<img src=“https://travis-ci.org/christian-marie/kibana3_auth.png?branch=v1.0.0” alt=“Build Status” /> <img src=“https://coveralls.io/repos/christian-marie/kibana3_auth/badge.png?branch=v1.0.0” alt=“Coverage Status” />
This rack application was built to serve a very particular purpose: add authentication to kibana3 and allow users to view only thier logs.
The actual access control that you do is entirely up to you. You provide a snippet of code that takes a username and password and returns an elasticsearch filter.
-
Firefox – Some have reported that Safari will not work without the Thin webserver. I cannot confirm this.
-
Production tested on ruby-1.9.3-p385
-
Unit tests pass on: <img src=“https://travis-ci.org/christian-marie/kibana3_auth.png?branch=v1.0.0” alt=“Build Status” />
-
Serves static kibana pages from within the application
-
Private dashboards per user (with configurable namespaces)
-
HTML login form
If you want to use milestone 3, see:
github.com/christian-marie/kibana3_auth/tree/v1.0.0
If you had a custom javascript config, this will destroy it. If you want to preserve that, I’m sure you can work out how.
$ cd kibana3_auth $ git pull && git checkout v1.0.0milestone4 $ pushd kibana; git checkout -- . ; popd $ git submodule update
Now you need to make sure that your new config has the port that you plan to run your webserver on, take note that the location of the config.js has moved.
$ sed -i s/9200/80/ kibana/src/config.js
Done!
I will assume that you can configure your own unicorns and web servers to host this correctly. This documentation will get you set up with a local server running under ‘rackup’.
We need to download this repo, kibana, and rack.
$ git clone https://github.com/christian-marie/kibana3_auth.git $ cd kibana3_auth && git checkout v1.0.0milestone4 $ git submodule init && git submodule update $ bundle install --without development
Pretty much everyone is going to have a different idea of how to authenticate a user and then filter logs. So you get to write code for this yourself. Don’t panic, it’s one function.
The configuration is a ruby file in config/config.rb
$ $EDITOR config/config.rb
We need to specify a few things as a ruby hash, these are all mandatory:
- :session_secret
-
This must be set to a random, long, string. It is a secret!
- :backend
-
The elasticsearch REST interface URI, maybe localhost:9200
- :login
-
A #call able ruby object to receive a username and password and return a set of ElasticSearch filters.
Here is an example example config.rb:
# This method must return an ElasticSearch filter or false def login(user, pass) # We want anyone with a name starting with p to see everything. # We use the 'UNFILTERED' keyword to explicitly state this. return 'UNFILTERED' if user =~ /\Ap/ # Anyone with a long name must only see logs tagged with thier name # or 'secret' if user.size > 10 then return({ 'terms' => { 'tags' => [ user, 'secret' ] } }) end # Otherwise no soup for you false end { :session_secret => 'CHANGE ME', :backend => 'http://localhost:9200', :login => method(:login), }
Configure kibana to hit ElasticSearch on the port on which you plan to run the rack application. For example, should you wish to run on port 8000:
$ sed -i s/9200/8000/ kibana/src/config.js
$ bundle exec rackup -p 8000
Obviously in production you want to run this under nginx/unicorn or something. I currently have it running under nginx/unicorn with SSL.
Dashboards are namespaced by default by a hash of the username password. You can override this with the :dashboard_namespace parameter. This works much like login, and receives the same username and password.
For example, to give everyone the same namespace and allow anyone access, config.rb might be:
{ :session_secret => 'CHANGE ME', :backend => 'http://localhost:9200', :login => Proc.new{ 'UNFILTERED' }, :dashboard_namespace => lambda {|user, pass| # ignore user and pass, everyone is a potato "POTATO!" } }
MIT