About managing users/groups in Kibana and the mapping to roles-mapping.yml


Recently I installed X-Pack over Elasticsearch and Kibana and I tried to configure security.

Looking in Kibana as the "elastic" user, I could see, inside the "Management" section, the possibility to create users and groups and assign users to these new groups.

My surprise was that this configuration was stored entirely in the .secure index of Elasticsearch and is not persisted to role-mappings.xml.

I don't know exactly how security works in this case. In older versions there were only roles.yml and roles-mapping.yml to configure, but now I can configure these files and also roles and users inside X-Pack.

I suppose that using the X-Pack frontend in Kibana to configure roles and users is meant to make configuration easier, but I don't know.

All this is because in the future I need to join Elasticsearch with an Active Directory, and in this post https://www.elastic.co/guide/en/shield/shield-1.1/active_directory.html I couldn't see anything about users and roles managed through the Kibana X-Pack frontend.

Does somebody know which is the correct way?


Hi @olorasde,

You are correct that the users and roles that can be configured via Kibana and the API are stored in an index. We do not modify the files stored locally via the API or the UI; only the users tool will modify those files.

The role_mapping.yml file is not modified by any tool, API, or UI right now. It needs to be edited in a text editor. In the future we plan to add an API to configure this.

For Active Directory, you will need to define the realm in the elasticsearch.yml file and then configure the role mappings. The roles themselves can be configured using the UI.

Also, for the most up-to-date documentation see https://www.elastic.co/guide/en/x-pack/current/active-directory-realm.html
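
The setup described in the answer above, sketched as an added example (not part of the original posts and not Elastic's own configuration): an Active Directory realm in elasticsearch.yml plus a role_mapping.yml entry that ties AD groups to a role created in the Kibana UI. It assumes X-Pack 5.x setting names; the realm names, host names, DNs and the role name `logs_reader` are placeholders.

```yaml
# Constructed example. Two files are shown in one block, separated by "---".
# Assumes X-Pack 5.x setting names; all names and DNs below are placeholders.

# File 1: elasticsearch.yml (realm definition)
xpack:
  security:
    authc:
      realms:
        native1:
          type: native              # users created in Kibana or via the API (stored in the index)
          order: 0
        ad1:
          type: active_directory
          order: 1                  # consulted after the native realm
          domain_name: ad.example.com
          url: ldaps://dc1.ad.example.com:636   # LDAPS, so bind credentials are not sent in clear text
---
# File 2: CONFIG_DIR/x-pack/role_mapping.yml (edited by hand, as the answer notes)
# Key   = role name. "logs_reader" is a hypothetical role created in the Kibana UI;
#         the role definition itself lives in the index, not in this file.
# Value = list of AD group or user distinguished names that receive that role.
logs_reader:
  - "cn=log-analysts,ou=groups,dc=ad,dc=example,dc=com"
  - "cn=Jane Doe,cn=users,dc=ad,dc=example,dc=com"
```

Because the mapping lives in a local file rather than in the index, it has to be present and identical on every node; an AD user whose groups match no entry authenticates but receives no role.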

Ok, understood, thx for your answer!
