Authentication

[rashidkpc]

Kibana authentication layer, phase 1

In the first phase of Kibana’s authentication system we’re focus on just that: authentication. That is, a clean way of allowing for login, logout and sessions that doesn’t require HTTP basic auth to be configured or a proxy to be setup. Authentication will be disabled by default, but enabled via kibana.yml

The login screen

Like any other web application this provides the ability to enter a username and password which will be sent to the server for validation. If validation succeeds the user is allowed into the application, if not they are returned to the login screen.

The session

Before even presenting the login screen we need to check if the user is already logged in. This means we need to keep a session.

Because Elasticsearch has no built in authentication mechanism we don’t consider it a secure location for session storage, thus the user’s client will need to be the authority on the session. Here we’ll use an encrypted cookie containing username:password:timestamp which will be encrypted by the server using a key provided in kibana.yml.

Potential pitfall: Session stealing

Because the cookie will contain everything the user needs to login, it will be vulnerable to session stealing like many other applications. To mitigate this concern we 2 lines of defense:

• Session timeouts Also configurable in kibana.yml should be the session timeout. The server should validate the timestamp on the cookie and redirect the user to the login screen if it is older than the configured timeout allows. The timestamp on the cookie should be updated on every request. This could be infinite, however we should not recommend this.
• Required SSL If the user is using authentication, SSL is required. The server should fail to start if the user does not have SSL turned on, but does have authentication turned on.

Authentication strategies

Regardless of if the user is coming with existing credentials in a cookie, or via a new login, the user will need to be authenticated server side in some way. The user will in fact be re-validated with every request, thus allowing for users to be quickly invalidated simply by removing them from the auth system. Initially we’ll provide a pluggable authentication system with 2 pre-built modules:

• .htpasswd This simple method works just like apache’s, or Shield’s user list. A file containing user names and hashed passwords. The kibana backend will check this file and either allow or deny the user.
• Basic auth proxy In this case, the user’s credentials will be relayed to Elasticsearch’s / endpoint for authentication. If elasticsearch returns a 200, we let the user in, otherwise the user is logged out and returned to the login screen. In addition, the user’s credentials are included on every request to Elasticsearch from the backend. If at any point we receive a 401, the user will be logged out.

Implementing authentication strategies

The auth strategy module should contain 3 functions:

• init(server) Run to initialize the authentication strategy.
• authenticate(request, username, password) Run when attempting to establish the session for the first time, if the user does not have a cookie. It should return a promise that succeeds or fails. If it succeeds the user is issued a cookie, otherwise they are returned to the login screen.
• validate(request, session) (Optional) Run on every request, returns a promise that succeeds or fails. If it fails the user is logged out. The request can be modified here before being sent, including modifying cookies, headers, etc.

Logout

We should add a logout button to the navigation bar. When the user logs out they should be return to the login screen.

[rtoma]

Some feedback:

• +1 for including a timestamp in the session key.
• add logging of events like login (successful or failed) and session timeouts.
• add support for both basic & digest authentication password formats in .htpasswd (see https://httpd.apache.org/docs/2.2/misc/password_encryptions.html)

Please do not forget about authorization. Limiting access to the settings is one of the more popular feature requests.

[megastef]

+1 use passport for authentication https://www.npmjs.com/package/passport
All this exists already in the passport module.

1. Using http basich auth / .htpasswd is not sufficent - epecially enterprise users might want LDAP/Kerberos and other methods.
2. I would suggest to expose an API Hook (like you have already in auth.js) or even better integrate passport and read a configuration file (or .js file) for passport (which could be basic auth / .htpasswd as default)
3. The complete list of authentication Strategies supported by passport:
   https://github.com/jaredhanson/passport/wiki/Strategies

[AlexIoannides]

+1 for passport authentication.

[ssoto]

Passport apport many authentication Strategies
Easy way to add functionalities without many effort.
👍

[bluepuma77]

My two cents: Enable authentication by default.
a) Newbies who test deploy on internet servers do not expose data unintentionally
b) Pros will do configuration anyway, can simply switch it off

In case you wonder why: because humans make mistakes. And that would be bad press for Elastic.
Students find 40k unprotected MongoDB databases, 8 million telco customer records exposed

[elvarb]

.htpasswd is in my opinion not a good way. Hard to manage and basically just a pain. Implementing this will be a waste of time because eventually other and better options will be made.

Basic auth proxy is a valid way because then the user can use whatever authentication method on the reverse proxy. Nginx, Apache, IISARR, F5, Citrix, anything at all. For many people means that they dont have to change a thing since many are already using authentication on the reverse proxy.

If this is used then SSL should be on the reverse proxy side and optional on the Kibana side.

But yes +1 for passport, people need LDAP/Kerberos.

Are there any plans now for ACLs?

[tangyong]

Well, +1 for passport authentication.

[benediktarnold]

+1 for passport. This would allow me to use SAML

[andrely]

+1for LDAP/AD authentication.