readonlyrest-1.16.26_es6.4.0.zip
has a version string 1.16.26_es6.4.0
.1.16.26_es6.4.0
1.16.26
6.4.0
readonlyrest_kbn_pro-1.16.26-20180911_es6.0.0.zip
bin/kibana-plugin
utility.
file://
+ absolute path (yes, with three slashes).
server.basePath
property in kibana.yml
be sure to access RoR via a proxy, as it will not work properly when accessed directly.

In this document, every time you encounter references to "readonlyrest.yml" or "elasticsearch.yml", we are referring to the configuration files in the Elasticsearch plugin (our Kibana plugins do not need a "readonlyrest.yml").
readonlyrest.settings_index: .my_custom_readonlyrest
in elasticsearch.yml
file (remember to set the same value for all your ES nodes).
readonlyrest.yml
a file the user needs to create in the same directory where elasticsearch.yml
is found.
.readonlyrest
index. Our Kibana plugins' GUI (PRO/Enterprise) is programmed to write this index.
readonlyrest.force_load_from_file: true
in elasticsearch.yaml
on one node es1
.readonlyrest.yml
, remove readonlyrest.force_load_from_file: true
from elasticsearch.yaml
and restart node.
elasticsearch.yml
(on the Elasticsearch side) and kibana.yml
(on the Kibana side): This is how you disable X-pack modules:
readonlyrest.yml
(the settings file of the Elasticsearch plugin), to support ReadonlyREST PRO.
kibana_access: admin
kibana_hide_apps: ["readonlyrest_kbn"]
to hide the ReadonlyREST icon from users who are not meant to use it (makes for a better UX).
Blocks related to the authentication of the users should be at the top of the ACL
kibana.yml
."login", "tenancyHop", "never"
.kibana_hide_apps: [...]
rule (readonlyrest.yml)
readonlyrest.yml
(see above, the ::KIBANA-SRV:: block).
conf/kibana.yml
and add the following:
elasticsearch.url
points to the designated Elasticsearch instance (check also the http or https)
X-Forwarded-User
header.

Today, it's possible to skip the regular ROR login form and use the "delegated authentication" technique in ROR for Kibana as well.
proxy_auth
rule) in ROR for ES documentation.
conf/kibana.yml
and add readonlyrest_kbn.proxy_auth_passthrough: true
X-Forwarded-User
header containing the user's name. Based on this identity, ROR for Kibana will build an encrypted cookie and handle your session normally.
conf/kibana.yml
and add readonlyrest_kbn.custom_logout_link: https://..../logout
conf/kibana.yml
and add readonlyrest_kbn.custom_login_link: "https://../login"
readonlyrest.yml
or the cluster wide settings UI in the Kibana plugin). See how.
kibana.yml
by adding the line readonlyrest_kbn.jwt_query_param: "jwt"
as a string, in our case "jwt".
Authorization
header in a request to Elasticsearch.
readonlyrest_kbn.custom_logout_link
.nextUrl
query parameter for sharing deep links inside Kibana apps, or embedding visualizations and dashboards inside I-Frames.
readonlyrest_audit-*
ReadonlyREST Audit Log
ror_kbn_auth
bridge
readonlyrest.yml
kibana.yml
and append:
issuer: issuer string to supply to identity provider during sign on request. Defaults to 'ror'
disableRequestedAuthnContext: if truthy, do not request a specific authentication context. This is known to help when authenticating against Active Directory (AD FS) servers.
decryptionPvk: Service Provider Private Key. Private key that will be used to attempt to decrypt any encrypted assertions that are received.
http://my.public.hostname.com/ror_kbn_sso_saml_serv1/metadata.xml
usernameParameter
kibana YAML setting.
groupsParameter
to the parameter name found in the assertion message to the kibana YAML setting.

Soon we will create a specific guide only for OpenID, like the ones we have for SAML
ror_kbn_auth
bridge
readonlyrest.yml
groupsParameter
(see below), you can also restrict ACL to specific groups:
userinfo
token in ACL rules by using {{jwt:assertion.<path_to_your_claim>}}
syntax. See the dedicated section for more information. (TIP: Do not forget the assertion
prefix in front of your jsonpath.)
kibana.yml
and append:
http://localhost:5601/*
assuming kibana is listening on localhost and on the default port.
usernameParameter
kibana YAML setting.
groupsParameter
to the parameter name found in the assertion message to the kibana YAML setting. (TIP: the groupsParameter
must be present in the userinfo
token of your OIDC provider.)
server.host:server.port
defined in kibana.yml. (This parameter can also be used when kibana is bound to 0.0.0.0, for example, if using docker.)
/login
.kibana.yml
cookiePass
.conf/kibana.yml
and add:
readonlyrest_kbn.cookiePass: "generatedStringIn1step" (example: "12345678901234567890123456789012")
readonlyrest_kbn.cookieName (custom cookie name - this property is optional, if not specified default cookie name would be rorCookie)
readonlyrest_kbn.store_sessions_in_index: true (enable session storage in index)
readonlyrest_kbn.sessions_index_name: "someCustomIndexName" (index name - this property is optional, if not specified default index would be .readonlyrest_kbn_sessions)
readonlyrest_kbn.sessions_refresh_after: 1000 (time in milliseconds, describes how often sessions should be fetched from ES and refreshed for each node - optional, by default 2 seconds)
readonlyrest_kbn.sessions_probe_interval_seconds: 15 (default 10s) how often should the browser poll Kibana to check if their session is still valid. Raise this value if you connect to Kibana through slow networks (i.e. VPN), or have very slow loading dashboards.
config/kibana.yml
and append the following:
</head>
).
config/kibana.yml
and append the following:
config/kibana.yml
and append the following:config/kibana.yml
: