Configure security in Kibana

edit

Configure security in Kibana

edit

When you start Elasticsearch for the first time, Elastic Stack security features are enabled on your cluster and TLS is configured automatically. The security configuration process generates a password for the elastic user and an enrollment token for Kibana. Start the Elastic Stack with security enabled and then enroll Kibana as part of the configuration process.

You can then log in to Kibana as the elastic user to create additional roles and users.

When a user is not authorized to view data in an index (such as an Elasticsearch index), the entire index will be inaccessible and not display in Kibana.

Configure security settings

edit

Set an encryption key so that sessions are not invalidated. You can optionally configure additional security settings and authentication.

  1. Set the xpack.security.encryptionKey property in the kibana.yml configuration file. You can use any text string that is 32 characters or longer as the encryption key. Refer to xpack.security.encryptionKey.

    xpack.security.encryptionKey: "something_at_least_32_characters"

    Kibana’s reporting and saved objects features also have encryption key settings. Refer to xpack.reporting.encryptionKey and xpack.encryptedSavedObjects.encryptionKey respectively.

  2. Optional: Configure Kibana’s session expiration settings.
  3. Optional: Configure Kibana to authenticate to Elasticsearch with a client certificate.
  4. Restart Kibana.

Create roles and users

edit

Configure roles for your Kibana users to control what data those users can access.

  1. Temporarily log in to Kibana using the built-in elastic superuser so you can create new users and assign roles. If you are running Kibana locally, go to https://127.0.0.1:5601 to view the login page.

    The password for the built-in elastic user is generated as part of the security configuration process on Elasticsearch. If you need to reset the password for the elastic user or other built-in users, run the elasticsearch-reset-password tool.

  2. Create roles and users to grant access to Kibana.

    To manage privileges in Kibana, go to the Roles management page using the navigation menu or the global search field. The built-in kibana_admin role will grant access to Kibana with administrator privileges. Alternatively, you can create additional roles that grant limited access to Kibana.

    If you’re using the default native realm with Basic Authentication, go to the Users management page using the navigation menu or the global search field to create users and assign roles, or use the Elasticsearch user management APIs. For example, the following creates a user named jacknich and assigns it the kibana_admin role:

    POST /_security/user/jacknich
    {
      "password" : "t0pS3cr3t",
      "roles" : [ "kibana_admin" ]
    }

    For more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication.

  3. Grant users access to the indices that they will be working with in Kibana.

    You can define as many different roles for your Kibana users as you need.

    For example, create roles that have read and view_index_metadata privileges on specific data views. For more information, see User authorization.

  4. Log out of Kibana and verify that you can log in as a normal user. If you are running Kibana locally, go to https://127.0.0.1:5601 and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the user jacknich.

    This must be a user who has been assigned Kibana privileges. Kibana server credentials (the built-in kibana_system user) should only be used internally by the Kibana server.