Any way to show different kibana view to different users?


(Vikas Gopal) #1

Hi Experts,

Is there any way to show two different view of kibana to two separate users. So something like if I prepare 2 dashboards one is for management view/dashboard and other is for operations team. Now I want to restrict both the users to their own dashboard in kiban.

I was checking X-pack , though it says we can provide role based authentication but it is not fulfilling our requirement . Even with X-pack all the users lands to the same Kibana Instance and all can see all the dashboard names , it is just when they try to open data will not appear if they are not authorized.This is something we do not want . Point is why to show names of operations team dashboards to management.

I am hoping someone must have achieved the same in production , any suggestion on this will be highly appreciated.

Regards
VG


Limiting access to visualizations
(Tim Sullivan) #2

Hi,

The current solution to achieve this would be to set up multiple instances of Kibana, each configured to use a different .kibana index. One instance would have the dashboards set up for the Management users, and another instance would be set up for the Operations users.

With X-Pack security, you can create different roles, each with an index privilege to be able to access the particular .kibana index that has the saved objects it needs to use. Then you can grant those roles to the user instead of the built-in kibana_user role.


(Vikas Gopal) #3

@tsullivan,

Thank you for the prompt response . I have another concern on second solution . Please correct me if I am wrong . Let's say I have created 2 roles and they have access to two different kibana indexes (kibana_management, kibana_user) , what I believe is even with this approach both the users can see total dashboard list , however they will not be able to see the data in the dashboard .


(Tim Sullivan) #4

With role-based security, you specify in the role configuration which indices a role can access. So if you have RoleA which can access .kibana-a; and RoleB that can access .kibana-b; RoleA can not access .kibana-b and RoleB can not access .kibana-a. Create an instance of Kibana configured to use .kibana-a as its index and create a role that has access to manage, read, index and delete privilege to .kibana-a (as well as cluster monitor privilege) - those are all the privileges that the built-in kibana_user role has. Then create some users with RoleA role, and give those users the URL to the KibanaA instance. Those users will not be able to see any of the data contained in the .kibana-b index. So the idea is just to make 2 duplicates of the built-in kibana_user role but customize the index they can access.

The .kibana indices manage the index patterns, saved searches, visualizations, dashboards and advanced settings for Kibana. The data in the dashboards comes from other indices such as Logstash or Beats, and the logged-in users will need privilege to access that as well. The data will be protected by default and you can grant access to the data using different kinds of roles. Users can have as many roles added as you like.

Of course, you could do all this without security - just create 2 different instances of Kibana that use different .kibana indices. The data will be accessible if users know how to find it, but users will only see dashboards in the listing and other saved objects that are configured for their own instance. That was the first part of my initial answer. I added the second part of my answer, which really just extends the first part, because you expressed interest in knowing what you can do with X-Pack security.

Hope that clears it up,
-Tim


(Vikas Gopal) #5

yup !! things are clear now.Thank you so much for your time .


(Vikas Gopal) #6

@tsullivan,

Can I merge both these approaches. I mean can I provide 2 separate URL's with security to 2 different users.I implemented the security approach with X-pack but the user can see the list of all visualizations because all visualizations are stored in .kibana_management index , though user is only allowed to see data in kibana_management and management index only .

So idea is to provide role based access to the objects with security ?

Regards
Vikas


(Tim Sullivan) #7

Can I merge both these approaches. I mean can I provide 2 separate URL's with security to 2 different users

Yes, the idea is to have 2 different Kibana URLs where each Kibana instance has a different config index

So idea is to provide role based access to the objects with security ?

The idea is to have role based access to the different config indices


(Vikas Gopal) #8

@tsullivan
Just another confusion , so if I use 2 different kibana instances with Xpack I need to use same Xpack settings and configuration in both the instances ? as i will be having same LDAP users for both the instances , also what about Xpack license is it common for both kibana instances or it will be different for each instance ?


(Tim Sullivan) #9

if I use 2 different kibana instances with Xpack I need to use same Xpack settings and configuration in both the instances ? as i will be having same LDAP users for both the instances

I don't think you need to have the same Kibana X-Pack configuration on every Kibana instance. You should at least have the Security plugin enabled on every instance though.

also what about Xpack license is it common for both kibana instances or it will be different for each instance

X-Pack license is only installed in Elasticsearch. Kibana determines it's features by reading the license information from an Elasticsearch API.


(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.