Commit 9592f1dc authored by CI Runner's avatar CI Runner
Browse files

Add kibana limits for client certificates and kerberos

parent 842d0186
......@@ -46,7 +46,7 @@ kerberos_auth_domain:
Depending on the browser you are using, make sure you have configure the Kibana domain correctly for Kerberos authentication. Please refer to the documentation of your browser for further instructions.
## Known Issues
## Known Issues/Limitations
## X-Pack Monitoring
......@@ -56,6 +56,10 @@ Due to a bug regarding handling HTTP error codes 401 and 403 in X-Pack, it is cu
Due to the way HTTP requests are handled by the machine learning module internally, it is currently not possible to use X-Pack Machine Learning with Kerberos.
## Kibana URL shortener
It's currently not possible to use the Kibana URL shortener together with Kibana/SPNEGO due to technical limitations of the Kibana architecture.
## Disabling the replay cache
Kerberos/SPNEGO has a security mechanism called "Replay Cache". The replay cache makes sure that an Kerberos/SPENGO token can be used only once in a certain timeframe. This conflicts with the Kibana request handling, where one browser request to Kibana can result in multiple requests to Elasticsearch.
......
......@@ -62,4 +62,8 @@ elasticsearch.requestHeadersWhitelist: [ "Authorization", "x-forwarded-for", "x-
Regardless which authentication method you choose for your users, the internal Kibana server user will always pass its credentials as base64-encoded HTTP Basic Authentication header. You need to configure at least one Search Guard authentication domain on Elasticsearch side that supports HTTP Basic authentication.
This does not mean that you need to enable Basic Authentication for regular users. The Kibana server user operates under the hood and is independant from user authentication.
\ No newline at end of file
This does not mean that you need to enable Basic Authentication for regular users. The Kibana server user operates under the hood and is independant from user authentication.
## About certificate based authentication
We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture.
\ No newline at end of file
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment