
gnuhpc / kibana-multitenant-proxy

Licence: other
A proxy that sits behind nginx and in front of Kibana (4.x, 5.x) to provide data isolation between users


# kibana-multitenant-proxy

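When Kibana 4.x/5.x accesses Elasticsearch, this proxy provides multi-tenant data access isolation (a user can only see a restricted set of indices), field masking, and per-index query range limits. You are welcome to try it, send PRs, share feedback, and star the project.

The offline package has not been uploaded yet, please wait. If you need it urgently, install it online first, then package it yourself and copy it into the environment that cannot reach the Internet.

A proxy that sits behind nginx and in front of Kibana to provide data isolation between users

## Why Nodejs?

The Kibana distribution ships with its own node. NodeJS was chosen to keep deployment simple, and because Kibana access does not involve much concurrency, not out of familiarity with the language.

## Architecture diagram

  • As shown in the diagram, setting server.host: "localhost" in Kibana's configuration file kibana.yml blocks access to Kibana's port 5601 from any IP other than the local address. Non-local IPs can then reach Kibana only through port 9999, while access through the proxy is controllable and leaves access logs that can be queried.
  • The proxy relies on Nginx Basic Auth for user authentication.
  • When a client browser accesses Kibana through port 9999, the user must authenticate first. After Nginx verifies the credentials, Kibana Proxy checks the user name in the request against the index being accessed, and only requests that match the user's permissions are let through, which isolates data between user groups. A permission consists of a user name and the index prefixes that user may access. For example, once the logstash-cbank permission is configured, the user can access every index whose name starts with logstash-cbank, such as logstash-cbank-2016.08.26.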
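The prefix check described above can be sketched as follows. This is an added example, not the project's own code: the function names and the permission table are hypothetical, and it assumes the index names arrive in an Elasticsearch `_msearch` body and that `root` is unrestricted.

```javascript
// Added sketch, not the project's code. All names here are hypothetical.

// Constructed permission table: user name -> index prefixes it may read.
const PERMISSIONS = { alice: ['logstash-cbank'], root: [] };

// Nginx has already verified the password; the proxy only needs the name.
function userFromBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  return sep > 0 ? decoded.slice(0, sep) : null;
}

// An _msearch body is NDJSON: header line, query line, header line, ...
// Collect every index named in the header lines.
function indicesFromMsearch(body) {
  const lines = body.split('\n').filter((l) => l.trim() !== '');
  const indices = [];
  for (let i = 0; i < lines.length; i += 2) {
    const index = JSON.parse(lines[i]).index;
    // A header without "index" would search everything: record it as "_all".
    if (index === undefined) indices.push('_all');
    else indices.push(...[].concat(index).join(',').split(','));
  }
  return indices;
}

function isAllowed(user, indices, permissions = PERMISSIONS) {
  // hasOwnProperty keeps names like "constructor" from matching the prototype.
  const known = user && Object.prototype.hasOwnProperty.call(permissions, user);
  if (!known) return false; // unknown or missing user: fail closed
  if (user === 'root') return true; // assumption: root may read every index
  return indices.length > 0 &&
    indices.every((ix) => permissions[user].some((p) => ix.startsWith(p)));
}

// Any parse error is treated as a denial rather than passed to Kibana.
function checkRequest(authHeader, body) {
  try {
    return isAllowed(userFromBasicAuth(authHeader), indicesFromMsearch(body));
  } catch (e) {
    return false;
  }
}
```

A wildcard such as `logstash-*` is rejected for a user limited to `logstash-cbank` because the requested pattern itself must start with an allowed prefix.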

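## Prerequisites

  • Install nodejs (installing Kibana is enough)
  • The offline installation package kibana_proxy.tar.gz
  • If you do not have the offline package, you can also connect to the public Internet and download it online through npm

## Installation steps

  • Offline mode: extract kibana_proxy.tar.gz
    • tar -zxvf kibana_proxy.tar.gz
  • Online mode: install through npm
    • npm install kibana_proxy
  • Add the environment variable: add the nodejs path to PATH
    • export PATH=/logger/kibana-4.5.1-linux-x64/node/bin:$PATH
  • Run
    • Enter the project directory: cd kibana_proxy
    • Start: nohup node app.js &
    • The message "The proxy is listening on port xxxx" means the proxy started successfully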

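## Proxy configuration

  • kibana_proxy is configured in JSON format; the settings live in the config.json file
    • "port": "8888", the port the proxy listens on
    • "refreshPort": "8889", the port that listens for configuration and user information refresh requests
    • "kibanaServer": "http://127.0.0.1:5601", the address and port of the backend Kibana
    • "es_Server":"http://127.0.0.1:9201/", the Elasticsearch address and port
    • "es_UserInfoUrl":"http://127.0.0.1:9201/.user/user_info/", the location where user permissions are stored
    • "chkTimeRange":"false", whether to enable the query time span check
    • "totalNum":40000, the maximum number of records a single query may cover when the time span check is enabled
    • "dataMask":"true", whether to enable data masking
    • The data masking setting dataMaskConfig supports multiple index prefixes and multiple fields, and supports regular-expression matching. The entry below applies to indices whose prefix is logstash-sfshm: it replaces every 2016 in the message field with xxxx and every 1 in the @version field with x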
    • {"indexPrefix":"logstash-sfshm","maskFields":[{"maskField":"message","maskReg":"/2016/g","maskValue":"xxxx"},{"maskField":"@version","maskReg":"/1/g","maskValue":"x"}]},
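How a rule of this shape can be applied to a search response, as an added example that is not the project's own code. The function names are hypothetical, the rule is the one shown above, and forcing the `g` flag is an assumption made here so that a pattern written without it still masks every occurrence.

```javascript
// Added sketch, not the project's code. Function names are hypothetical.

// Rule copied from the dataMaskConfig entry shown on the page.
const DATA_MASK_CONFIG = [
  { indexPrefix: 'logstash-sfshm', maskFields: [
    { maskField: 'message', maskReg: '/2016/g', maskValue: 'xxxx' },
    { maskField: '@version', maskReg: '/1/g', maskValue: 'x' },
  ] },
];

// Turn the "/pattern/flags" string from config.json into a RegExp.
function parseMaskReg(text) {
  const m = /^\/([\s\S]+)\/([a-z]*)$/.exec(text);
  if (!m) throw new Error('maskReg must look like /pattern/flags: ' + text);
  // Assumption: force the global flag so every occurrence is masked.
  const flags = m[2].includes('g') ? m[2] : m[2] + 'g';
  return new RegExp(m[1], flags);
}

// Compile once at start-up so a bad pattern fails early, not per request.
function compileRules(config) {
  return config.map((rule) => ({
    indexPrefix: rule.indexPrefix,
    fields: rule.maskFields.map((f) => ({
      name: f.maskField, re: parseMaskReg(f.maskReg), value: f.maskValue,
    })),
  }));
}

// Mask the _source of every hit in an Elasticsearch search response.
function maskResponse(response, rules) {
  for (const hit of response.hits.hits) {
    for (const rule of rules) {
      if (!hit._index.startsWith(rule.indexPrefix)) continue;
      for (const f of rule.fields) {
        const v = hit._source[f.name];
        // Values may be numbers (e.g. @version); mask their string form.
        if (v !== undefined && v !== null) {
          hit._source[f.name] = String(v).replace(f.re, f.value);
        }
      }
    }
  }
  return response;
}
```

Search responses can carry the same values outside `_source` (for example in `highlight` sections or aggregation buckets), so a masking layer has to cover those paths as well.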

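## Usage notes

  • Nginx configuration
    • The proxy relies on Nginx Basic Auth for user authentication, so a user password file has to be generated on the Nginx server with htpasswd. The bundled shell script can be used for quick setup and takes three arguments: sh add_user_inES.sh username password accessible-index-prefix (if the user name is root, all indices can be accessed)
    • Architecturally the proxy sits between Nginx and Kibana, so the corresponding port mapping has to be configured in Nginx, mapping the Nginx port that users access to the port the proxy listens on
  • Kibana configuration
    • Setting server.host: "localhost" in Kibana's configuration file kibana.yml blocks access to Kibana's port 5601 from any IP other than the local address. Non-local IPs can then reach Kibana only through Nginx and the proxy, access through the proxy is controllable, and Nginx keeps access logs that can be queried
  • Refreshing the proxy's configuration
    • The proxy synchronizes user permissions and related configuration when it starts. To refresh this information while the proxy is running, access the proxy's port 8889 (configurable)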