securing-kibana.asciidoc

File metadata and controls

147 lines (120 loc) · 5.51 KB

Configuring security in {kib}


{kib} users have to log in when {security} is enabled on your cluster. You configure {security} roles for your {kib} users to control what data those users can access.

Most requests made through {kib} to {es} are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the {kib} server needs to make to the {es} cluster. For this reason, you must configure credentials for the {kib} server to use for those requests.

With {security} enabled, if you load a {kib} dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. {security} does not currently provide a way to control which users can load which dashboards.

To use {kib} with {security}:

  1. {ref}/configuring-security.html[Configure security in {es}].

  2. Configure {kib} to use the appropriate built-in user.

    Update the following settings in the kibana.yml configuration file:

    elasticsearch.username: "kibana"
    elasticsearch.password: "kibanapassword"

    The {kib} server submits requests as this user to access the cluster monitoring APIs and the .kibana index. The server does not need access to user indices.

    The password for the built-in kibana user is typically set as part of the {security} configuration process on {es}. For more information, see {ref}/built-in-users.html[Built-in users].

  3. Set the xpack.security.encryptionKey property in the kibana.yml configuration file. You can use any text string that is 32 characters or longer as the encryption key.

    xpack.security.encryptionKey: "something_at_least_32_characters"

    For more information, see Security Settings in {kib}.

  4. Optional: Set a timeout to expire idle sessions. By default, a session stays active until the browser is closed. To define a sliding session expiration, set the xpack.security.session.idleTimeout property in the kibana.yml configuration file. The idle timeout is formatted as a duration of <count>[ms|s|m|h|d|w|M|Y] (e.g. '70ms', '5s', '3d', '1Y'). For example, set the idle timeout to expire idle sessions after 10 minutes:

    xpack.security.session.idleTimeout: "10m"

  5. Optional: Change the maximum session duration or "lifespan" — also known as the "absolute timeout". By default, a session stays active until the browser is closed. If an idle timeout is defined, a session can still be extended indefinitely. To define a maximum session lifespan, set the xpack.security.session.lifespan property in the kibana.yml configuration file. The lifespan is formatted as a duration of <count>[ms|s|m|h|d|w|M|Y] (e.g. '70ms', '5s', '3d', '1Y'). For example, set the lifespan to expire sessions after 8 hours:

    xpack.security.session.lifespan: "8h"

  6. Optional: Configure {kib} to encrypt communications.

  7. Optional: Configure {kib} to authenticate to {es} with a client certificate.

  8. Restart {kib}.

  9. Choose an authentication mechanism and grant users the privileges they need to use {kib}.

    For more information on Basic Authentication and additional methods of authenticating {kib} users, see [kibana-authentication].

    You can manage privileges on the Management / Security / Roles page in {kib}.

    If you’re using the native realm with Basic Authentication, you can assign roles using the Management / Security / Users page in {kib} or the {ref}/security-api.html#security-user-apis[user management APIs]. For example, the following creates a user named jacknich and assigns it the kibana_admin role:

    POST /_security/user/jacknich
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "kibana_admin" ]
    }

  10. Grant users access to the indices that they will be working with in {kib}.

    Tip
    You can define as many different roles for your {kib} users as you need.

    For example, create roles that have read and view_index_metadata privileges on specific index patterns. For more information, see {ref}/authorization.html[User authorization].

  11. Verify that you can log in as a user. If you are running {kib} locally, go to https://localhost:5601 and enter the credentials for a user you’ve assigned a {kib} user role. For example, you could log in as the user jacknich.

    Note
    This must be a user who has been assigned Kibana privileges. {kib} server credentials should only be used internally by the {kib} server.
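The settings that steps 2 through 5 above put into kibana.yml are easy to get subtly wrong: a documentation placeholder left in place, an encryption key under 32 characters, or a session duration in a format {kib} does not accept. The following checker is an added example, not part of the Kibana project or of this documentation; it reads a flat kibana.yml (only `key: value` lines, which is enough for these settings), parses the `<count>[ms|s|m|h|d|w|M|Y]` duration format, and reports findings before you restart {kib}. The two embedded kibana.yml samples are constructed, with made-up credentials; the 30-day month and 365-day year used to compare durations are assumptions of this example.

```python
"""Audit the kibana.yml security settings described in steps 2-5.

Added example, not Kibana project code. Parses flat `key: value` lines only.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level setting message")

DURATION_RE = re.compile(r"^(\d+)(ms|s|m|h|d|w|M|Y)$")
# Milliseconds per unit; M and Y use 30- and 365-day approximations (assumption).
UNIT_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000,
           "w": 7 * 86_400_000, "M": 30 * 86_400_000, "Y": 365 * 86_400_000}
# Placeholder values copied from the doc text; they must never reach production.
DOC_PLACEHOLDERS = {"kibanapassword", "something_at_least_32_characters"}


def parse_duration_ms(text):
    """Convert '<count>[ms|s|m|h|d|w|M|Y]' to milliseconds; raise on a bad format."""
    m = DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a duration: {text!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2)]


def parse_flat_yml(text):
    """Read dotted `key: value` lines, skipping blanks and comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # drop surrounding quotes
        settings[key.strip()] = value
    return settings


def audit_settings(settings):
    """Return Findings for the credentials, encryption key and session settings."""
    findings = []
    user = settings.get("elasticsearch.username")
    if user is None:
        findings.append(Finding("error", "elasticsearch.username",
                                "missing; the Kibana server cannot make its internal requests"))
    elif user != "kibana":
        findings.append(Finding("warn", "elasticsearch.username",
                                f"{user!r} is not the built-in kibana user; the server needs no access to user indices"))
    pw = settings.get("elasticsearch.password")
    if not pw:
        findings.append(Finding("error", "elasticsearch.password", "missing"))
    elif pw in DOC_PLACEHOLDERS:
        findings.append(Finding("error", "elasticsearch.password", "documentation placeholder left in place"))
    key = settings.get("xpack.security.encryptionKey", "")
    if key in DOC_PLACEHOLDERS:
        findings.append(Finding("error", "xpack.security.encryptionKey", "documentation placeholder left in place"))
    elif len(key) < 32:
        findings.append(Finding("error", "xpack.security.encryptionKey",
                                f"{len(key)} characters; must be at least 32"))
    durations = {}
    for name in ("xpack.security.session.idleTimeout", "xpack.security.session.lifespan"):
        value = settings.get(name)
        if value is None:
            findings.append(Finding("info", name, "not set; sessions last until the browser is closed"))
            continue
        try:
            durations[name] = parse_duration_ms(value)
        except ValueError as exc:
            findings.append(Finding("error", name, str(exc)))
    idle = durations.get("xpack.security.session.idleTimeout")
    lifespan = durations.get("xpack.security.session.lifespan")
    if idle is not None and lifespan is not None and lifespan < idle:
        findings.append(Finding("warn", "xpack.security.session.lifespan",
                                "shorter than the idle timeout, so the idle timeout never takes effect"))
    return findings


def audit_kibana_yml(text):
    """Parse kibana.yml text and audit it."""
    return audit_settings(parse_flat_yml(text))


# Constructed sample: a first attempt with the documentation placeholders still in place.
WEAK_KIBANA_YML = """\
elasticsearch.username: "elastic"
elasticsearch.password: "kibanapassword"
xpack.security.encryptionKey: "something_at_least_32_characters"
xpack.security.session.idleTimeout: "10x"
"""

# Constructed sample: the values below are made up and are not real credentials.
HARDENED_KIBANA_YML = """\
elasticsearch.username: "kibana"
elasticsearch.password: "Example-0nly-Kibana-Pw-7Qx2"
xpack.security.encryptionKey: "made-up-encryption-key-with-enough-length-0123456789"
xpack.security.session.idleTimeout: "10m"
xpack.security.session.lifespan: "8h"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_KIBANA_YML), ("hardened", HARDENED_KIBANA_YML)):
        print(f"== {label} ==")
        for f in audit_kibana_yml(text) or [Finding("ok", "-", "no findings")]:
            print(f"[{f.level}] {f.setting}: {f.message}")
```

Run it against your own kibana.yml by passing the file contents to `audit_kibana_yml`. The checker deliberately treats the placeholder key as a failure even though it is exactly 32 characters: meeting the length rule is not the same as having a secret value.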