Reverse Proxy - Windows Credentials #2419
Comments
|
You would need to setup a proxy of some kind. Kibana does not offer formal support for authentication |
|
I don't think what you are saying would work. In Kibana3, the UI can be instructed to pass credentials to Elasticsearch. Therefore, Elasticsearch can be hidden behind a proxy which enforces authentication (NTLM or Kerberos). When Kibana3 calls the Elasticsearch proxy, the authentication is handled by the browser. With the direction that Kibana4 has gone, there is a ruby application in the middle that proxies the Elasticsearch calls. If the ruby application doesn't handle authentication with the Elasticsearch proxy, then how can the call be made? All in all this seems to prevent us from putting our Elasticsearch clusters behind a secure endpoint. Please correct me if I am wrong about any of this. |
|
I'm using Kibana 4 just fine behind a Apache reverse proxy doing Kerberos auth. I've then firewalled my ES cluster to only allow connections from the server running Kibana (or I could have put the Kibana server on one of my ES hosts, although for heavier usage that might not be a good idea). This is similar to eg. logstash ES ingest - logstash AFAIK doesn't support ES auth either, you secure it with firewalls etc. |
|
While that will work, I wonder how Kibana4 will fit in with Shield.
|
With the newly added service component that is proxying calls to elasticsearch how do we use Windows credentials (NTLM or Kerberos) rather than the basic auth that is currently supported?
The text was updated successfully, but these errors were encountered: