Version: 6.x-23
This is an older version of Search Guard.
Enterprise

Using Kibana with Kerberos

Kibana configuration

For full Kerberos support in Kibana you need the Search Guard Kibana plugin v14 or above.

Once you have set up Kerberos for Elasticsearch, configure it as the authentication type in kibana.yml:

searchguard.auth.type: "kerberos"

You can use all Search Guard features like multi tenancy and the configuration GUI with Kerberos.

Due to bugs and limitations in Kibana and X-Pack, however, not all X-Pack features will work; see Known Issues/Limitations below.

Elasticsearch configuration

If you’re using HTTP Basic Authentication and the internal user database for the Kibana server user, make sure that only the Kerberos authenticator has challenge set to true:

basic_internal_auth_domain: 
  enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern
kerberos_auth_domain: 
  enabled: true
  order: 1
  http_authenticator:
    type: kerberos
    challenge: true
    config:
    ...

Browser configuration

Depending on the browser you are using, make sure you have configured the Kibana domain correctly for Kerberos authentication. Please refer to the documentation of your browser for further instructions.

Known Issues/Limitations

X-Pack Monitoring

Due to a bug in the handling of HTTP error codes 401 and 403 in X-Pack, it is currently not possible to use X-Pack Monitoring with Kerberos.

X-Pack Machine Learning

Due to the way HTTP requests are handled by the machine learning module internally, it is currently not possible to use X-Pack Machine Learning with Kerberos.

Kibana URL shortener

It’s currently not possible to use the Kibana URL shortener together with Kibana/SPNEGO due to technical limitations of the Kibana architecture.

Kibana Index Management UI

It’s currently not possible to use the Kibana Index Management UI together with Kibana/SPNEGO due to technical limitations of the Kibana architecture.

Disabling the replay cache

Kerberos/SPNEGO has a security mechanism called “Replay Cache”. The replay cache makes sure that a Kerberos/SPNEGO token can be used only once in a certain timeframe. This conflicts with the Kibana request handling, where one browser request to Kibana can result in multiple requests to Elasticsearch.

These sub-requests will all carry the same Kerberos token and are thus interpreted as a replay attack. You will see error messages like:

[com.floragunn.dlic.auth.http.kerberos.HTTPSpnegoAuthenticator] Service login not successful due to java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34)) 

At the moment, the only way to make Kerberos work with Kibana is to disable the replay cache. This is of course not optimal, but it is so far the only known way.

With Oracle JDK, you can set

-Dsun.security.krb5.rcache=none

in jvm.options of Elasticsearch.
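
The conflict described above, as an added example that is not part of the Search Guard documentation or the JDK's code: a simplified replay cache model in Python that shows why Kibana's sub-requests are rejected and what the check stops doing once the cache is disabled. The `ReplayCache` class, the `kibana_fanout` function, the 300-second window and the token bytes are assumptions made for illustration.

```python
import hashlib


class ReplayCache:
    """Simplified model of a SPNEGO replay cache (not the JDK implementation).

    Remembers a digest of every accepted token for `window` seconds and
    rejects a second presentation of the same token inside that window.
    """

    def __init__(self, window=300.0, enabled=True):
        self.window = window      # assumed timeframe, in seconds
        self.enabled = enabled    # False models -Dsun.security.krb5.rcache=none
        self._seen = {}           # token digest -> expiry time

    def accept(self, token, now):
        if not self.enabled:
            return True           # no replay check: every presentation passes
        # Forget entries whose timeframe has elapsed.
        self._seen = {d: exp for d, exp in self._seen.items() if exp > now}
        digest = hashlib.sha256(token).hexdigest()
        if digest in self._seen:
            return False          # corresponds to "Request is a replay (34)"
        self._seen[digest] = now + self.window
        return True


def kibana_fanout(cache, token, sub_requests, now):
    """One browser request to Kibana becomes several Elasticsearch requests,
    all carrying the same token; returns the accept/reject result of each."""
    return [cache.accept(token, now + 0.01 * i) for i in range(sub_requests)]


if __name__ == "__main__":
    token = b"constructed-spnego-token"   # constructed sample, not a real ticket
    print("replay cache on: ", kibana_fanout(ReplayCache(), token, 3, now=0.0))
    off = ReplayCache(enabled=False)
    print("replay cache off:", kibana_fanout(off, token, 3, now=0.0))
    # With the cache off, a later presentation of the same token is not rejected here.
    print("later reuse, off:", off.accept(token, now=60.0))
```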

