Kibana Anonymous Authentication
Search Guard supports anonymous authentication to enable access to specific indices for unauthenticated users.
In order to use anonymous authentication in Kibana, you first must configure the Elasticsearch backend to allow anonymous authentication. A minimal
sg_authc.yml configuration for this looks like this:
auth_domains: - type: basic/internal_users_db - type: anonymous user_mapping.user_name.static: anonymous user_mapping.roles.static: SGS_KIBANA_USER
See the documentation for more details on the backend configuration.
SGS_KIBANA_USER is needed because a certain set of permissions is necessary to access Kibana. If anonymous users shall not be able to access the default tenant, you should use the role
Note: Do not forget that the anonymous user also needs to have privileges for the indices they are supposed to access. For this, you need to map the user to more roles. See the backend documentation for details on this.
Note: If you want to allow anonymous authentication only for Kibana, you can restrict the
anonymous auth domain to the IPs that Kibana uses to connect to the backend. This can look like this:
auth_domains: - type: basic/internal_users_db - type: anonymous accept.ips: "10.12.123.0/24" user_mapping.user_name.static: anonymous user_mapping.roles.static: SGS_KIBANA_USER
Finally, you need to tell the Kibana plugin to allow anonymous authentication. You do this by adding the following setting to
- If the request is not already authenticated and there is no user active user session, Kibana will forward all requests to Elasticsearch without further checks
- Search Guard will evaluate the roles for the anonymous user and the associated permissions
- Kibana will load and the user has access to all indices configured for the anonymous role
- In anonymous mode, Kibana will display a
loginbutton instead of the
loginbutton will display the Search Guard login page where the user can use credentials to log in and enter authenticated mode.
- In authenticated mode, Kibana will display a
logoutbutton which ends the user session and enters anonymous mode again.