Auto sign-in to an embedded Kibana dashboard iframe

What I Want to Achieve

I pasted a Kibana dashboard’s iframe code in my webapp, which works fine. I’m trying to skip the sign-in screen.

What I Tried

Since I already have the user’s credentials in memory, I figured an AJAX call to /api/v1/auth/login before loading the embedded dashboard should set the appropriate cookie and skip the sign-in screen.

The issue is, Kibana will only accept the request if it has a kbn-version header. But if I add a kbn-version header to the AJAX request, the pre-flight OPTIONS request fails with:

“CORS error: Some headers are not allowed”

I have tried adding kbn-version to some Hapi configuration settings such as server.cors.additionalHeaders, server.cors.headers, server.cors.exposedHeaders, and server.cors.additionalExposedHeaders but none of them seem to work.

This is my custom-kibana.yml file:

$ cat custom-kibana.yml 
---
# Default Kibana configuration from kibana-docker.

server.name: kibana
server.host: "0"
server.cors : true
server.cors.origin: ['*']
server.cors.additionalHeaders: ['kbn-xsrf', 'kbn-version']
server.cors.headers: ["accept", "authorization", "content-type", "if-none-match", "origin", "kbn-xsrf", "kbn-version"]
server.cors.exposedHeaders: ["accept", "authorization", "content-type", "if-none-match", "origin", "kbn-xsrf", "kbn-version"]
server.cors.additionalExposedHeaders: ['kbn-xsrf', 'kbn-version']
# server.ssl.enabled: true
# server.ssl.key: kibana.pem
# server.ssl.certificate: kibana-key.pem
elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: <pw>
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

My Question

How do I skip the sign-in screen, either by solving the issue I encountered or in any other way?
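An added example, not part of the thread: a small model of the browser-side CORS preflight decision, so the failure above can be reproduced offline. The origin `https://webapp.example` and the header sets are constructed; the request is the login call from the post (credentialed, with `kbn-xsrf` and `kbn-version`). It also shows that a wildcard `Access-Control-Allow-Origin` is never accepted for a credentialed (cookie-setting) request, so the origin must be listed explicitly.

```javascript
// Added example (not code from the thread). Simulates how a browser judges a
// CORS preflight response for a cross-origin XHR/fetch request.
// `request`  : what the page is about to send (origin, credentials flag, and the
//              non-safelisted request headers it adds).
// `preflight`: response headers returned on the OPTIONS request (lower-case keys).
// Returns a list of reasons the browser would block the request (empty = allowed).
function evaluatePreflight(request, preflight) {
  const problems = [];
  const allowOrigin = preflight['access-control-allow-origin'];
  const allowCreds =
    (preflight['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  const allowHeaders = (preflight['access-control-allow-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Origin: exact match, or "*" only when the request carries no credentials.
  if (allowOrigin !== request.origin) {
    if (allowOrigin !== '*' || request.credentials) {
      problems.push(`origin ${request.origin} not allowed (got ${allowOrigin})`);
    }
  }
  // A credentialed request (cookies) also needs Allow-Credentials: true.
  if (request.credentials && !allowCreds) {
    problems.push('credentials requested but Access-Control-Allow-Credentials is not true');
  }
  // Every custom request header must be listed in Allow-Headers;
  // "*" there is a wildcard only for non-credentialed requests.
  const wildcard = allowHeaders.includes('*') && !request.credentials;
  for (const h of request.headers.map((x) => x.toLowerCase())) {
    if (!wildcard && !allowHeaders.includes(h)) {
      problems.push(`header ${h} not allowed`);
    }
  }
  return problems;
}

// Constructed sample: the login call from the post, sent from a hypothetical origin.
const loginRequest = {
  origin: 'https://webapp.example',
  credentials: true, // the session cookie must be stored, so credentials are on
  headers: ['content-type', 'kbn-xsrf', 'kbn-version'],
};
// Constructed: a preflight that only lists the default header set.
const defaultPreflight = {
  'access-control-allow-origin': '*',
  'access-control-allow-headers': 'accept, authorization, content-type, if-none-match, origin',
};
// Constructed: a preflight that names the embedding origin and the Kibana headers.
const fixedPreflight = {
  'access-control-allow-origin': 'https://webapp.example',
  'access-control-allow-credentials': 'true',
  'access-control-allow-headers': 'content-type, kbn-xsrf, kbn-version',
};
```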

Hello yigal!

Please, did you achieve skipping the sign-in screen on an embedded Kibana dashboard iframe?

I'm also interested in this; does anyone have a solution?

@yigal, @gferrette, @victor. Setting the CORS headers can be done on the server. Maybe some of these will work:

add_header 'Access-Control-Allow-Origin' "*" always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT, HEAD';
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'DNT, If-Modified-Since, Cache-Control, Range, User-Agent, Keep-Alive, Content-Type, kbn-version, kbn-xsrf, Origin, X-Requested-With, Accept, Engaged-Auth-Token, Content-Length, Authorizati$
add_header 'Access-Control-Expose-Headers' 'Content-Security-Policy, Location, Content-Length, Content-Range';

This can also be done with Nginx and basic authentication. The username: password needs to be converted into base64 with a colon between them. Converting the name “username” and the password “password” on this website https://www.base64encode.org/ will return dXNlbmFtZTpwYXNzd29yZA==. Every time a user visits Kibana it will send the Authorization header with the credentials. The code is:

server {
    listen 80;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:5601;
        # Inject the fixed basic-auth credentials on every proxied request
        proxy_set_header Authorization "Basic dXNlbmFtZTpwYXNzd29yZA==";
    }
}