Has anyone used IBM App ID on IBM Bluemix.net to auth Kibana users?
We found this tutorial, which uses Keycloak; we assume IBM App ID is a similar configuration?
How do we use IBM App ID to auth Kibana users?
194 views. Asked by Mike Wilcox. There are 3 answers.
Yes, this is correct. Both App ID and KeyCloak are OAuth2 and OpenID Connect providers. The major difference between them is the fact that KeyCloak is a manage-it-yourself software product, while App ID is a fully managed service.
KeyCloak provides a KeyCloak Gatekeeper container image that you should be able to configure as an authentication proxy in front of Kibana and use App ID as your identity provider.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_keycloak_generic_adapter
There are also some other OIDC proxies you might be able to use as well.
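A sketch of the Gatekeeper setup described in this answer, as an added example that is not part of the original answer or of either project's documentation. The angle-bracket values are placeholders for your App ID service credentials, `kibana.example.com` and the ports are assumptions, and it assumes Gatekeeper accepts App ID as a generic OIDC provider, as the answer suggests.

```yaml
# Keycloak Gatekeeper config file (passed with --config), constructed example.
# OIDC issuer base URL; Gatekeeper fetches the discovery document from it.
# Placeholder: the oauthServerUrl value from the App ID service credentials.
discovery-url: <APP_ID_OAUTH_SERVER_URL>
client-id: <APP_ID_CLIENT_ID>
# Keep the secret out of version control; inject it at deploy time.
client-secret: <APP_ID_CLIENT_SECRET>

# Public side of the proxy. The callback under this URL must be registered
# as an allowed redirect URL in the App ID instance.
listen: 0.0.0.0:3000
redirection-url: https://kibana.example.com

# Kibana itself. Bind Kibana to loopback (server.host: "127.0.0.1" in
# kibana.yml) so that the proxy is the only way to reach it.
upstream-url: http://127.0.0.1:5601

# Session handling: cookie only sent over HTTPS, refresh tokens stored
# encrypted. The key must be 16 or 32 characters of random data.
secure-cookie: true
enable-refresh-tokens: true
encryption-key: <32_RANDOM_CHARACTERS>

# Require an authenticated session for every path. No Keycloak roles are
# listed, so any user App ID authenticates is let through to Kibana.
resources:
  - uri: /*
```

The proxy only decides who reaches Kibana; every authenticated user gets the same Kibana and Elasticsearch access, so restrict sign-up in the App ID instance to the users who should see the data.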
Following this blog, you can use the Bell plugin with Kibana to create a custom App ID authentication strategy: https://steemit.com/kibana/@r351574nc3/2am2se-effing-better-auth-with-oauth2-for-elk
Example config:
    // `appid` is a settings object defined elsewhere (not shown in this answer).
    server.auth.strategy('appid', 'bell', {
        config: {
            authHost: appid.providerHost,
            userInfoUrl: appid.userInfoUrl
        },
        location: appid.redirectUri,
        password: appid.password,        // bell's cookie encryption password
        provider: appid.provider,
        clientId: appid.clientId,
        clientSecret: appid.clientSecret,
    });
Quick update. A couple of options: 1) Search-Guard product, 2) X-Pack or 3) ReadonlyREST (not verified).
And no, there is no free lunch. The OpenSource (Basic) edition does not include the Security features you're looking for. The most popular approach, if you want to stick with free components, is to put another reverse proxy in front of Kibana and do authentication there. Both Apache and Nginx have modules and solutions that would allow you to do authentication and AppID integration. It is relatively easy if you know what you are doing. Otherwise, prepare for a bumpy road, and that's one of the reasons why the aforementioned solutions (X-Pack, SG, ReadonlyREST) might be worth paying for.