Learn how to securely share your read-only dashboards
Perhaps most new ELK users do not know that Kibana did not have a login page unless you paid for it. But since May 2019, security for Elasticsearch has been free and is included in each new version.
In my opinion that was a very good decision, because a lot of people were deploying Kibana without any kind of authentication. Even now, it is easy to find open Kibana dashboards using Shodan or BinaryEdge.
Old Kibana version publicly open on the internet | Image by author
If you have security enabled in Kibana, and you must have it, everyone who wants to access it has to authenticate. Having security is fine and necessary, but if we want to share a dashboard publicly we need to add a new user to our Kibana dashboard. Right now Kibana offers no way to share a dashboard without login, like a Google sharing link. Now imagine that you would like to share your dashboard with the whole internet, as I did with my Covid-19 map. Having a public guest user and then forcing each visitor to log in is not the most usable approach.
Kibana guest user permissions | Image by the author
I did not consider asking each new visitor to my website to log in a viable solution, and after googling the issue I found a possible solution using Nginx. If we put a reverse proxy in front of our Kibana app, it can supply the Basic Auth headers necessary to log in.
Of course, we will need to create a guest user inside Kibana, but remember to give it only the roles kibana_dashboard_only_user and read_only. Obviously this user needs to be very limited for security reasons, so that anyone can use it without us losing control of our ELK cluster.
Once our guest user is created, we can start configuring our reverse proxy. To host my Nginx proxy server I chose a DigitalOcean VPS droplet. For better connectivity and speed, I recommend selecting the same region for your VPS and ELK cluster. If you have your cluster in AWS EU West, pick a similar region for your VPS.
Once you have your VPS running, you will need to install Nginx and add a new domain. You will need to create a config file for your Kibana app inside /etc/nginx/sites-available/. I uploaded a sample config file to GitHub Gist so that you can easily use it in your deployments.
wget https://gist.githubusercontent.com/CarlosLannister/a4f9d67ab444ac26c1b0444dee76abec/raw/053efcdd26534c2742ff7eeef0a2ac83a610a170/kibana-guest-nginx
Obviously you will need to fill in this config file with your own data. You need to specify your server domain, if you have one, and your Kibana IP address and port. The “trickiest” part to configure is the proxy_set_header Authorization directive. In this section of the config file, we need to specify the user and password of our Kibana guest user, base64-encoded. The format needs to be user:password, in my case guest:guest1234.
echo -n 'guest:guest1234' | base64
Like any normal Nginx deployment, you can also add SSL certificates. I recommend the use of Let’s Encrypt. To be honest, I do not understand production deployments without SSL, given that Let’s Encrypt is a free service.
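A minimal server block of the kind described above, as an added example rather than the author's gist, whose contents are not reproduced on this page. The domain kibana.example.com and the upstream 10.0.0.5:5601 are placeholders; the header value is the base64 encoding of guest:guest1234 produced by the command above.

```nginx
# Added example, not the author's gist.
# kibana.example.com and 10.0.0.5:5601 are placeholders for your own
# domain and your Kibana IP address and port.
server {
    # Plain HTTP listener only; add a 443 listener with your
    # Let's Encrypt certificate as the article recommends.
    listen 80;
    server_name kibana.example.com;

    location / {
        # If Kibana is reached over a public network, point this at an
        # https:// upstream: this hop carries the guest credentials.
        proxy_pass http://10.0.0.5:5601;

        # Output of: echo -n 'guest:guest1234' | base64
        # Base64 is an encoding, not encryption, so this file holds the
        # guest password in recoverable form. nginx sends this header on
        # every proxied request, overriding any Authorization header the
        # client sent, so every visitor acts as the guest user. The
        # guest's read-only roles are the only limit on what they can do.
        proxy_set_header Authorization "Basic Z3Vlc3Q6Z3Vlc3QxMjM0";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
    }
}
```

Run `sudo nginx -t` after editing to validate the syntax before reloading.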
Once we have our file, we just need to link it into sites-enabled and make sure that Nginx is running.
sudo ln -s /etc/nginx/sites-available/kibana-guest-nginx /etc/nginx/sites-enabled/
If everything is up and you access Kibana through the domain configured in Nginx, you should be able to visit it without logging in.
Kibana dashboard accessed without login with Guest user | Image by the author
To share one dashboard and save new users from having to navigate to it, we can share a direct link to it. And that’s all folks, hope you like it ;)
Translated from: https://medium.com/@carloslannister/sharing-kibana-guest-dashboards-without-login-fceb6b8df97d