how to setup kibana user credentials with docker elk stack

Question

How to setup login credentials for kibana gui with docker elk stack containers.

What arguments and environmental variables must be passed in docker-compose.yaml file to get this working.

Refer to my awnser if you have a problem, https://stackoverflow.com/a/60873733/4042213 — Ebraheem Alrabeea, Mar 26 '20 at 18:21

score 5 · Answer 1 · edited Sep 25 '21 at 08:18

For setting kibana user credentials for docker elk stack, we have to set xpack.security.enabled: true either in elasticsearch.yml or pass this as a environment variable in docker-compose.yml file.

Pass username & password as environment variable in docker-compose.yml like below:

version: '3.3'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:6.6.1
    ports:
      - "9200:9200"
      - "9300:9300"
    configs:
      - source: elastic_config
        target: /usr/share/elasticsearch/config/elasticsearch.yml
    environment:
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
      ELASTIC_USERNAME: "elastic"
      ELASTIC_PASSWORD: "MyPw123"
      http.cors.enabled: "true"
      http.cors.allow-origin: "*"
      xpack.security.enabled: "true"
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

  logstash:
    image: docker.elastic.co/logstash/logstash:6.6.1
    ports:
      - "5044:5044"
      - "9600:9600"
    configs:
      - source: logstash_config
        target: /usr/share/logstash/config/logstash.yml:rw
      - source: logstash_pipeline
        target: /usr/share/logstash/pipeline/logstash.conf
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
      xpack.monitoring.elasticsearch.url: "elasticsearch:9200"
      xpack.monitoring.elasticsearch.username: "elastic"
      xpack.monitoring.elasticsearch.password: "MyPw123"
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

  kibana:
    image: docker.elastic.co/kibana/kibana:6.6.1
    ports:
      - "5601:5601"
    configs:
      - source: kibana_config
        target: /usr/share/kibana/config/kibana.yml
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

configs:
  elastic_config:
    file: ./elasticsearch/config/elasticsearch.yml
  logstash_config:
    file: ./logstash/config/logstash.yml
  logstash_pipeline:
    file: ./logstash/pipeline/logstash.conf
  kibana_config:
    file: ./kibana/config/kibana.yml

networks:
  elk:
    driver: overlay

Then add this following lines to kibana.yml:

elasticsearch.username: "elastic"
elasticsearch.password: "MyPw123"

Just in case, `elasticsearch.url` became `elasticsearch.hosts` and expects an array of URL — Vincent Decaux, Mar 24 '21 at 10:21
This will work. Note, however, that this is using the most powerful "elastic" user for all tasks, while there is a sophisticated role concept giving kibana and logstash just the privileges they need. — ynux, Feb 10 '22 at 21:26
Is there any way without using `configs` or custom `Dockerfile`s? (i.e. just using `environment`s) — Mohsenasm, Feb 21 '22 at 07:35

motizukilucas · Answer 2 · 2023-01-06T14:51:46.470

Did not managed to get it working without adding XPACK_MONITORING & SECURITY flags to kibana's container and there was no need for a config file

However I was not able to use kibana user, even after logging in with elastic user and changing kibana's password through the UI.

NOTE: looks like you can't setup default built-in users other than elastic superuser in docker-compose through it's environment. I've tried several times with kibana and kibana_system to no success.

version: "3.7"
services:   
    elasticsearch:
        image: elasticsearch:7.4.0
        restart: always
        ports:
            - 9200:9200
        environment:
            - discovery.type=single-node
            - xpack.security.enabled=true
            - ELASTIC_PASSWORD=123456
    kibana:
        image: kibana:7.4.0
        restart: always
        ports:
            - 5601:5601
        environment:
            - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
            - XPACK_MONITORING_ENABLED=true
            - XPACK_MONITORING_COLLECTION_ENABLED=true
            - XPACK_SECURITY_ENABLED=true
            - ELASTICSEARCH_USERNAME=elastic
            - ELASTICSEARCH_PASSWORD="123456"
        depends_on:
            - elasticsearch

SOURCE

NOTE: looks like this won't work with 8.5.3, Kibana won't accept superuser elastic.

Update

I was able to setup 8.5.3 but with a couple twists. I would build the whole environment, then in elastic's container run the setup-passwords auto

bin/elasticsearch-setup-passwords auto

Grab the auto generated password for kibana_system user and replace it in docker-compose then restart only kibana's container

Kibana 8.5.3 with environment variables:

kibana:
    image: kibana:8.5.3
    restart: always
    ports:
        - 5601:5601
    environment:
        - ELASTICSEARCH_USERNAME="kibana_system"
        - ELASTICSEARCH_PASSWORD="sVUurmsWYEwnliUxp3pX"

Restart kibana's container:

docker-compose up -d --build --force-recreate --no-deps kibana

NOTE: make sure to use --no-deps flag otherwise it will restart elastic container if tagged to kibana's

how to setup kibana user credentials with docker elk stack

2 Answers2

Update