kibana has no authentication

Bug #1556487 reported by Steven Dake
Affects   Status         Importance   Assigned to           Milestone
kolla     Fix Released   Critical     Alicja Kwasniewska
Mitaka    Fix Released   Critical     Alicja Kwasniewska

Bug Description

Kibana has no authentication. One easy solution to fix this is to serve Kibana via Apache. Then the standard apache basic authentication methods can be used. Further Kibana can be made to use TLS authentication, as is currently done with Apache.

Then we can revert #1554977. #1554977 is a bit insecure because it requires giving access to the management network to anyone that may want to look at the Kibana logs. Ideally the Kibana service would only be on the external network.

An example Apache authentication:
Listen 5601
<VirtualHost *:5601>
  ServerName localhost
  DocumentRoot /usr/share/kibana
  <Directory /usr/share/kibana>
    AuthType Basic
    AuthName "Access Restricted"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/conf.d/elk_password
    Require valid-user
  </Directory>
</VirtualHost>

Steven Dake (sdake) wrote :

Changing to critical and assigning to our kibana expert because this is a security defect.

Regards
-steve

Changed in kolla:
status: New → Confirmed
milestone: none → mitaka-rc1
importance: Undecided → Critical
assignee: nobody → Alicja Kwasniewska (alicja-kwasniewska)
Alicja Kwasniewska (alicja-kwasniewska) wrote :

Some issues/solutions/ideas:
1. Kibana 3 can be served via Apache, but this is an old version of Kibana.
2. Kibana 4 comes with a little Node.js server app that is between the Kibana UI and the Elasticsearch backend, so it is not possible to serve it via Apache.
3. It is possible to use Nginx as a proxy for Kibana 4.
4. It is possible to use Shield (from Elastic group), which now provides security for the entire Elastic Stack and includes a Kibana plugin that features a login screen and session support.

At first we decided to try solution 4.

Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-rc1 → mitaka-rc2
Steven Dake (sdake) wrote :

Alicja,

I'm open to any solution that implements at minimum a password to access the dashboard.

Steven Dake (sdake)
tags: added: rc-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (master)

Fix proposed to branch: master
Review: https://review.openstack.org/296068

Changed in kolla:
status: Confirmed → In Progress
Steven Dake (sdake)
Changed in kolla:
milestone: mitaka-rc2 → newton-1
tags: removed: rc-backport-potential
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/296650

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (master)

Reviewed: https://review.openstack.org/296650
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=ba62740a9375e52af074ca75c56ef1bafdd735af
Submitter: Jenkins
Branch: master

commit ba62740a9375e52af074ca75c56ef1bafdd735af
Author: akwasniewska <email address hidden>
Date: Wed Mar 23 12:02:49 2016 +0100

    Add kibana authentication using HAproxy

    Change-Id: Ib501571dd34cb68924775ce738499d63df5718dd
    Closes-Bug: 1556487

Changed in kolla:
status: In Progress → Fix Released
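The merged change puts the password check in HAProxy instead of Apache. The following is an added illustration of that approach, not the configuration from the kolla commit: an HAProxy frontend that demands HTTP basic auth before proxying to the Kibana 4 Node.js server. The external address, the internal Kibana address, the userlist name and the user name are assumed placeholders.

```haproxy
# Added example (not the kolla change): HTTP basic auth in HAProxy in front of Kibana 4.
# Assumptions: Kibana's own server is bound only to KIBANA_INTERNAL_IP on the
# management network, and HAProxy exposes port 5601 on the external network.
# If Kibana were reachable directly on the external network, this check could
# simply be walked around, so the internal bind address matters as much as the ACL.

userlist kibana_users
    # Keep a crypt(3)-style hash here rather than "insecure-password <plaintext>".
    # Placeholder: replace with a real hash (e.g. output of mkpasswd -m sha-512).
    user kibana password $6$REPLACE_WITH_SALT$REPLACE_WITH_HASH

frontend kibana_external
    # Plain listener; for TLS as the bug description suggests, use instead:
    # bind EXTERNAL_VIP:5601 ssl crt /etc/haproxy/kibana.pem
    bind EXTERNAL_VIP:5601
    mode http
    option forwardfor
    # http_auth() succeeds only when the Authorization header carries
    # credentials that match an entry in the userlist.
    acl kibana_auth_ok http_auth(kibana_users)
    # Anything without valid credentials gets a 401 with the realm challenge
    # and never reaches the backend.
    http-request auth realm "Access Restricted" if !kibana_auth_ok
    default_backend kibana_backend

backend kibana_backend
    mode http
    server kibana KIBANA_INTERNAL_IP:5601 check
```

A quick way to confirm the listener behaves as intended is that an unauthenticated request to EXTERNAL_VIP:5601 returns 401 while the same request against KIBANA_INTERNAL_IP:5601 is refused from outside the management network.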
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/297649

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla (master)

Change abandoned by Alicja Kwasniewska (<email address hidden>) on branch: master
Review: https://review.openstack.org/296068
Reason: replaced by authentication added in haproxy

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla (stable/mitaka)

Reviewed: https://review.openstack.org/297649
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=bdd3d1f037da53dc7b2443f34334bfffd4c0148f
Submitter: Jenkins
Branch: stable/mitaka

commit bdd3d1f037da53dc7b2443f34334bfffd4c0148f
Author: akwasniewska <email address hidden>
Date: Wed Mar 23 12:02:49 2016 +0100

    Add kibana authentication using HAproxy

    Change-Id: Ib501571dd34cb68924775ce738499d63df5718dd
    Closes-Bug: 1556487
    (cherry picked from commit ba62740a9375e52af074ca75c56ef1bafdd735af)

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 2.0.0

This issue was fixed in the openstack/kolla 2.0.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 1.1.0

This issue was fixed in the openstack/kolla 1.1.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/kolla 3.0.0.0b1

This issue was fixed in the openstack/kolla 3.0.0.0b1 development milestone.
