All the apps of Kibana are visible in kibana_dashboard_only_user mode

I have created a user and assigned it the "kibana_dashboard_only_user" role. But when I log in as this user, I am still able to view all the other apps that Kibana provides, like Discover, Visualize, etc. I would like to just see the dashboard app without any edit rights, which is precisely what the "kibana_dashboard_only_user" role should do according to the documentation and this blog.

Need this urgently. Please help and ask for more details if required.

What is your Kibana version?
Can you show the role of the user in security management?

Kibana Version: 6.0.1

Here in the snapshot, you can see the role of the user "visitor". Also, I am logged in as this user only and all apps of Kibana are visible.

Can somebody please help? Need this on an urgent basis.

Hi Rishabh,

I can't reproduce what you are seeing with 6.0.1. Can you please run the following from the Dev Tools tab:

GET /_xpack/security/role

GET /_xpack/security/user/visitor

and share the output here?

On running GET /_xpack/security/user/visitor, the output is:

{
"visitor": {
"username": "visitor",
"roles": [
"kibana_dashboard_only_user"
],
"full_name": "GIaaS Visitor",
"email": "abc@xyz.com",
"metadata": {},
"enabled": true
}
}

On running GET /_xpack/security/role, the output is:

{
"kibana_dashboard_only_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana*"
],
"privileges": [
"read",
"view_index_metadata"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_admin": {
"cluster": [
"manage_watcher"
],
"indices": [
{
"names": [
".watches",
".triggered_watches",
".watcher-history-*"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_user": {
"cluster": [],
"indices": [
{
"names": [
".kibana*"
],
"privileges": [
"manage",
"read",
"index",
"delete"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_user": {
"cluster": [
"monitor_ml"
],
"indices": [
{
"names": [
".ml-anomalies*",
".ml-notifications"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"remote_monitoring_agent": {
"cluster": [
"manage_index_templates",
"manage_ingest_pipelines",
"monitor",
"cluster:monitor/xpack/watcher/watch/get",
"cluster:admin/xpack/watcher/watch/put",
"cluster:admin/xpack/watcher/watch/delete"
],
"indices": [
{
"names": [
".monitoring-*"
],
"privileges": [
"all"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"machine_learning_admin": {
"cluster": [
"manage_ml"
],
"indices": [
{
"names": [
".ml-*"
],
"privileges": [
"view_index_metadata",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"watcher_user": {
"cluster": [
"monitor_watcher"
],
"indices": [
{
"names": [
".watches"
],
"privileges": [
"read"
]
},
{
"names": [
".watcher-history-*"
],
"privileges": [
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"monitoring_user": {
"cluster": [],
"indices": [
{
"names": [
".monitoring-*"
],
"privileges": [
"read",
"read_cross_cluster"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"reporting_user": {
"cluster": [],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"kibana_system": {
"cluster": [
"monitor",
"cluster:admin/xpack/monitoring/bulk"
],
"indices": [
{
"names": [
".kibana*",
".reporting-*"
],
"privileges": [
"all"
]
},
{
"names": [
".monitoring-*"
],
"privileges": [
"read",
"read_cross_cluster"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"logstash_admin": {
"cluster": [],
"indices": [
{
"names": [
".logstash*"
],
"privileges": [
"create",
"delete",
"index",
"manage",
"read"
]
}
],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"transport_client": {
"cluster": [
"transport_client"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"superuser": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"*"
],
"privileges": [
"all"
]
}
],
"run_as": [
"*"
],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"ingest_admin": {
"cluster": [
"manage_index_templates",
"manage_pipeline"
],
"indices": [],
"run_as": [],
"metadata": {
"_reserved": true
},
"transient_metadata": {
"enabled": true
}
},
"giaas_dashboard_only_mode": {
"cluster": [],
"indices": [
{
"names": [
"logstash*"
],
"privileges": [
"view_index_metadata",
"read"
],
"field_security": {
"grant": [
"*"
]
}
}
],
"run_as": [],
"metadata": {},
"transient_metadata": {
"enabled": true
}
}
}

Please use the </> markdown in order to add long text so that it can be readable 🙂

The only thing I can think of is that you have created the visitor user also in the file realm and you have assigned them the necessary rights via file-based role management.

Can you share your elasticsearch.yml file and the output of the

$ES_HOME/bin/x-pack/users list

You'll also want to check the xpackDashboardMode:roles Kibana Advanced Setting to make sure that it lists the kibana_dashboard_only_user.

Yes, it lists the kibana_dashboard_only_user.

Yes, you were right, I had created a 'visitor' user in the file realm as well. I found an entry with the name 'visitor' in the /etc/elasticsearch/x-pack/users file. After deleting that entry and restarting Kibana and Elasticsearch, it is working the way it should have been.
Thanks for all the help, guys. 🙂

Good to hear that all is resolved

Keep in mind you can use the users CLI tool of X-Pack that offers the same functionality. You could have done:
bin/x-pack/users userdel visitor

Thanks for the information. Would use that in the future.
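A check for the collision that caused the problem in this thread, as an added example (not code from the posters or from Elastic): it compares the user JSON returned by GET /_xpack/security/user with the file realm's users and users_roles files and lists every name defined in both, with the roles each realm assigns. The file contents, the extra "ops" user and the file-realm roles are constructed sample data; the line formats assumed are username:hash for users and role:user1,user2 for users_roles.

```python
import json

def parse_users(text):
    """Usernames from a file-realm `users` file (lines of username:password_hash)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            names.add(line.split(":", 1)[0])
    return names

def parse_users_roles(text):
    """Map username -> set of roles from `users_roles` (lines of role:user1,user2)."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        role, members = line.split(":", 1)
        for user in filter(None, (m.strip() for m in members.split(","))):
            roles.setdefault(user, set()).add(role.strip())
    return roles

def find_shadowed(native_users, users_text, users_roles_text):
    """Return {name: {"native": [...], "file": [...]}} for names present in both realms."""
    file_names = parse_users(users_text)
    file_roles = parse_users_roles(users_roles_text)
    report = {}
    for name, info in native_users.items():
        if name in file_names:
            report[name] = {"native": sorted(info.get("roles", [])),
                            "file": sorted(file_roles.get(name, set()))}
    return report

# Constructed sample input: the native user mirrors the thread's output; the
# file-realm lines (hash placeholder, "ops" user, roles) are made up for the demo.
NATIVE = json.loads('{"visitor": {"username": "visitor", '
                    '"roles": ["kibana_dashboard_only_user"], "enabled": true}}')
USERS_FILE = "visitor:$2a$10$CONSTRUCTED.PLACEHOLDER\nops:$2a$10$CONSTRUCTED.PLACEHOLDER\n"
USERS_ROLES_FILE = "kibana_user:visitor,ops\nmonitoring_user:ops\n"

if __name__ == "__main__":
    for name, r in find_shadowed(NATIVE, USERS_FILE, USERS_ROLES_FILE).items():
        print(f"{name}: native roles {r['native']}, file-realm roles {r['file']}")
```

Any name it reports is worth reviewing, because the roles shown in Kibana's security management are only the native realm's view of that user.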
