[6.1.1] User Management: Field/Document Level Security + Multi-Tenancy

Hello!

I'm having some issues configuring users and roles using Kibana 6.1.1 + X-Pack. Here's my config:

User:

{
  "limited-user": {
    "username": "limited-user",
    "roles": [
      "limited-user",
      "kibana_user"
    ],
    "full_name": "limited-user",
    "email": "limited-user@test.com",
    "metadata": {},
    "enabled": true
  }
}

Role:

{
  "limited-user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "my-index*"
        ],
        "privileges": [
          "read"
        ],
        "field_security": {
          "grant": [
            "valortabela",
            "vltotnota",
            "dt_fatur_",
            "escrv"
          ]
        },
        "query": """{"term": {"escrv": "37"}}"""
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

This config is great to limit visualization values itself, but it doesn't hide fields from dropdown lists. For instance, in this case, the user can see all fields available in the index.

Also, this user can edit other users’ visualizations (e.g., modify a field axis from someone’s graph); this is allowed by the “kibana_user” role in his profile. Is there some role config I can use to limit this action? This user should be able to create/edit his own visualizations only, and be able to access other users’ visualizations as well, but not modify them.

It would also be nice if we could configure a user/role whose dashboard shows only the “Visualize” and “Dashboard” options in the left menu. It seems that the “kibana_dashboard_only” role doesn’t show the “Visualize” menu.

Is there any config in X-Pack permissions I could use to solve the issues above?

Thanks!
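
Added example (not part of the original post and not Elastic's code): a simplified offline model of what the `indices` entry of the role above exposes on a read, to separate value-level enforcement from the field names shown in Kibana's dropdowns. It assumes flat documents, handles only a single-field `term` query and `*` wildcards, and uses constructed sample documents with a hypothetical non-granted field `cliente`.

```python
import json
from fnmatch import fnmatchcase

# "indices" entry of the limited-user role, as posted above.
ENTRY = {
    "names": ["my-index*"],
    "privileges": ["read"],
    "field_security": {"grant": ["valortabela", "vltotnota", "dt_fatur_", "escrv"]},
    "query": '{"term": {"escrv": "37"}}',
}

# Constructed sample documents; "cliente" is a hypothetical non-granted field.
DOCS = [
    {"escrv": "37", "valortabela": 100.0, "vltotnota": 120.5,
     "dt_fatur_": "2018-01-10", "cliente": "ACME"},
    {"escrv": "12", "valortabela": 50.0, "vltotnota": 55.0,
     "dt_fatur_": "2018-01-11", "cliente": "Initech"},
]


def doc_allowed(entry, doc):
    """Document-level security: evaluated against the full document."""
    if "query" not in entry:
        return True
    parsed = json.loads(entry["query"])
    if set(parsed) != {"term"} or len(parsed["term"]) != 1:
        raise ValueError("this model only handles a single-field term query")
    (field, value), = parsed["term"].items()
    return field in doc and str(doc[field]) == str(value)


def granted_fields(entry, doc):
    """Field-level security: keep only fields matching a grant pattern."""
    grants = entry.get("field_security", {}).get("grant", ["*"])
    return {k: v for k, v in doc.items()
            if any(fnmatchcase(k, g) for g in grants)}


def search_as_role(entry, index, docs):
    """Return what a read request on `index` would expose under this entry."""
    if "read" not in entry["privileges"]:
        raise PermissionError("role has no read privilege")
    if not any(fnmatchcase(index, p) for p in entry["names"]):
        raise PermissionError(f"role does not cover index {index!r}")
    return [granted_fields(entry, d) for d in docs if doc_allowed(entry, d)]


if __name__ == "__main__":
    for hit in search_as_role(ENTRY, "my-index-2018", DOCS):
        print(hit)
```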

Hi Gustavo, thanks for these questions! I'll try to answer them in order.

> This config is great to limit visualization values itself, but it doesn't hide fields from dropdown lists. For instance, in this case, the user can see all fields available in the index

This is a quirk of how we've implemented index patterns in Kibana. We're actively working on addressing this in a future release. You can follow "Remove index pattern mapping cache" (elastic/kibana issue #6498 on GitHub) as a proxy for our progress on this.

> Also, this user can edit other users’ visualizations (e.g., modify a field axis from someone’s graph); this is allowed by the “kibana_user” role in his profile. Is there some role config I can use to limit this action?

Unfortunately, document-level security can only be used to restrict read/write access, and not one or the other, for the time being. Another feature on our radar.

> It seems that the “kibana_dashboard_only” role doesn’t show the “Visualize” menu.

Yes, this is correct. We're also aware that a feature allowing you to specify which apps a user has access to would be a good one!

I wish I could give you more satisfying answers, but I hope this at least clarifies things.

Thanks,
CJ

Hi CJ, thanks for your help! It's good to know that these features are on Elastic's radar.

About the Kibana menus list, is there some way I can change them through front-end code? I know the complete feature would be something associated with user-permission level, but for now I'm just thinking about hiding some menus completely.

Thanks!
