Anonymous access

[elasticmachine]

Original comment by @jguay:

Kibana version:
6.0.0
Elasticsearch version:
6.0.0
Description of the problem including expected versus actual behavior:
Customer would like to use kibana with anonymous user but using new "kibana_dashboard_only_user" role's restricted UI
Steps to reproduce:

1. Define anonymous_user in elasticsearch with role kibana_dashboard_only_user
2. Kibana displays a login page so it's not possible to use the anonymous user
3. xpack.security.enable: false in kibana.yml will partially workaround if user also has cluster/monitor privilege. However user will have unrestricted UI (hence be able to create any dangerous vizualisation and get errors when trying to save them to .kibana)

Describe the feature:
Feature would be to have new setting for kibana like "xpack.security.anonymous.enable" which when set to true would remove the login page and go straight in using anonymous user against ES
After this user gets logged in, the logout button should be removed. Or even better allow option to replaced by "login" button if another option xpack.security.anonymous.redirecturl is set (so that user is redirected to another kibana instance using standard security)

[elasticmachine]

Original comment by @kobelb:

@azasypkin created a proof of concept for this, but it ended up being more complicated than he anticipated. The need to hide additional UI elements in this scenario, for example because the user is unable to log-out, and the interaction with the other authorization providers became problematic and need to be addressed when we look into implementing this again.

[georgezoto]

I think this is a much needed feature 👍 !

A workaround that thanks to @thomasneirynck and @tsullivan I was able to put in place, will not work for all cases: https://discuss.elastic.co/t/auto-authenticating-to-iframe-embedded-kibana-dashboard/46091

In my case, our organization's visualizations would be part of a public site, conveying information freely. I cannot expect users to enter credentials 5 times for 5 sample visualizations or even once, for a single dashboard. This is popular feature among many other visualization platforms (tableau, powerbi, google studio, qlik and more). Please provide us with an assessment of what it would take to implement this feature, I am more than happy to contribute in any way possible!

Thank you in advance,
George

[ynux]

We need this, too.

Use case: The Refugee Datathon Munich Dashboard, running on elastic cloud. https://refugee-datathon-muc.org/english-pages/welcome-to-our-dashboard/. We definitely need our data protected. Our dashboard is on the web.

We prepared a read only role + user for our web visitors, but we have to provide them with a username and a password, and they still have to log in. Web visitors don't like that much, and this means much less usage of our beautiful dashboard. It's possible to give username and password in the browser link to the dashboard, but then their browser will warn them that there's something fishy going on, and it feels even weirder.

[leightonb]

We need something similar, we'd like to be able to embed a dashboard without a login page. We have seen the workarounds using a proxy but are after a solution like '?embed=true&anonymous=true' in the iframe src url. The embedded dashboard does not need any UI elements hidden as it only contains visualisations we've selected and is read-only.

We looked at the new Kibana Spaces hoping for a solution but were unable to have an anonymous Space.

An example use case is visible at https://www.communityinformationexchange.com.au/.

Update:
We got around this with a simple ASP.Net Core Proxy project available at https://github.com/aspnet/AspLabs/tree/master/src/Proxy (not ours)

We used the sample project with the following changes to the Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    services.AddProxy(options =>
    {
        options.PrepareRequest = (originalRequest, message) =>
        {
            message.Headers.Add("X-Forwarded-Host", originalRequest.Host.Host);
            message.Headers.Add("X-Found-Cluster", "<your-cluster-id>");
            message.Headers.Add("Authorization", "Basic <base64_encoded_username:password>");
            return Task.FromResult(0);
        };
    });
}

We then deployed this to a subdomain (e.g. kibanaproxy.yourdomain.com) and changed our iframe src domain from https://clusterid.blah.found.io:5601 to https://kibanaproxy.yourdomain.com, leaving the rest of the url the same. Viewing the use case link above now works without signing in.

[Ralnoc]

This is definitely a very important feature. It is not uncommon for Admins to need to be able to grant read only access to Dashboards, and creating a xpack security disabled Kibana that allows users to create visualizations but not be able to save them isn't a great solution.

From a usability perspective, we really only need to mimic the behavior of creating a read only account that has limited access to specific indices. The only difference being that it is the anonymous user. Then as described, add a configuration item for Kibana of something like xpack.security.anonymous.enable that can be set to true.

The setup for usage would be this:

1. Enable the anonymous user in Elasticsearch
2. Assign anonymous user to the roles that grant read access to the indices & spaces you want everyone to be able to view data from.
3. Set xpack.security.anonymous.enable to true in Kibana

This is how I see the implementation of this to behave for the users:

1. When a user lands on Kibana, they are immediately routed to the kibana.defaultAppId
2. The profile button in the top right corner is instead a Login button.
3. User can navigate to anything as they would as a normal logged in user with limited read access, only as the anonymous user.
4. Caveat to this, it would obviously be preferred if the Anonymous users only had the option to switch spaces if they had access and go to the Dashboards section. All other app interfaces would be disabled.
5. When someone clicks on Login it takes them to the login page and they can log in to use it as a normal user.
6. When they click Logout it switches them over to the anonymous access again.

I hope this feature gets revisited and prioritized soon.

[tomhe]

This is how I see the implementation of this to behave for the users:

Yes, exactly like this. We really need this also. Currently we need to have two Kibana instances:

• one without security enabled where users have read access to dashboards
• one with security enabled with role-based write access to authenticated users

It would be great if we could avoid this and just use the same instance where users are anonymous until they log in.

[siben168]

We need this too, currently there are certain dashboards in my company that we would encourage everyone to use them freely, but a login requirement will sometime make users annoyed since they don't know where to get user name and password.

[antoineberthelin]

Hello, I need it, my proposition:

• In front side, we are able to get bearer for the user using our backend (with /_security/oauth2/token xpack functionality) and include dashboard iframe with bearer
• You could allow the bearer in dashboard iframe URI to avoid proxy on our side ?
  What do you think ?

Thanks