A custom role that was originally created with a broad set of privileges does not appear to be updated after I change it to a read-only role; please help me find what is wrong in the configuration below.
Steps to reproduce:
- First, create a custom role which contains all privileges. Note that the role API lives under `/_security/role/` (leading underscore); a path of `security/role/CUSTOM_ROLE` without it is interpreted by Elasticsearch as an ordinary index/type/id document write and touches no role at all. The request also has to carry `-u` credentials for a user holding `manage_security` (not shown here).
curl -XPUT http://server:9200/_security/role/CUSTOM_ROLE -H 'Content-Type: application/json' -d'
{
"cluster" : [
"monitor",
"manage_index_templates",
"cluster:admin/xpack/monitoring/bulk",
"manage_saml",
"manage_token",
"manage_oidc",
"cluster:admin/xpack/security/api_key/invalidate",
"grant_api_key",
"cluster:admin/xpack/security/privilege/builtin/get",
"delegate_pki",
"cluster:admin/ilm/get",
"cluster:admin/ilm/put",
"manage_ml",
"cluster:admin/analyze"
],
"indices" : [
{
"names" : [
".kibana*",
".reporting-*"
],
"privileges" : [
"all"
],
"allow_restricted_indices" : false
},
{
"names" : [
".monitoring-*"
],
"privileges" : [
"read",
"read_cross_cluster"
],
"allow_restricted_indices" : false
},
{
"names" : [
".management-beats"
],
"privileges" : [
"create_index",
"read",
"write"
],
"allow_restricted_indices" : false
},
{
"names" : [
".ml-anomalies*",
".ml-notifications*",
".ml-stats-*"
],
"privileges" : [
"read"
],
"allow_restricted_indices" : false
},
{
"names" : [
".ml-annotations"
],
"privileges" : [
"read",
"write"
],
"allow_restricted_indices" : false
},
{
"names" : [
".apm-agent-configuration"
],
"privileges" : [
"all"
],
"allow_restricted_indices" : false
},
{
"names" : [
".apm-custom-link"
],
"privileges" : [
"all"
],
"allow_restricted_indices" : false
},
{
"names" : [
"apm-*"
],
"privileges" : [
"read",
"read_cross_cluster"
],
"allow_restricted_indices" : false
},
{
"names" : [
"*"
],
"privileges" : [
"view_index_metadata",
"monitor"
],
"allow_restricted_indices" : false
},
{
"names" : [
".logs-endpoint.diagnostic.collection-*"
],
"privileges" : [
"read"
],
"allow_restricted_indices" : false
}
],
"applications" : [
{
"application" : "kibana-.kibana",
"privileges" : [
"feature_discover.all",
"feature_dashboard.all",
"feature_canvas.all",
"feature_maps.all",
"feature_ml.all",
"feature_graph.all",
"feature_visualize.all"
],
"resources" : [
"space:default"
]
}
],
"run_as" : ["_anonymous"],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
'
- Assign this role to the anonymous user in elasticsearch.yml. Be aware that whatever is mapped here is granted to every unauthenticated request that reaches port 9200: the role body above carries `manage_saml`, `manage_token`, `manage_oidc`, `grant_api_key`, `delegate_pki` and full write access to `.kibana*`, so only do this on a throwaway test cluster, never on one that holds real data.
- xpack.security.authc.anonymous.roles: CUSTOM_ROLE
- Restart Elasticsearch
- Log into Kibana to verify all features are displayed.
- Now update the same role to a read-only definition (same `_security/role/` endpoint and same role name, so the existing definition is overwritten):
curl -X PUT http://server:9200/_security/role/CUSTOM_ROLE -H 'Content-Type: application/json' -d'
{
"cluster" : [ ],
"indices" : [
{
"names" : [ "*" ],
"privileges" : [
"view_index_metadata",
"read"
],
"field_security" : {
"grant" : [
"*"
],
"except" : [ ]
},
"allow_restricted_indices" : false
}
],
"applications" : [
{
"application" : "kibana-.kibana",
"privileges" : [
"feature_discover.all",
"feature_dashboard.all",
"feature_canvas.all",
"feature_maps.all",
"feature_ml.all",
"feature_graph.all",
"feature_visualize.all"
],
"resources" : [
"space:default"
]
}
],
"run_as" : ["_anonymous"],
"metadata" : { },
"transient_metadata" : {
"enabled" : true
}
}
'
- Restart Elasticsearch (a role written through the role API should take effect without a restart, as the role cache is refreshed on write; the restart is only included here to rule that out). Before going back to Kibana, confirm what is actually stored with `GET /_security/role/CUSTOM_ROLE` — if the response still shows the original cluster and index privileges, the PUT above never reached the role store.
- Log back into Kibana and verify that ONLY read-only Kibana features are displayed (no Stack Management feature). Kibana computes capabilities for a session, so log out and start a fresh session after the role change before judging the result.
*** Actual results: ALL features of Kibana are displayed; the read-only role appears not to have been applied. Note, however, that the "read only" body above still lists the same Kibana application privileges as the original role (`feature_discover.all`, `feature_dashboard.all`, `feature_canvas.all`, `feature_maps.all`, `feature_ml.all`, `feature_graph.all`, `feature_visualize.all`) — only the Elasticsearch cluster and index privileges were reduced. Kibana feature visibility is driven by those application privileges, so as written the Kibana side was never made read-only; the `.read` variants of each feature privilege are what a read-only role should grant.