Frankenstein Ruby/Rack application to add access control to kibana3
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
config
html
kibana @ c19105c
lib
spec
.gitignore
.gitmodules
.travis.yml
Gemfile
Gemfile.lock
Guardfile
LICENSE
README.rdoc
config.ru

README.rdoc

Build Status Coverage Status

Kibana 3 authentication and authorization

Introduction

This rack application was built to serve a very particular purpose: add authentication to kibana3 and allow users to view only thier logs.

The actual access control that you do is entirely up to you. You provide a snippet of code that takes a username and password and returns an elasticsearch filter.

Tested on

  • Firefox – Some have reported that Safari will not work without the Thin webserver. I cannot confirm this.

  • Production tested on ruby-1.9.3-p385

  • Unit tests pass on: Build Status

Features

  • Serves static kibana pages from within the application

  • Private dashboards per user (with configurable namespaces)

  • HTML login form

Kibana3 Milestone 3 support

If you want to use milestone 3, see:

github.com/christian-marie/kibana3_auth/tree/v1.0.0

Upgrading

If you had a custom javascript config, this will destroy it. If you want to preserve that, I'm sure you can work out how.

$ cd kibana3_auth
$ git pull && git checkout v1.0.0milestone4
$ pushd kibana; git checkout -- . ; popd
$ git submodule update

Now you need to make sure that your new config has the port that you plan to run your webserver on, take note that the location of the config.js has moved.

$ sed -i s/9200/80/ kibana/src/config.js

Done!

New installation

I will assume that you can configure your own unicorns and web servers to host this correctly. This documentation will get you set up with a local server running under 'rackup'.

Step one - installation

We need to download this repo, kibana, and rack.

$ git clone https://github.com/christian-marie/kibana3_auth.git
$ cd kibana3_auth && git checkout v1.0.0milestone4
$ git submodule init && git submodule update
$ bundle install --without development

Step two - configuration

Pretty much everyone is going to have a different idea of how to authenticate a user and then filter logs. So you get to write code for this yourself. Don't panic, it's one function.

The configuration is a ruby file in config/config.rb

$ $EDITOR config/config.rb

We need to specify a few things as a ruby hash, these are all mandatory:

:session_secret

This must be set to a random, long, string. It is a secret!

:backend

The elasticsearch REST interface URI, maybe localhost:9200

:login

A #call able ruby object to receive a username and password and return a set of ElasticSearch filters.

Here is an example example config.rb:

# This method must return an ElasticSearch filter or false
def login(user, pass)
        # We want anyone with a name starting with p to see everything.
        # We use the 'UNFILTERED' keyword to explicitly state this. 
        return 'UNFILTERED' if user =~ /\Ap/

        # Anyone with a long name must only see logs tagged with thier name
        # or 'secret'
        if user.size > 10 then
                return({
                        'terms' => {
                                'tags' => [ user, 'secret' ]
                        }
                })
        end

        # Otherwise no soup for you
        false
end

{
        :session_secret => 'CHANGE ME',
        :backend        => 'http://localhost:9200',
        :login          => method(:login),
}

Step three - ???

Configure kibana to hit ElasticSearch on the port on which you plan to run the rack application. For example, should you wish to run on port 8000:

$ sed -i s/9200/8000/ kibana/src/config.js

Step four - profit!

$ bundle exec rackup -p 8000

Obviously in production you want to run this under nginx/unicorn or something. I currently have it running under nginx/unicorn with SSL.

Optional configurable dashboard namespaces

Dashboards are namespaced by default by a hash of the username password. You can override this with the :dashboard_namespace parameter. This works much like login, and receives the same username and password.

For example, to give everyone the same namespace and allow anyone access, config.rb might be:

{
	:session_secret => 'CHANGE ME',
	:backend => 'http://localhost:9200',
	:login => Proc.new{ 'UNFILTERED' },
	:dashboard_namespace => lambda {|user, pass|
		# ignore user and pass, everyone is a potato
		"POTATO!"
	}
}

License

MIT