TL;DR

How do I grant access to all indices matching a pattern, but deny access to one specific index that also matches the pattern (e.g., how do I ALLOW access to all logs, including logs-myapp.log-*, but specifically DENY access to logs-myapp.log-prod)?

Details

I manage our company's Elastic Cloud instance. I have a new requirement for a specific set of logs that only users with a specific role be allowed to access them.

Assuming that the log index in question is logs-myapp.log-prod, I presume that the following role will match it:

{
  "myapp_prod_user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "logs-myapp.log-prod"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

However, the question I have is how do I deny access to all users, except for those who have the myapp_prod_user role assigned?

Below is my current standard_user role, which is based on the editor role included by default in our Elastic Cloud installation. What is the best way to exclude indices matching this pattern?

{
  "standard_user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "observability-annotations"
        ],
        "privileges": [
          "view_index_metadata",
          "write",
          "read"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": false
      },
      {
        "names": [
          "/~(([.]|ilm-history-).*)/"
        ],
        "privileges": [
          "view_index_metadata",
          "read"
        ],
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_infrastructure.all",
          "feature_maps.all",
          "feature_savedObjectsManagement.read",
          "feature_observabilityCases.all",
          "feature_advancedSettings.read",
          "feature_visualize.all",
          "feature_apm.all",
          "feature_stackAlerts.all",
          "feature_indexPatterns.all",
          "feature_dev_tools.read",
          "feature_canvas.all",
          "feature_uptime.all",
          "feature_logs.all",
          "feature_savedObjectsTagging.read",
          "feature_discover.all",
          "feature_osquery.read",
          "feature_fleet.read",
          "feature_actions.all",
          "feature_dashboard.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

If I update my names block to list the index separately, does Kibana match the first matching pattern in the list and stop, doing a DENY? Or does go down every element in the list to see if it matches ANY element and use that as an ALLOW?

{
  "names": [
    "/~logs-myapp.log-prod/",
    "/~(([.]|ilm-history-).*)/"
  ],
  "privileges": [
    "view_index_metadata",
    "read"
  ],
  "allow_restricted_indices": false
}

This might be the wrong forum for this (should probably be moved to Elasticsearch), but I believe the following should get you what you desire:

        "names": [
          "/~(([.]|ilm-history-|logs-myapp.log-prod).*)/"
        ],

Ack. I've asked so many questions in Kibana lately that I didn't even think about where I should be putting it. Thanks for the pointer! Any way to move it over to the correct category?

        "names": [
          "/~(([.]|ilm-history-|logs-myapp.log-prod).*)/"
        ],

In other words, it's all got to be part of one match pattern for a DENY, multiple patterns don't get merged? But if I'm doing an ALLOW, then any one of multiple index patterns will allow it?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.