Authentication for Elasticsearch and Kibana
Danger
This documentation applies to a deprecated product. Chef Automate includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features. Chef Automate is included as part of the Workflow license agreement and is available via subscription.
Node data in Chef Automate is stored in Elasticsearch and viewable in the Chef Automate UI as well as Kibana. Access to Chef Automate’s Elasticsearch and Kibana is protected by the same authentication used by the Chef Automate user interface. Elasticsearch authentication is enabled by default.
Note
As of Chef Automate 1.6.87, Kibana is no longer enabled by default. To enable it, see the Kibana setup documentation. In prior versions of Chef Automate, Kibana and its authentication are enabled by default.
How It Works
- User logs into the Chef Automate UI normally.
- Chef Automate stores information about the user’s session in browser local storage as well as a browser cookie.
- If authentication is enabled for Elasticsearch or Kibana, Chef Automate’s web server will look for the session cookie and validate the session is valid and active.
- If the session is valid and active, the request is permitted.
- If the session is invalid, or if no session information is present, the
server returns a
401 Unauthorized
message.
Accessing Elasticsearch with Authentication - Node Visibility UI
The Automate node visibility UI performs a number of queries to Elasticsearch in order to present the node visibility data. The Chef Automate server will validate each of the Elasticsearch requests with the session cookie information as described in the How It Works section above.
Accessing Elasticsearch with Authentication - API/CLI
If you wish to access Elasticsearch via your Chef Automate server via a
CLI tool (such as curl
) or an API client (such as
elasticsearch-ruby),
you must pass three additional HTTP headers in your requests for your
request to be properly authenticated:
chef-delivery-user
: the Chef Automate username for whom a token has been generatedchef-delivery-token
: a valid token generated for the userchef-delivery-enterprise
: the Chef Automate enterprise name. This is the string after the/e/
in your Chef Automate URLs.
Example: if your Workflow dashboard URL is https://my-automate-server.mycompany.biz/e/coolcompany/#/dashboard
and your enterprise is coolcompany
.
To generate a token, use the delivery token
command of the Delivery
CLI.
For example, to pass the required headers using curl:
curl https://my-automate-server.mycompany.biz/elasticsearch/_cat/indices -H "chef-delivery-user: myuser" -H "chef-delivery-enterprise: coolcompany" -H "chef-delivery-token: s00pers33krett0ken"
Accessing Kibana with Authentication
Your browser must have a valid cookie containing a valid token before access to Kibana will be permitted. If you encounter a “401 Unauthorized” error message, follow these steps:
- Log into the Chef Automate UI normally.
- Change your browser URI to
/kibana
.
Example: https://my-automate-server.mycompany.biz/kibana
Configuration
Warning
If you wish to disable authentication for either Kibana or
Elasticsearch, you may use the following configuration parameters in
your /etc/delivery/delivery.rb
configuration file:
elasticsearch['enable_auth']
: Iftrue
, a valid user/enterprise/token must be supplied in a cookie or in HTTP headers for the request to be accepted and passed to Elasticsearch. Iffalse
, all Elasticsearch queries are permitted without authentication. Default:true
kibana['enable_auth']
: Iftrue
, a valid user/enterprise/token must be supplied in a cookie or in HTTP headers for access to be granted to the Kibana UI. Iffalse
, all Kibana access is permitted without authentication. Default:true