Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reverse Proxy - Windows Credentials #2419

Closed
kadaan opened this issue Dec 19, 2014 · 4 comments
Closed

Reverse Proxy - Windows Credentials #2419

kadaan opened this issue Dec 19, 2014 · 4 comments

Comments

@kadaan
Copy link

kadaan commented Dec 19, 2014

With the newly added service component that is proxying calls to elasticsearch how do we use Windows credentials (NTLM or Kerberos) rather than the basic auth that is currently supported?

@rashidkpc
Copy link
Contributor

You would need to setup a proxy of some kind. Kibana does not offer formal support for authentication

@kadaan
Copy link
Author

kadaan commented Dec 19, 2014

I don't think what you are saying would work. In Kibana3, the UI can be instructed to pass credentials to Elasticsearch. Therefore, Elasticsearch can be hidden behind a proxy which enforces authentication (NTLM or Kerberos). When Kibana3 calls the Elasticsearch proxy, the authentication is handled by the browser.

With the direction that Kibana4 has gone, there is a ruby application in the middle that proxies the Elasticsearch calls. If the ruby application doesn't handle authentication with the Elasticsearch proxy, then how can the call be made?

All in all this seems to prevent us from putting our Elasticsearch clusters behind a secure endpoint. Please correct me if I am wrong about any of this.

@jimmyjones2
Copy link
Contributor

I'm using Kibana 4 just fine behind a Apache reverse proxy doing Kerberos auth. I've then firewalled my ES cluster to only allow connections from the server running Kibana (or I could have put the Kibana server on one of my ES hosts, although for heavier usage that might not be a good idea). This is similar to eg. logstash ES ingest - logstash AFAIK doesn't support ES auth either, you secure it with firewalls etc.

@kadaan
Copy link
Author

kadaan commented Dec 22, 2014

While that will work, I wonder how Kibana4 will fit in with Shield.

On Dec 21, 2014, at 6:15 AM, jimmyjones2 notifications@github.com wrote:

I'm using Kibana 4 just fine behind a Apache reverse proxy doing Kerberos auth. I've then firewalled my ES cluster to only allow connections from the server running Kibana (or I could have put the Kibana server on one of my ES hosts, although for heavier usage that might not be a good idea). This is similar to eg. logstash ES ingest - logstash AFAIK doesn't support ES auth either, you secure it with firewalls etc.


Reply to this email directly or view it on GitHub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants