[Docs] Document Anonymous authentication provider. #84910
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
azasypkin
commented
Dec 3, 2020
|
|
||
| [source,yaml] | ||
| ---------------------------------------- | ||
| # Username and password credentials |
There was a problem hiding this comment.
note: not super happy about having technically invalid yaml snippet (because of duplicated entries), but couldn't think of a better option.
There was a problem hiding this comment.
I think this is reasonable. We could split this out into 4 different snippets if necessary, but I think what you have here is fine.
legrego
reviewed
Dec 4, 2020
|
|
||
| [IMPORTANT] | ||
| ============================================================================ | ||
| Since anonymous access allows anyone to access {kib} as long as they can access network {kib} is exposed to, make sure to grant anonymous service account only as many privileges as really needed. |
There was a problem hiding this comment.
Suggested change
| Since anonymous access allows anyone to access {kib} as long as they can access network {kib} is exposed to, make sure to grant anonymous service account only as many privileges as really needed. | |
| Anyone with access to the network {kib} is exposed to will be able to access {kib}. Make sure that you've properly restricted the capabilities of the anonymous service account so that anonymous users can't perform destructive actions or escalate their own privileges. |
| Since anonymous access allows anyone to access {kib} as long as they can access network {kib} is exposed to, make sure to grant anonymous service account only as many privileges as really needed. | ||
| ============================================================================ | ||
|
|
||
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed {kib} dashboard in another application or set up a demo {kib} instance in your internal network while still keeping other {kib} security features intact. |
There was a problem hiding this comment.
Suggested change
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed {kib} dashboard in another application or set up a demo {kib} instance in your internal network while still keeping other {kib} security features intact. | |
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed dashboards in another application or set up a demo {kib} instance in your internal network while still keeping other security features intact. |
|
|
||
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed {kib} dashboard in another application or set up a demo {kib} instance in your internal network while still keeping other {kib} security features intact. | ||
|
|
||
| To enable anonymous authentication in {kib}, you need to decide what credentials or so-called anonymous service account {kib} should use internally to authenticate anonymous requests to {es}. You can pick one of the three different approaches here: |
There was a problem hiding this comment.
Suggested change
| To enable anonymous authentication in {kib}, you need to decide what credentials or so-called anonymous service account {kib} should use internally to authenticate anonymous requests to {es}. You can pick one of the three different approaches here: | |
| To enable anonymous authentication in {kib}, you need to decide what credentials the anonymous service account {kib} should use internally to authenticate anonymous requests. There are three ways to specify these credentials: |
| [float] | ||
| ===== Anonymous access and other types of authentication | ||
|
|
||
| You can also configure any other authentication mechanisms in addition to the anonymous access in {kib}. In this case Login Selector UI will present a dedicated `Continue as Guest` option for the anonymous access: |
There was a problem hiding this comment.
Suggested change
| You can also configure any other authentication mechanisms in addition to the anonymous access in {kib}. In this case Login Selector UI will present a dedicated `Continue as Guest` option for the anonymous access: | |
| You can configure other authentication providers in addition to anonymous access in {kib}. In this case Login Selector UI will present a dedicated `Continue as Guest` option for anonymous access: |
| credentials: "elasticsearch_anonymous_user" <1> | ||
| ----------------------------------------------- | ||
|
|
||
| <1> The `elasticsearch_anonymous_user` is just a special constant that doesn't have any other meaning |
There was a problem hiding this comment.
Suggested change
| <1> The `elasticsearch_anonymous_user` is just a special constant that doesn't have any other meaning | |
| <1> The `elasticsearch_anonymous_user` is a special constant that indicates you wish to use Elasticsearch's anonymous user. |
| [float] | ||
| ===== Anonymous access and embedding | ||
|
|
||
| One of the most popular use cases for the anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as a sole authentication mechanism, you don't need to do anything special while embedding {kib}. |
There was a problem hiding this comment.
Suggested change
| One of the most popular use cases for the anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as a sole authentication mechanism, you don't need to do anything special while embedding {kib}. | |
| One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. |
|
|
||
| One of the most popular use cases for the anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as a sole authentication mechanism, you don't need to do anything special while embedding {kib}. | ||
|
|
||
| The things become a bit tricky if you configure multiple authentication mechanisms and use Login Selector UI to log in to {kib}. In this case embedded {kib} doesn't know whether you want your users to use anonymous access or not. If the intention is to use anonymous access then you should add `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL. |
There was a problem hiding this comment.
I don't think we need to qualify the Login Selector UI here. We are trying to discourage disabling this, so I think it's safe for us to assume in these docs that it'll be enabled.
Suggested change
| The things become a bit tricky if you configure multiple authentication mechanisms and use Login Selector UI to log in to {kib}. In this case embedded {kib} doesn't know whether you want your users to use anonymous access or not. If the intention is to use anonymous access then you should add `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL. | |
| If you have multiple authentication providers enabled, and you wish to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. |
There was a problem hiding this comment.
I don't think we need to qualify the Login Selector UI here. We are trying to discourage disabling this, so I think it's safe for us to assume in these docs that it'll be enabled.
Wholeheartedly agree!
|
|
||
| [source,yaml] | ||
| ---------------------------------------- | ||
| # Username and password credentials |
There was a problem hiding this comment.
I think this is reasonable. We could split this out into 4 different snippets if necessary, but I think what you have here is fine.
|
Pinging @elastic/kibana-docs (Team:Docs) |
gchaps
reviewed
Dec 4, 2020
| |=== | ||
| | `xpack.security.authc.providers.` | ||
| `anonymous.<provider-name>.credentials` {ess-icon} | ||
| | Credentials that {kib} should use internally to authenticate anonymous requests to {es}. Possible values are: username and password credentials, API key or `elasticsearch_anonymous_user` constant if you want to leverage {ref}/anonymous-access.html[{es} anonymous access]. |
There was a problem hiding this comment.
Suggested change
| | Credentials that {kib} should use internally to authenticate anonymous requests to {es}. Possible values are: username and password credentials, API key or `elasticsearch_anonymous_user` constant if you want to leverage {ref}/anonymous-access.html[{es} anonymous access]. | |
| | Credentials that {kib} should use internally to authenticate anonymous requests to {es}. Possible values are: username and password, API key, or the constant `elasticsearch_anonymous_user` if you want to leverage {ref}/anonymous-access.html[{es} anonymous access]. |
| Anyone with access to the network {kib} is exposed to will be able to access {kib}. Make sure that you've properly restricted the capabilities of the anonymous service account so that anonymous users can't perform destructive actions or escalate their own privileges. | ||
| ============================================================================ | ||
|
|
||
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed dashboards in another application or set up a demo {kib} instance in your internal network while still keeping other security features intact. |
There was a problem hiding this comment.
Suggested change
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed dashboards in another application or set up a demo {kib} instance in your internal network while still keeping other security features intact. | |
| Anonymous authentication gives users access to {kib} without requiring them to provide credentials. This can be useful if you want your users to skip the login step when you embed dashboards in another application or set up a demo {kib} instance in your internal network, while still keeping other security features intact. |
|
|
||
| Anonymous authentication gives users access to {kib} without requiring them to provide any sort of credentials. This can be useful if you want your users to skip the login step when you embed dashboards in another application or set up a demo {kib} instance in your internal network while still keeping other security features intact. | ||
|
|
||
| To enable anonymous authentication in {kib}, you need to decide what credentials the anonymous service account {kib} should use internally to authenticate anonymous requests. There are three ways to specify these credentials: |
There was a problem hiding this comment.
Suggested change
| To enable anonymous authentication in {kib}, you need to decide what credentials the anonymous service account {kib} should use internally to authenticate anonymous requests. There are three ways to specify these credentials: | |
| To enable anonymous authentication in {kib}, you must decide what credentials the anonymous service account {kib} should use internally to authenticate anonymous requests. There are three ways to specify these credentials: |
|
|
||
| To enable anonymous authentication in {kib}, you need to decide what credentials the anonymous service account {kib} should use internally to authenticate anonymous requests. There are three ways to specify these credentials: | ||
|
|
||
| NOTE: You can configure only one anonymous authentication provider per {kib} instance. |
There was a problem hiding this comment.
Suggest moving the sentence "There are three ways to specify these credentials" to after the Note.
|
|
||
| NOTE: You can configure only one anonymous authentication provider per {kib} instance. | ||
|
|
||
| If you have a user that can authenticate to {es} using username and password, from a Native or LDAP security realms for instance, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` can look like if you want to use username and password credentials: |
There was a problem hiding this comment.
Suggested change
| If you have a user that can authenticate to {es} using username and password, from a Native or LDAP security realms for instance, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` can look like if you want to use username and password credentials: | |
| If you have a user who can authenticate to {es} using username and password, for instance from a Native or LDAP security realms, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` might look if you use username and password credentials: |
| [float] | ||
| ===== Anonymous access and embedding | ||
|
|
||
| One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. |
There was a problem hiding this comment.
Suggested change
| One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. | |
| One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. |
|
|
||
| One of the most popular use cases for anonymous access is when you embed {kib} into other applications and don't want to force your users to log in just to view it. If you configured {kib} to use anonymous access as the sole authentication mechanism, you don't need to do anything special while embedding {kib}. | ||
|
|
||
| If you have multiple authentication providers enabled, and you wish to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. |
There was a problem hiding this comment.
Suggested change
| If you have multiple authentication providers enabled, and you wish to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. | |
| If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. |
|
|
||
| If you have multiple authentication providers enabled, and you wish to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. | ||
|
|
||
| For example, if you generate the iFrame code to embed {kib} it will look like this: |
There was a problem hiding this comment.
Suggested change
| For example, if you generate the iFrame code to embed {kib} it will look like this: | |
| For example, if you generate the iFrame code to embed {kib}, it will look like this: |
| <iframe src="https://localhost:5601/app/dashboards#/view/722b74f0-b882-11e8-a6d9-e546fe2bba5f?embed=true&_g=(....)" height="600" width="800"></iframe> | ||
| ``` | ||
|
|
||
| To make this iFrame leverage anonymous access automatically, you will need to modify a link to {kib} in `src` iFrame attribute to look like this: |
There was a problem hiding this comment.
Suggested change
| To make this iFrame leverage anonymous access automatically, you will need to modify a link to {kib} in `src` iFrame attribute to look like this: | |
| To make this iFrame leverage anonymous access automatically, you will need to modify a link to {kib} in the `src` iFrame attribute to look like this: |
| <iframe src="https://localhost:5601/app/dashboards?auth_provider_hint=anonymous1#/view/722b74f0-b882-11e8-a6d9-e546fe2bba5f?embed=true&_g=(....)" height="600" width="800"></iframe> | ||
| ``` | ||
|
|
||
| Note that `auth_provider_hint` query string parameter goes _before_ the hash URL fragment. |
There was a problem hiding this comment.
Suggested change
| Note that `auth_provider_hint` query string parameter goes _before_ the hash URL fragment. | |
| Note that `auth_provider_hint` query string parameter goes *before* the hash URL fragment. |
legrego
approved these changes
Dec 8, 2020
|
|
||
| There are three ways to specify these credentials: | ||
|
|
||
| If you have a user who can authenticate to {es} using username and password, for instance from a Native or LDAP security realms, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` might look if you use username and password credentials: |
There was a problem hiding this comment.
Suggested change
| If you have a user who can authenticate to {es} using username and password, for instance from a Native or LDAP security realms, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` might look if you use username and password credentials: | |
| If you have a user who can authenticate to {es} using username and password, for instance from the Native or LDAP security realms, you can also use these credentials to impersonate the anonymous users. Here is how your `kibana.yml` might look if you use username and password credentials: |
|
|
||
| It's also possible to use {kib} anonymous access in conjunction with the {es} anonymous access. | ||
|
|
||
| Prior to configuring {kib}, ensure that the anonymous access is enabled and properly configured in {es}. See {ref}/anonymous-access.html[Enabling anonymous access] for more information. |
There was a problem hiding this comment.
Suggested change
| Prior to configuring {kib}, ensure that the anonymous access is enabled and properly configured in {es}. See {ref}/anonymous-access.html[Enabling anonymous access] for more information. | |
| Prior to configuring {kib}, ensure that anonymous access is enabled and properly configured in {es}. See {ref}/anonymous-access.html[Enabling anonymous access] for more information. |
| [float] | ||
| ===== Anonymous access and other types of authentication | ||
|
|
||
| You can configure more authentication providers in addition to anonymous access in {kib}. In this case, the Login Selector presents a dedicated *Continue as Guest* option for anonymous access: |
There was a problem hiding this comment.
This hints that they can customize the text if they'd like to 😄
Suggested change
| You can configure more authentication providers in addition to anonymous access in {kib}. In this case, the Login Selector presents a dedicated *Continue as Guest* option for anonymous access: | |
| You can configure more authentication providers in addition to anonymous access in {kib}. In this case, the Login Selector presents a configurable *Continue as Guest* option for anonymous access: |
|
|
||
| If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding, then you will need to add the `auth_provider_hint=<anonymous-provider-name>` query string parameter to the {kib} URL that you're embedding. | ||
|
|
||
| For example, if you generate the iFrame code to embed {kib}, it will look like this: |
There was a problem hiding this comment.
I blame Apple!
Suggested change
| For example, if you generate the iFrame code to embed {kib}, it will look like this: | |
| For example, if you generate the iframe code to embed {kib}, it will look like this: |
There was a problem hiding this comment.
Oh no, so embarrassing! 🙈
| <iframe src="https://localhost:5601/app/dashboards#/view/722b74f0-b882-11e8-a6d9-e546fe2bba5f?embed=true&_g=(....)" height="600" width="800"></iframe> | ||
| ``` | ||
|
|
||
| To make this iFrame leverage anonymous access automatically, you will need to modify a link to {kib} in the `src` iFrame attribute to look like this: |
There was a problem hiding this comment.
Suggested change
| To make this iFrame leverage anonymous access automatically, you will need to modify a link to {kib} in the `src` iFrame attribute to look like this: | |
| To make this iframe leverage anonymous access automatically, you will need to modify a link to {kib} in the `src` iframe attribute to look like this: |
azasypkin
added a commit
to azasypkin/kibana
that referenced
this pull request
Dec 8, 2020
|
7.x/7.11.0: 393d1e4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Document Anonymous authentication provider introduced in #79985 and #84074.
Preview