avatar
Team Service
  • Updated

Starting from Elastic 6.8, the security features are now available with the Basic License (previously, these core security features required a paid Gold subscription), including : 

  • TLS for encrypted communications
  • File and native realm for creating and managing users
  • Role-based access control for controlling user access to cluster APIs and indexes; also allows multi-tenancy for Kibana with security for Kibana Spaces

If you're using Kibana on Saagie, you can benefit from these features and now segregate access to your ES indices or Kibana Dashboards with roles.

Configuring Elastic Search

If your Elastic Search version is >= 6.8 this means your ES cluster is already configured with the default security configuration (using native realm). Your platform admin should have the password for the built-in elastic user (see here for more details) which is the superuser that can manage users and roles.

Configuring Kibana

You can deploy Kibana on Saagie through a Smart App.

Before doing so, make sure you have the following environment variables configured : 

  • $ELASTICSEARCH_USERNAME  : kibana
  • $ELASTICSEARCH_PASSWORD : <ask your admin for the kibana user password>

mceclip2.png

When doing so, just make sure to use an official Kibana docker image >= 6.8 (e.g. docker.elastic.co/kibana/kibana:6.8.1)

mceclip1.png

Managing Security

Managing Users and Roles

To configure users and roles in the Elastic suite, you can use the Elastic Security API or use Kibana to do so. We recommend the 2nd option which is easier and more visual.

Kibana security screen

To allow Kibana to show the security screen under the Management console, you need to set the the xpack.security.enabled option to true to enable it. For that, just create the following environment variable in Saagie and start/restart your Kibana Smart App : 

  • $XPACK_SECURITY_ENABLED : true

Then you can connect to Kibana using the elastic superuser kibi-ok.jpg

Managing Kibana Spaces

Starting from version 6.5, Kibana introduces the Spaces feature which, paired with the RBAC feature, can allow you to specifiy which users/roles will have access to the different spaces and define inside each space your own visualisations and dashboards.

https://www.elastic.co/fr/blog/introducing-kibana-spaces-for-organization-and-security

Example

Let's say I've created some monitoring visualizations and I want to create some dashboards within Kibana that only a specific sets of users would be granted read-only access. These users won't have access to anything else in Kibana. I also want to create a user that will ingest metrics into Elastic Search but won't be able to connect to Kibana.

For that I need : 

  1. monitoring_writer role with full access to the monitoring indice in ES  2019-07-22_17.11.05.gif
  2. An Elastic user with the monitoring_writer role mceclip0.png
  3. A Kibana space called Monitoring mceclip1.png
  4. monitoring_reader user that will access only the Monitoring space and the monitoring ES indice in read-only  2019-07-22_17.13.09.gif
  5. A Kibana user with the monitoring_reader role mceclip2.png
  6. To import my dashboards inside the Monitoring space mceclip3.png
  7. Reconnect to Kibana with the monitoring_viewer user and have a look at your dashboards inside the Monitoring space! 2019-07-22_17.20.04.gif

 

 

Related articles

Comments

0 comments

Article is closed for comments.