Version: 6.x-22

HTTP Basic Authentication

HTTP Basic is the most commonly used authentication type and probably the one you are most familiar with. If a user tries to access Kibana:

  • Search Guard checks whether the user has an active session with valid username/password credentials
  • If so, the credentials are added to every HTTP call from Kibana to Elasticsearch/Search Guard
    • Search Guard uses these credentials for authentication and authorization and for assigning roles and permissions
    • Depending on the configured authentication backend, the credentials are checked against the internal user database, LDAP or Active Directory
  • If the user does not have an active session, a customizable login page is displayed and the user has to log in.

To activate Basic Authentication and the login page, add the following entry to kibana.yml:

For v13 and below:

searchguard.basicauth.enabled: true

For v14 and above:

searchguard.auth.type: "basic"

Use the following settings in kibana.yml to configure HTTP Basic authentication:

Session management

The user session is stored in an encrypted cookie. Use the following configuration options to control the session behavior:

searchguard.cookie.secure
  boolean, if set to true cookies are only stored when using HTTPS. Default: false.

searchguard.cookie.name
  String, name of the cookie. Default: 'searchguard_authentication'

searchguard.cookie.password
  String, key used to encrypt the cookie. Must be at least 32 characters long. Default: 'searchguard_cookie_default_password'

searchguard.cookie.ttl
  Integer, lifetime of the cookie in milliseconds. Can be set to 0 for a session cookie. Default: 1 hour

searchguard.session.ttl
  Integer, lifetime of the session in milliseconds. If set, the user is prompted to log in again after the configured time, regardless of the cookie. Default: 1 hour

searchguard.session.keepalive
  boolean, if set to true the session lifetime is extended by searchguard.session.ttl upon each request. Default: true

Preventing users from logging in

You can prevent users from logging in to Kibana by listing them in kibana.yml. This is useful if you don't want system users such as the Kibana server user or the logstash user to log in interactively. In kibana.yml, set:

searchguard.basicauth.forbidden_usernames: ["kibanaserver", "logstash"]

Configuration example

# v13 and below: Enable HTTP Basic Authentication
searchguard.basicauth.enabled: true

# v14 and above: Enable HTTP Basic Authentication
searchguard.auth.type: "basic"

# Configure session management
searchguard.cookie.password: <encryption key, min. 32 characters>

# Use HTTPS instead of HTTP
elasticsearch.url: "https://<hostname>.com:<http port>"

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

# Disable SSL verification when using self-signed demo certificates
# (demo setups only; in production keep verification at "full" and trust the CA that signed the cluster certificates)
elasticsearch.ssl.verificationMode: none

# Whitelist basic headers and multi tenancy header
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
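The settings above (cookie encryption key length, cookie TTLs, forbidden usernames, the HTTPS transport to Elasticsearch and the demo-only `verificationMode: none`) are the ones a reviewer checks before a kibana.yml goes to production. The following is an added example, not Search Guard's own code: a small linter that parses the flat `key: value` subset of kibana.yml used on this page and reports settings that keep the Basic Auth setup at demo strength. The setting names are taken from this page, except `searchguard.cookie.secure`, which is assumed from the Search Guard Kibana plugin's cookie settings, and `elasticsearch.ssl.certificateAuthorities`, a standard Kibana setting used in the hardened sample. Both sample configurations are constructed for the example.

```python
import json

# Constructed sample kibana.yml that mirrors the documented configuration example
# (shipped default cookie key, demo credentials, SSL verification off). Not a real deployment.
DEMO_KIBANA_YML = """\
# v14 and above: Enable HTTP Basic Authentication
searchguard.auth.type: "basic"
searchguard.cookie.password: "searchguard_cookie_default_password"
searchguard.cookie.secure: false
searchguard.cookie.ttl: 3600000
searchguard.session.ttl: 3600000
searchguard.session.keepalive: true
searchguard.basicauth.forbidden_usernames: ["kibanaserver", "logstash"]
elasticsearch.url: "https://es.example.invalid:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
"""

# Constructed hardened counterpart: every demo-only value replaced (placeholders, not real secrets).
HARDENED_KIBANA_YML = """\
searchguard.auth.type: "basic"
searchguard.cookie.secure: true
searchguard.cookie.password: "replace-me-with-a-random-secret-of-at-least-32-chars"
searchguard.cookie.ttl: 3600000
searchguard.session.ttl: 3600000
searchguard.session.keepalive: true
searchguard.basicauth.forbidden_usernames: ["kibanaserver", "logstash"]
elasticsearch.url: "https://es.example.invalid:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "<strong-unique-password>"
elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: ["/path/to/ca.pem"]
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
"""

MIN_COOKIE_PASSWORD_LEN = 32  # documented minimum length for searchguard.cookie.password
DEFAULT_COOKIE_PASSWORD = "searchguard_cookie_default_password"  # documented default
DEMO_SERVER_PASSWORD = "kibanaserver"  # demo password from the configuration example


def parse_flat_yaml(text):
    """Parse the flat `key: value` subset of kibana.yml used in the Search Guard examples.
    Values are decoded as JSON where possible (quoted strings, numbers, booleans,
    JSON-style lists); anything else (e.g. a bare `none` or `full`) is kept as a string."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue  # not a `key: value` line; nested YAML is out of scope here
        value = value.strip()
        try:
            settings[key.strip()] = json.loads(value)
        except ValueError:
            settings[key.strip()] = value.strip("'\"")
    return settings


def lint_searchguard_settings(settings):
    """Return finding ids, in a fixed order, for settings that weaken the Basic Auth setup."""
    findings = []

    basic_enabled = (settings.get("searchguard.auth.type") == "basic"  # v14 and above
                     or settings.get("searchguard.basicauth.enabled") is True)  # v13 and below
    if not basic_enabled:
        findings.append("basic-auth-not-enabled")

    # Session cookie: the encryption key must be >= 32 chars and must not be the shipped default.
    cookie_pw = settings.get("searchguard.cookie.password", DEFAULT_COOKIE_PASSWORD)
    if not isinstance(cookie_pw, str) or len(cookie_pw) < MIN_COOKIE_PASSWORD_LEN:
        findings.append("cookie-password-too-short")
    if cookie_pw == DEFAULT_COOKIE_PASSWORD:
        findings.append("cookie-password-is-default")
    # The documented default is false, so an absent key counts as disabled.
    if settings.get("searchguard.cookie.secure", False) is not True:
        findings.append("cookie-secure-disabled")

    # Every Kibana -> Elasticsearch call carries the user's Basic credentials, so the
    # transport must be HTTPS with certificate verification left on.
    if not str(settings.get("elasticsearch.url", "")).startswith("https://"):
        findings.append("elasticsearch-url-not-https")
    if settings.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append("ssl-verification-disabled")

    # Kibana server user: no demo password, and it should not be able to log in interactively.
    if settings.get("elasticsearch.password") == DEMO_SERVER_PASSWORD:
        findings.append("demo-kibanaserver-password")
    server_user = settings.get("elasticsearch.username")
    forbidden = settings.get("searchguard.basicauth.forbidden_usernames", [])
    if server_user and server_user not in forbidden:
        findings.append("server-user-not-forbidden")

    return findings


def lint_kibana_yml(text):
    """Parse and lint a kibana.yml fragment in one step."""
    return lint_searchguard_settings(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, text in (("demo", DEMO_KIBANA_YML), ("hardened", HARDENED_KIBANA_YML)):
        print(name, lint_kibana_yml(text) or "no findings")
```

Run against the demo sample the linter reports the default cookie key, the non-secure cookie, disabled SSL verification and the demo `kibanaserver` password; the hardened sample passes clean. The parser deliberately understands only the flat one-line form shown on this page; a production kibana.yml with nested keys should be loaded with a YAML library and the same `lint_searchguard_settings` applied to its flattened keys.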