Simplify anonymous access & embedding docs.

[azasypkin]

Summary

Since #86965 is merged and we now have a more user-friendly approach to anonymously share dashboards, visualizations and saved searches, we shouldn't expose internal implementation details anymore.

Preview: https://kibana_90409.docs-preview.app.elstc.co/guide/en/kibana/master/kibana-authentication.html#anonymous-authentication

[elasticmachine]

Pinging @elastic/kibana-docs (Team:Docs)

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

What do you think about including a screenshot of this switch within the embedding menu? That would help users discover the feature if they haven't used/seen the embedding menu before.

[azasypkin]

Yep, was hesitating about that (quickly may become outdated and such), but since you mentioned.... I'll add it.

[legrego]

Yeah I share your concerns about outdated screenshots. I struggle with the decision every time I write docs, too

[gchaps]

I agree that a screenshot is needed here.

[gchaps]

I agree that a screenshot is needed here.

[gchaps]

Can we mention the saved objects it applies to and which apps the menu item is available from?

Suggested change

	If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding dashboards or visualizations, then toggle `Public URL` switch presented in the embedding menu.
	If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding dashboards, visualizations, and saved searches, then toggle *Public URL* in the *Share > Embed code* menu in *Dashboard*, *Visualize*, or *Discover*.

[azasypkin]

If you have multiple authentication providers enabled, and you want to automatically log in anonymous users when embedding dashboards, visualizations, and saved searches, then toggle Public URL in the Share > Embed code menu in Dashboard, Visualize, or Discover.

Thanks, but will omit saved searches and Discover since we don't support embedding for them.

[gchaps]

++

[gchaps]

Suggested change

	You can also use `Public URL` switch when you're generating permanent links to dashboards, visualizations or saved searches.
	You can also use the *Public URL* toggle when you're generating permanent links to dashboards, visualizations, and saved searches.

[gchaps]

Suggested change

	NOTE: `Public URL` switch is only available if anonymous access is properly configured and anonymous service account has enough privileges to access what you want to embed or share.
	NOTE: The *Public URL* toggle is only available if anonymous access is properly configured and your anonymous service account has privileges to access what you want to embed or share.

[gchaps]

Is it worth explaining what some of these considerations are?

[jportner]

I'll chime in here -- I think we should reword this. Nothing is zero-risk, and this statement could be misinterpreted. How about this?

Suggested change

	Embedding through iframes, if used properly, does not directly pose a security risk, but still requires a careful consideration.
	Embedding content through iframes requires careful consideration to minimize security risks. By default, modern web browsers enforce the
	https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy[same-origin policy] to restrict the behavior of framed pages. When
	{stack-security-features} are enabled on your cluster, you must relax this constraint for cookies as described below for {kib} to function
	in an iframe. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe[iframe] and
	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite[SameSite cookies] documentation for more information.

Note that we have a few links to MDN docs here, which there is precedent for in some other docs.

[azasypkin]

Note that we have a few links to MDN docs here, which there is precedent for in some other docs.

MDN is the well-known and trusted source of such information, I assume it should be fine. @gchaps do you have any concerns?

[gchaps]

It would be good to provide some information about why you would want to embed a Kibana dashboard or visualization. Can you also embed saved searches?

[azasypkin]

It would be good to provide some information about why you would want to embed a Kibana dashboard or visualization.

Sure, let me think how to phrase that properly.

Can you also embed saved searches?

Technically you can embed anything. You just create an iframe and put any Kibana URL there assuming it works for your use case and you don't mind the risk of breaking it in any release.

I'd say we want to encourage our users to embed only what we officially support and provide advanced sharing controls for. But we also know that some users will still embed Kibana in very surprising ways. These are the users we're targeting in the section with auth_provider_hint.

[jportner]

I like the content, but I had to read three different pages a few times before I really understood how to do this using the ES anonymous user ("Embedding Kibana", "Authentication in Kibana", "Enabling anonymous access"). The fact that there are several ways to configure anonymous authentication in Kibana (one of which requires ES to have anonymous access enabled too) is a bit overwhelming IMO. High level feedback:

"Authentication in Kibana"

I like this page as-is, it does a great job explaining the different options. This is a good example of "Reference" documentation IMO:

I can't comment on this inline because this part of the page hasn't been changed in this PR, but the only complaint I have is the part in the Anonymous Authentication section where it says "There are three ways to specify these credentials:". It really specifies four ways to configure anonymous authentication. Is there a better way we can organize that? Perhaps split it up with sub-headings with something like this?

1. Anonymous authentication with a user account
   a. With username and password
   b. With an API key (base64-encoded id:api_key string)
   c. With an API key (id and api_key values)
2. Anonymous authentication using Elasticsearch anonymous access

"Embedding Kibana"

I like this page, but as I alluded above, I was not able to easily figure out what to do by reading it. In the quad chart above, this reads like "Reference" documentation. I think we really need this page to be more of a "How-to Guide". If a user is coming to this page, they likely want to figure out exactly what to do to embed Kibana in a webpage. I'd prefer if we could outline all the steps to do so:

1. Create a user account
2. Create a role for this user account (assign it minimal privileges)
3. Reconfigure Kibana to add an anonymous auth provider that utilizes this account
4. Open a dashboard and get the embeddable iframe code

WDYT?

[gchaps]

+1 for a how-to guide.

[azasypkin]

These are all great ideas @jportner, thanks! I feel that the scope of this PR is significantly drifting away from the initial goal though. The goal was to recommend using Public URL switch instead of manually adding auth_provider_hint query string parameter when anonymous access is enabled and do some groundwork for the embedding docs so that authentication section can reference to it. But it sounds like my "better-some-docs-than-no-docs" plan didn't work out and sparse embedding section just adds more confusion.

I think I'll just stick to the initial plan and completely remove embedding section from this PR to unblock it and try to come up with a how-to guide for embedding in the near future. Does that sound good?

I'd prefer if we could outline all the steps to do so:

1. Create a user account
2. Create a role for this user account (assign it minimal privileges)
3. Reconfigure Kibana to add an anonymous auth provider that utilizes this account
4. Open a dashboard and get the embeddable iframe code

I believe we want to endorse using SSO for embedding as the easiest (no need to configure anonymous service account separately), the most flexible (different users may see different things) and the safest approach (less risk to give too much privileges to the anonymous service account in attempt to cater the needs of all user groups in a single account). I still see embedding with the anonymous access as the fallback when SSO isn't an option, a necessary evil if you will.

That's why I'd like the How-To guide to start from the praise to SSO approach and only then mention anonymous access with all the steps you suggested. I don't have the full picture of how that guide should look like in my head yet, so I'll make a step back and think a little bit more.

[jportner]

I feel that the scope of this PR is significantly drifting away from the initial goal though.

Yeah, sorry about that!

I think I'll just stick to the initial plan and completely remove embedding section from this PR to unblock it and try to come up with a how-to guide for embedding in the near future. Does that sound good?

Honestly I think the embedding page has valuable content and we should keep it until we can reorganize/rewrite it in a How-To Guide style.

That's why I'd like the How-To guide to start from the praise to SSO approach and only then mention anonymous access with all the steps you suggested. I don't have the full picture of how that guide should look like in my head yet, so I'll make a step back and think a little bit more.

You make a good argument! I'd be happy to help write this up, let me know 😄

[azasypkin]

Honestly I think the embedding page has valuable content and we should keep it until we can reorganize/rewrite it in a How-To Guide style.

Good, I'll keep it here then.

You make a good argument! I'd be happy to help write this up, let me know smile

Thanks! I'll create a draft PR once we are done with this one.

[gchaps]

I like the new content! Here is a suggestion that moves things around a bit and removed some of the things that felt a little negative. In the second para, I suggest leading with the Kibana embedding functionality and putting the instructions in the order that that users sees them. Also, the part about adding context felt more natural here.

Once you create a dashboard or a visualization, you might want to share it with your colleagues or friends. The easiest way to do this is to share a direct link to your dashboard or visualization. However, some users might not have access to your {kib}.

With the {kib} embedding functionality, you can display the content you created in {kib} to an internal company website or a personal web page. From Dashboard or Visualize, open the Share > Embed code menu, and then click Copy iFrame code to generate an HTML code snippet. You can embed in this snippet in your web page, and then add analysis, images, and links to give more context to the object you're sharing.

[azasypkin]

Sounds much better, thanks!

[gchaps]

Embedding {kib} content in a web page?

[wylieconlon]

This page looks very useful! Why is it organized as part of setup instead of being part of dashboards?

[azasypkin]

Embedding {kib} content in a web page?

Yeah, sounds good, thanks.

This page looks very useful! Why is it organized as part of setup instead of being part of dashboards?

Basically setup was the only existing top-level section that can potentially cover all parts of Kibana. The idea was to eventually describe everything that can be embedded in one way or another: dashboards, visualizations, canvas, or any random part of Kibana that can technically be embedded (we know people do this).

[gchaps]

We are planning on creating a Share section in the documentation. Would this doc be a good candidate for that?

[azasypkin]

Yes, I think so.

[KOTungseth]

Does this PR cover #18226?

[jportner]

Does this PR cover #18226?

@KOTungseth No, but as mentioned in #90409 (comment) we are planning on making a How-To guide that would focus on the SSO (external auth provider) use case. We'll open a new PR and link it to that issue, thanks!

[gchaps]

LGTM

[gchaps]

Suggested change

	== Embedding {kib} content in a web page
	== Embed {kib} content in a web page

[jportner]

🎉

[azasypkin]

Thanks a lot for review @gchaps @jportner @legrego !

[kibanamachine]

💚 Backport successful

✅ 7.11 / #92352
✅ 7.12 / #92353

Successful backport PRs will be merged automatically after passing CI.

[jportner]

It looks like we backported these docs to 7.11, even though the Public URL switch (from the linked PR) is only available in 7.12+ 🙈

I'll push a PR to update the 7.11 docs accordingly.

[azasypkin]

Ugh, thanks @jportner for catching this!