- Kibana Guide: other versions:
- What is Kibana?
- What’s new in 7.15
- Kibana concepts
- Quick start
- Set up
- Install Kibana
- Configure Kibana
- Alerting and action settings
- APM settings
- Banners settings
- Development tools settings
- Graph settings
- Fleet settings
- i18n settings
- Logging settings
- Logs settings
- Metrics settings
- Machine learning settings
- Monitoring settings
- Reporting settings
- Secure settings
- Search sessions settings
- Security settings
- Spaces settings
- Task Manager settings
- Telemetry settings
- URL drilldown settings
- Start and stop Kibana
- Access Kibana
- Securing access to Kibana
- Add data
- Upgrade Kibana
- Configure security
- Configure reporting
- Configure monitoring
- Production considerations
- Discover
- Dashboard and visualizations
- Canvas
- Maps
- Build a map to compare metrics by country or region
- Track, visualize, and alert on assets in real time
- Map custom regions with reverse geocoding
- Heat map layer
- Tile layer
- Vector layer
- Plot big data
- Search geographic data
- Configure map settings
- Connect to Elastic Maps Service
- Import geospatial data
- Troubleshoot
- Reporting and sharing
- Machine learning
- Graph
- Alerting
- Observability
- APM
- Security
- Dev Tools
- Fleet
- Osquery
- Stack Monitoring
- Stack Management
- REST API
- Get features API
- Kibana spaces APIs
- Kibana role management APIs
- User session management APIs
- Saved objects APIs
- Index patterns APIs
- Alerting APIs
- Action and connector APIs
- Import and export dashboard APIs
- Logstash configuration management APIs
- Shorten URL
- Get Task Manager health
- Upgrade assistant APIs
- Kibana plugins
- Accessibility
- Release notes
- Developer guide
Configure security in Kibana
editConfigure security in Kibana
editKibana users have to log in when Elastic Stack security features are enabled on your cluster. You configure roles for your Kibana users to control what data those users can access.
Most requests made through Kibana to Elasticsearch are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the Kibana server needs to make to the Elasticsearch cluster. For this reason, you must configure credentials for the Kibana server to use for those requests.
With security features enabled, if you load a Kibana dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. The security features do not currently provide a way to control which users can load which dashboards.
To use Kibana with security features:
- Configure security in Elasticsearch.
-
Configure Kibana to use the appropriate built-in user.
Update the following settings in the
kibana.yml
configuration file:elasticsearch.username: "kibana_system" elasticsearch.password: "kibanapassword"
The Kibana server submits requests as this user to access the cluster monitoring APIs and the
.kibana
index. The server does not need access to user indices.The password for the built-in
kibana_system
user is typically set as part of the security configuration process on Elasticsearch. For more information, see Built-in users. -
Set the
xpack.security.encryptionKey
property in thekibana.yml
configuration file. You can use any text string that is 32 characters or longer as the encryption key.xpack.security.encryptionKey: "something_at_least_32_characters"
For more information, see Security settings in Kibana.
-
Configure Kibana’s session expiration settings. Set both the idle timeout and lifespan settings:
xpack.security.session.idleTimeout: "1h" xpack.security.session.lifespan: "30d"
For more information, see Session management in Kibana.
- Optional: Configure Kibana to encrypt communications.
- Optional: Configure Kibana to authenticate to Elasticsearch with a client certificate.
- Restart Kibana.
-
Temporarily log in to Kibana using the built-in
elastic
superuser so you can create new users and assign roles. If you are running Kibana locally, go tohttps://localhost:5601
to view the login page.The password for the built-in
elastic
user is typically set as part of the security configuration process on Elasticsearch. For more information, see Built-in users. -
Create roles and users to grant access to Kibana.
To manage privileges in Kibana, open the main menu, then click Stack Management > Roles. The built-in
kibana_admin
role will grant access to Kibana with administrator privileges. Alternatively, you can create additional roles that grant limited access to Kibana.If you’re using the default native realm with Basic Authentication, open the main menu, then click Stack Management > Users to create users and assign roles, or use the Elasticsearch user management APIs. For example, the following creates a user named
jacknich
and assigns it thekibana_admin
role:POST /_security/user/jacknich { "password" : "t0pS3cr3t", "roles" : [ "kibana_admin" ] }
For more information on Basic Authentication and additional methods of authenticating Kibana users, see Authentication.
-
Grant users access to the indices that they will be working with in Kibana.
You can define as many different roles for your Kibana users as you need.
For example, create roles that have
read
andview_index_metadata
privileges on specific index patterns. For more information, see User authorization. -
Log out of Kibana and verify that you can log in as a normal user. If you are running Kibana locally, go to
https://localhost:5601
and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the userjacknich
.This must be a user who has been assigned Kibana privileges. Kibana server credentials (the built-in
kibana_system
user) should only be used internally by the Kibana server.