Kibana API Tokens #5267

@Bargs

Now that we're adding REST API endpoints to the Kibana server (see #5199), we need a way to secure them. We need to prevent CSRF, but we can't just generate CSRF tokens per page load because a user might be hitting these endpoints from a client we don't control (e.g. a configuration management system automatically bootstrapping a Kibana instance). As a result we'll need to implement an API token system that gives these users access to the API in a secure manner.

Some discussion points:

  • Should these endpoints be accessible by both API token and session + CSRF token so the existing Kibana frontend can use them without being converted to use API tokens?
  • How do we generate the token? Do we use something like JWT?
  • Do we need to persist the token? Where will they be persisted?
  • How do we leverage Shield, since Kibana itself doesn't have a concept of users?
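One possible shape for the dual-path check raised in the discussion points, as an added example that is not Kibana's code or a decision from this issue: an endpoint guard that accepts either a bearer API token or a browser session plus a CSRF header. The function names, the in-memory `tokenStore`, the `x-csrf-token` header name and the request shape are all hypothetical.

```javascript
// Added example, not Kibana code. All names below are hypothetical.
const crypto = require('node:crypto');

const sha256 = (value) => crypto.createHash('sha256').update(value).digest();

// Stand-in for wherever tokens would be persisted. Only the SHA-256 of each
// token is kept, so a leaked store does not hand out usable tokens.
const tokenStore = new Map(); // hex(sha256(token)) -> { owner }

function issueApiToken(owner) {
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  tokenStore.set(sha256(token).toString('hex'), { owner });
  return token; // returned to the caller once, never stored in clear
}

// Constant-time string comparison; hashing first gives timingSafeEqual the
// equal-length buffers it requires.
function safeEqual(a, b) {
  return crypto.timingSafeEqual(sha256(String(a)), sha256(String(b)));
}

// req is a simplified request: { headers, session }.
function authorize(req) {
  const auth = req.headers['authorization'] || '';
  if (auth.startsWith('Bearer ')) {
    // Non-browser clients: a browser never attaches this header on its own,
    // so a cross-site request cannot ride on it and no CSRF token is needed.
    const entry = tokenStore.get(sha256(auth.slice(7)).toString('hex'));
    return entry
      ? { ok: true, via: 'api-token', owner: entry.owner }
      : { ok: false, reason: 'unknown api token' };
  }
  if (req.session) {
    // Browser path: the session cookie is sent automatically, so the request
    // must also carry the per-session CSRF token in a header.
    const sent = req.headers['x-csrf-token'];
    if (sent && safeEqual(sent, req.session.csrfToken)) {
      return { ok: true, via: 'session+csrf', owner: req.session.user };
    }
    return { ok: false, reason: 'missing or invalid csrf token' };
  }
  return { ok: false, reason: 'no credentials' };
}
```
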

Labels: Team:CorePlatform (Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc); enhancement (New value added to drive a business result)