[DOCS] Clarify elasticsearch.requestHeadersWhitelist setting #16254

Closed
pickypg opened this issue Jan 24, 2018 · 1 comment · Fixed by #52675
pickypg commented Jan 24, 2018

In the current docs, we do not really explain the ramifications of changing elasticsearch.requestHeadersWhitelist.

https://www.elastic.co/guide/en/kibana/current/settings.html

elasticsearch.requestHeadersWhitelist:
Default: [ 'authorization' ] List of Kibana client-side headers to send to Elasticsearch. To send no client-side headers, set this value to [] (an empty list).

This is further compounded by the example kibana.yml showing a similar comment:

kibana/config/kibana.yml

Lines 68 to 70 in 39994b4

```yaml
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
```

It sounds a lot more secure to send no headers, but it means that you can never authenticate a request against an instance of Elasticsearch that requires Basic Authentication.

We should probably note that removing the authorization header from being whitelisted means that you cannot use Basic Authentication from Kibana.

@pickypg pickypg added Team:Docs good first issue low hanging fruit labels Jan 24, 2018
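
The effect described in the issue, as an added example that is not part of the thread and not Kibana's own code: a simplified model of whitelist-based header forwarding, showing that `[]` drops the `Authorization` header so Elasticsearch never receives Basic credentials. The function names, the case-insensitive matching, and the sample request are assumptions constructed for illustration.

```javascript
// Simplified model of whitelist-based header forwarding.
// Hypothetical helpers for illustration; not Kibana's implementation.

// Keep only the incoming headers whose names appear in the whitelist.
// Assumption: names are compared case-insensitively, as HTTP header names are.
function filterHeaders(incoming, whitelist) {
  const allowed = new Set(whitelist.map((h) => h.trim().toLowerCase()));
  const forwarded = {};
  for (const [name, value] of Object.entries(incoming)) {
    const key = name.toLowerCase();
    if (allowed.has(key)) forwarded[key] = value;
  }
  return forwarded;
}

// Report what a given whitelist does to a request that carries credentials.
function auditWhitelist(whitelist, incoming) {
  const forwarded = filterHeaders(incoming, whitelist);
  const dropped = Object.keys(incoming)
    .map((h) => h.toLowerCase())
    .filter((h) => !Object.hasOwn(forwarded, h));
  return {
    forwarded,
    dropped,
    // Without this header, a cluster requiring Basic Authentication rejects the request.
    credentialsForwarded: Object.hasOwn(forwarded, 'authorization'),
  };
}

// Constructed sample request from a browser session (values are made up).
const sampleRequest = {
  Authorization: 'Basic ' + Buffer.from('elastic:changeme').toString('base64'),
  Cookie: 'sid=constructed-example',
  'X-Forwarded-For': '203.0.113.7',
};

const withDefault = auditWhitelist(['authorization'], sampleRequest); // documented default
const withEmpty = auditWhitelist([], sampleRequest); // "send no client-side headers"

console.log('default [ authorization ]:', withDefault);
console.log('empty []:', withEmpty);
```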
@nityanandagohain

I want to work on this

@LeeDr LeeDr added the Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc label Aug 14, 2018