---
title: Kibana設置安全性
tags: Kibana
---
# Kibana設置安全性
## Configuring security in Kibana
Kibana users have to log in when X-Pack security is enabled on your cluster. You configure X-Pack security roles for your Kibana users to control what data those users can access.
Most requests made through Kibana to Elasticsearch are authenticated by using the credentials of the logged-in user. There are, however, a few internal requests that the Kibana server needs to make to the Elasticsearch cluster. For this reason, you must configure credentials for the Kibana server to use for those requests.
With X-Pack security enabled, if you load a Kibana dashboard that accesses data in an index that you are not authorized to view, you get an error that indicates the index does not exist. X-Pack security do not currently provide a way to control which users can load which dashboards.
如果你的權限本身就不能看某個index,有了security後,就算透過kibana也不能讀取該index
### To use Kibana with X-Pack security:
1. [Configure security in Elasticsearch.](https://www.elastic.co/guide/en/elasticsearch/reference/7.6/configuring-security.html)
2. Configure Kibana to use the appropriate built-in user.
Update the following settings in the kibana.yml configuration file:
```python=
elasticsearch.username: "kibana"
elasticsearch.password: "kibanapassword"
```
<font color=Red>設定kibana的帳密是作為 Kibana server 要access the cluster monitoring APIs和 .kibana index</font>,kibana server不需要access user indices.
The password for the built-in kibana user is typically set as part of the X-Pack security configuration process on Elasticsearch. For more information, see Built-in users.
3. Set the `xpack.security.encryptionKey` property in the `kibana.yml` configuration file. You can use any text string that is 32 characters or longer as the encryption key.
```python=
xpack.security.encryptionKey: "something_at_least_32_characters"
```
For more information, see Security Settings in Kibana.
#### 可設置timeout to expire設定,否則這個session就會一直active直到瀏覽器被關閉
4. Optional: Set a timeout to expire idle sessions. By default, a session stays active until the browser is closed. To define a sliding session expiration, set the xpack.security.session.idleTimeout property in the kibana.yml configuration file. The idle timeout is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y] `(e.g. 70ms, 5s, 3d, 1Y). For example, set the idle timeout to expire idle sessions after 10 minutes:
```python=
xpack.security.session.idleTimeout: "10m"
```
#### session可以繼續活著!
5. Optional: Change the maximum session duration or "lifespan" — also known as the "absolute timeout". By default, a session stays active until the browser is closed. If an idle timeout is defined, a session can still be extended indefinitely. To define a maximum session lifespan, set the xpack.security.session.lifespan property in the kibana.yml configuration file. The lifespan is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. 70ms, 5s, 3d, 1Y). For example, set the lifespan to expire sessions after 8 hours:
```python=
xpack.security.session.lifespan: "8h"
```
6. Optional: [Configure Kibana to encrypt communications.](https://www.elastic.co/guide/en/kibana/current/configuring-tls.html) // [筆記](/-H4AmxRZQlOjZqmQpeaB6w)
7. Optional: [Configure Kibana to authenticate to Elasticsearch with a client certificate.](https://www.elastic.co/guide/en/kibana/current/elasticsearch-mutual-tls.html) //[筆記](/HpR5OuMvR9KDOOUdtO31vw)
8. Restart Kibana.
9. Choose an authentication mechanism and grant users the privileges they need to use Kibana.
For more information on Basic Authentication and additional methods of authenticating Kibana users, see [Authentication](https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html).
<font color=blue>You can manage privileges on the Management / Security / Roles page in Kibana.</font>
### 透過curl的方式設定security priviledge
If you’re using the native realm with Basic Authentication, you can assign roles using the Management / Security / Users page in Kibana or the user management APIs. For example, the following creates a user named jacknich and assigns it the kibana_admin role:
```python=
POST /_security/user/jacknich
{
"password" : "t0pS3cr3t",
"roles" : [ "kibana_admin" ]
}
```
For example, create roles that have read and view_index_metadata privileges on specific index patterns. For more information, see [User authorization](https://www.elastic.co/guide/en/elasticsearch/reference/7.6/security-api.html#security-user-apis).
Verify that you can log in as a user. If you are running Kibana locally, go to `https://localhost:5601` and enter the credentials for a user you’ve assigned a Kibana user role. For example, you could log in as the user jacknich.
This must be a user who has been assigned Kibana privileges. Kibana server credentials should only be used internally by the Kibana server.
參考資料:https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
Sign in with Wallet
Connect another wallet