API Key for Kibana Reporting

I need to generate an API key which will allow a user to generate a report in Kibana and then download it, once it's generated. What permissions do I need to set? I haven't been able to determine this from the docs.

Thx.

Yeah, kinda tricky... see if you can follow...

Run all these from Kibana - Dev Tools

So from here

The role via the Kibana Role API is
(there is a typo, no _, so that could trip you up)

PUT kbn:/api/security/role/custom_reporting_user
{
  "elasticsearch": {
    "cluster": [],
    "indices": [],
    "run_as": []
  },
  "kibana": [
    {
      "spaces": [
        "*"
      ],
      "base": [],
      "feature": {
        "dashboard": [
          "generate_report",
          "download_csv_report"
        ],
        "discover": [
          "generate_report"
        ],
        "canvas": [
          "generate_report"
        ],
        "visualize": [
          "generate_report"
        ]
      }
    }
  ]
}

BUT that is the abstraction of the role via the Kibana API.
You need to see what the role really is at the Elastic level:

GET _security/role/custom_reporting_user

{
  "custom_reporting_user": {
    "cluster": [],
    "indices": [],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_dashboard.generate_report",
          "feature_dashboard.download_csv_report",
          "feature_discover.generate_report",
          "feature_canvas.generate_report",
          "feature_visualize.generate_report"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

That is the role as you would define it when you create the API key; the above would be one of the role_descriptors.

You may want to add index privileges etc...

This is my understanding.

Hopefully, that helps you get started...


Thanks. I'll take a look at it today.

But just to clarify - I wouldn't necessarily have to create this role through the Kibana api (kbn:/api/...), I can just create the custom_reporting_user role via the Elasticsearch API and maintain it that way, correct? Seems easier to do it that way.

Thx agn.

Absolutely, sure, as long as you know exactly what the permissions are.

For many of the Kibana-based roles / permissions ... the examples are in the Kibana API... but not shown for the "raw" Elastic API, and if you do not create the roles correctly, the API key will not work.


Thanks. It gets a little confusing having the capability to manage roles for Kibana features both through the Kibana security API and the Elasticsearch API. I tend to go with Elasticsearch since I use the terraform provider to manage my cluster.


Right, use the Elasticsearch API whenever you can ... my only point is that some of the examples are only shown through the Kibana API, and / or when you use the Kibana UI to set up roles etc., if you show "Show API Request" they will be in the Kibana style ... I use this to get to the correct Elasticsearch API request... (POST as Kibana API / GET as Elasticsearch API); sometimes when I try to go straight to the low level I will leave things out.

In the end, there are only really Elasticsearch roles, permissions, etc.; the Kibana API is an abstraction on top.


Thx for the clarification.

We've tested these permissions as an API key, and when I attempt to retrieve the report I get the following failure message:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "Reporting generation failed: ReportingError(code: unknown_error) \"Max attempts (3) reached for job lohm8ko8000kd07c27c524ul. Failed with: Unable to bulk_get index-pattern\""
}

When I create a key using my standard user permissions, it works as expected.

Based on the error, it appears that I need to have index permissions assigned, so my additional question is this: Assuming that my data stream is logs-myapp.log-* and I ONLY want the API key to be able to create and download a report against that data stream, what are the minimum necessary index permissions I need to add to my key?

Thx.

Thanks for explaining the documentation to me, it definitely pointed me in the right direction.

However, in my case, I had some additional requirements that weren't met by the documentation:

  • Use an API key for authentication.
  • Restrict the report to only the data for a specific application (datastream). E.g., logs-myapp.log-*.

The role in the documentation appears to be intended to grant additional permissions to a user with the standard user role. As a result, when only those permissions are used, the following error is generated, when retrieved through the API:

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "Reporting generation failed: ReportingError(code: unknown_error) \"Max attempts (3) reached for job <job_id>. Failed with: Unable to bulk_get index-pattern\""
}

In order to generate reports with an API key against logs-myapp.log-*, additional permissions were needed (see below). After experimentation, it appears that these are the minimum necessary permissions for an API key to work for this purpose:

POST /_security/api_key
{
  "name": "myapp_log_reporting",
  "expiration": "365d",
  "role_descriptors": {
    "myapp_log_reporting": {
      "cluster": [],
      "indices": [
        {
          "names": [
            "/logs-myapp[.]log-.*/"
          ],
          "privileges": [
            "view_index_metadata",
            "read"
          ],
          "allow_restricted_indices": false
        }
      ],
      "applications": [
        {
          "application": "kibana-.kibana",
          "privileges": [
            "feature_visualize.minimal_all",
            "feature_visualize.generate_report",
            "feature_canvas.minimal_all",
            "feature_canvas.generate_report",
            "feature_discover.minimal_all",
            "feature_discover.store_search_session",
            "feature_discover.generate_report",
            "feature_dashboard.minimal_all",
            "feature_dashboard.store_search_session",
            "feature_dashboard.generate_report",
            "feature_dashboard.download_csv_report"
          ],
          "resources": [
            "*"
          ]
        }
      ],
      "run_as": [],
      "metadata": {},
      "transient_metadata": {
        "enabled": true
      }
    }
  }
}

I haven't tested it, but I assume that if you wanted the key to be able to generate reports against any data stream with the same key, you would need to include index permissions for logs-*.

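The thread's two steps (translating Kibana feature privileges into `kibana-.kibana` application privileges, then wrapping them with index privileges in a `role_descriptors` entry) can be scripted so the key body is generated rather than hand-edited. This is an added example, not code from any poster or from Elastic; the function names are hypothetical, and it assumes only the all-spaces case (`"*"`) with no base privileges, which is all the thread shows.

```python
import json

KIBANA_APP = "kibana-.kibana"  # application name as it appears in the thread's GET output

def kibana_to_app_privileges(kibana_entries):
    """Map Kibana role API feature privileges to Elasticsearch application
    privileges: feature F with privilege P becomes "feature_F.P"."""
    apps = []
    for entry in kibana_entries:
        if entry.get("base") or entry.get("spaces") != ["*"]:
            # Not shown in the thread; refuse instead of guessing the mapping.
            raise ValueError("example handles spaces ['*'] without base privileges only")
        privs = [f"feature_{feature}.{priv}"
                 for feature, plist in entry.get("feature", {}).items()
                 for priv in plist]
        apps.append({"application": KIBANA_APP, "privileges": privs, "resources": ["*"]})
    return apps

def build_api_key_request(name, kibana_entries, index_patterns, expiration="365d"):
    """Build the body for POST /_security/api_key with a single role descriptor."""
    for pattern in index_patterns:
        if pattern.strip("/") in ("*", ".*"):
            raise ValueError(f"refusing match-all index pattern: {pattern!r}")
    descriptor = {
        "cluster": [],
        "indices": [{
            "names": list(index_patterns),
            "privileges": ["view_index_metadata", "read"],  # as in the final post
            "allow_restricted_indices": False,
        }],
        "applications": kibana_to_app_privileges(kibana_entries),
        "run_as": [],
    }
    return {"name": name, "expiration": expiration,
            "role_descriptors": {name: descriptor}}

# Constructed input: the final post's feature privileges in Kibana role API form.
SAMPLE_KIBANA = [{"spaces": ["*"], "base": [], "feature": {
    "visualize": ["minimal_all", "generate_report"],
    "canvas": ["minimal_all", "generate_report"],
    "discover": ["minimal_all", "store_search_session", "generate_report"],
    "dashboard": ["minimal_all", "store_search_session", "generate_report",
                  "download_csv_report"],
}}]

if __name__ == "__main__":
    body = build_api_key_request("myapp_log_reporting", SAMPLE_KIBANA, ["/logs-myapp[.]log-.*/"])
    print(json.dumps(body, indent=2))
```

Paste the printed JSON under `POST /_security/api_key` in Dev Tools; the match-all guard keeps a reporting key from being issued with read access to every index by accident.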
