I have developed a web app that does its own user authentication and session management. I keep some data in Elasticsearch and now want to access it with Kibana.
Elasticsearch offers a RESTful web API without any authentication, and Kibana is a purely browser-side JavaScript application that accesses Elasticsearch by direct AJAX calls. That is, there is no "Kibana server", just static HTML and JavaScript.
My question is: How do I best implement common user sign on between the existing web app and Elasticsearch?
I am interested in specific Elasticsearch/Kibana solutions, but also in generic designs for single sign on to web apps and the external web APIs they use.
It seems the recommended way to secure Elasticsearch/Kibana is to have an Apache or Nginx reverse proxy in front that does SSL termination and user authentication (Basic auth). However, this doesn't play too well with the HTML form user authentication in my existing web app. Ideally I would like the user to sign on using the web app, and then be allowed direct access to the Elasticsearch API as well.
Solutions I've thought of so far:
- Proxy everything in the web app: Have all calls go to the web app (server) which does the authentication, and have the web app issue the same request to the Elasticsearch web API and forward the response back to the browser.
- Have the web app (server) store session info that Apache or Nginx somehow can look up and use to authorize access to the reverse proxy.
- Ditch web app sign on and use basic auth for everything.
Note that this is a single installation, so I don't really need any federated SSO solutions.
My feeling is that the proxy within the web app (#1) is a common generic solution, but it seems a bit heavyweight to have everything pass through the possibly slow web app, considering that Kibana uses the Elasticsearch API directly.
I haven't found an out-of-the-box solution designed for the proxy authentication setup (#2). My idea is to have the web app store session info in memcache or the like and use some facility in the web server (Apache or Nginx) to look up the session based on a cookie and allow proxy access if authenticated.
The issue seems similar to serving static files directly using the web server (Apache or Nginx) while authenticating using a slow web app. Recommendations I've found for that are, however, very specific to that issue, like X-Sendfile.
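One way to wire option #2 (the session-cookie lookup in front of the reverse proxy), as an added example that is not part of the original post: Nginx's `auth_request` module sends a subrequest to a small endpoint before proxying to Elasticsearch, and that endpoint only has to answer 200 or 401 based on whether the web app's session cookie maps to a live session. The check below is that endpoint's logic; the cookie name, ports, session ids and the dict standing in for memcached are all assumptions.

```python
import time
from http.cookies import CookieError, SimpleCookie

# Matching Nginx fragment (assumed paths and ports):
#   location /es/ {
#       auth_request /auth;                 # subrequest must return 2xx
#       auth_request_set $auth_user $upstream_http_x_auth_user;
#       proxy_pass http://127.0.0.1:9200/;  # Elasticsearch
#   }
#   location = /auth {
#       internal;
#       proxy_pass http://127.0.0.1:5000;   # web app's auth endpoint
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#   }

COOKIE_NAME = "webapp_session"  # assumed name of the web app's session cookie

# Constructed session store shared with the web app; a dict stands in for
# memcached so the example runs offline. Value: (username, expiry epoch).
SESSION_STORE = {
    "sid-valid": ("alice", time.time() + 3600),
    "sid-expired": ("bob", time.time() - 10),
}


def session_id_from_cookie_header(cookie_header):
    """Return the web app's session id from a raw Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:  # malformed header: treat as unauthenticated
        return None
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def auth_subrequest(headers, store=SESSION_STORE, now=None):
    """Handle the auth_request subrequest.

    Returns (status, response_headers): 200 lets Nginx proxy the request
    to Elasticsearch, 401 makes Nginx reject it before it reaches the API.
    The user name is passed back so Nginx can log or forward it.
    """
    now = time.time() if now is None else now
    sid = session_id_from_cookie_header(headers.get("Cookie"))
    entry = store.get(sid) if sid else None
    if entry is None:
        return 401, {}
    user, expires = entry
    if now >= expires:  # expired session: deny, same as unknown
        return 401, {}
    return 200, {"X-Auth-User": user}
```

The web app keeps writing sessions to the shared store exactly as it does today; only this read-only check sits on the request path to Elasticsearch.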