TL;DR
How do I grant access to all indices matching a pattern, but deny access to one specific index that also matches the pattern (e.g., how do I ALLOW access to all logs, including `logs-myapp.log-*`, but specifically DENY access to `logs-myapp.log-prod`)?
Details
I manage our company's Elastic Cloud instance. I have a new requirement that a specific set of logs be accessible only to users who have a specific role.
Assuming that the log index in question is `logs-myapp.log-prod`, I presume that the following role will match it:
```json
{
  "myapp_prod_user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "logs-myapp.log-prod"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```
However, the question I have is: how do I deny access to all users, except for those who have the `myapp_prod_user` role assigned?
Below is my current `standard_user` role, which is based on the `editor` role included by default in our Elastic Cloud installation. What is the best way to exclude indices matching this pattern?
```json
{
  "standard_user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "observability-annotations"
        ],
        "privileges": [
          "view_index_metadata",
          "write",
          "read"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": false
      },
      {
        "names": [
          "/~(([.]|ilm-history-).*)/"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_infrastructure.all",
          "feature_maps.all",
          "feature_savedObjectsManagement.read",
          "feature_observabilityCases.all",
          "feature_advancedSettings.read",
          "feature_visualize.all",
          "feature_apm.all",
          "feature_stackAlerts.all",
          "feature_indexPatterns.all",
          "feature_dev_tools.read",
          "feature_canvas.all",
          "feature_uptime.all",
          "feature_logs.all",
          "feature_savedObjectsTagging.read",
          "feature_discover.all",
          "feature_osquery.read",
          "feature_fleet.read",
          "feature_actions.all",
          "feature_dashboard.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```
If I update my `names` block to list the index separately, does Kibana match the first matching pattern in the list and stop, doing a DENY? Or does it go down every element in the list to see if it matches ANY element and use that as an ALLOW?
```json
{
  "names": [
    "/~logs-myapp.log-prod/",
    "/~(([.]|ilm-history-).*)/"
  ],
  "privileges": [
    "view_index_metadata",
    "read"
  ],
  "allow_restricted_indices": false
}
```
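Added example (not from the post, and not Elastic's own code): a small Python model of how a role's `names` list is evaluated, under the assumption that Elasticsearch index privileges are additive, i.e. an index is accessible if any pattern in any entry matches it and no pattern can deny. It handles only the pattern shapes on this page (plain wildcards and top-level Lucene `~` complements), and the index names it checks are constructed.

```python
"""Model how a role's index "names" patterns are evaluated.

Assumption (additive semantics): an index is accessible if ANY pattern in
ANY entry matches it. There is no "deny" pattern, so a complement regex
only restricts access when it is the sole pattern able to match the index.
Only the pattern shapes from the question are handled: plain wildcards
and Lucene regexes of the form /~.../ (top-level complement).
"""
import re
from fnmatch import fnmatchcase


def pattern_matches(pattern: str, index: str) -> bool:
    """True if a single role-entry name pattern covers `index`."""
    if pattern.startswith("/") and pattern.endswith("/"):
        body = pattern[1:-1]
        if body.startswith("~"):
            # Lucene '~' is the complement: everything EXCEPT the inner
            # expression. Lucene regexes are anchored, hence fullmatch.
            return re.fullmatch(body[1:], index) is None
        return re.fullmatch(body, index) is not None
    return fnmatchcase(index, pattern)  # plain wildcard name, e.g. logs-*


def accessible(names: list[str], index: str) -> bool:
    """Union semantics: any matching pattern grants access."""
    return any(pattern_matches(p, index) for p in names)


# Constructed sample index names (not from a real cluster).
INDICES = ["logs-myapp.log-prod", "logs-myapp.log-dev", ".kibana", "ilm-history-7"]

# The two-pattern list from the question: each pattern is judged on its own,
# so the second one still matches the prod index and grants access to it.
SEPARATE = ["/~logs-myapp.log-prod/", "/~(([.]|ilm-history-).*)/"]

# A single complement that excludes the prod index AND the system prefixes.
COMBINED = ["/~(([.]|ilm-history-).*|logs-myapp\\.log-prod)/"]


def report(names: list[str]) -> dict[str, bool]:
    """Map each sample index to whether the names list grants access."""
    return {idx: accessible(names, idx) for idx in INDICES}


if __name__ == "__main__":
    print("separate:", report(SEPARATE))
    print("combined:", report(COMBINED))
```

Under these semantics the two-pattern list grants access to every sample index, including `.kibana`, because each complement covers what the other excludes; the single combined complement is the only form that keeps the prod index out.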