App Search Roles

Hi Team,

Is it possible to create custom App Search roles? We're looking to give a user Read-Only access to all the elements that a Developer can see (Crawlers, Curations etc) - but not give them write access.

Thanks,

So looked into using a Pipeline with a custom role to solve this particular problem - without any luck.

The pipeline works when using the simulator, but when attempting to do it via the App Search GUI, it appears the pipeline just doesn't set the set_security_user correctly.

The pipeline definitely runs because if there is no condition on the fail process - the pipeline works as expected and blocks out any changes - however it needs to be conditional based on the user executing the change.

Is there a way to log the ctx object anywhere when it's run through the AppSearch pipeline?

[
  {
    "set_security_user": {
      "field": "_security",
      "properties": [
        "roles"
      ]
    }
  },
  {
    "fail": {
      "message": "Cannot Run",
      "if": "ctx._security.roles.contains(\"developer-tester\")"
    }
  },
  {
    "remove": {
      "field": "_security"
    }
  }
]

Failure procedure:

[
  {
    "remove": {
      "field": "_security"
    }
  },
  {
    "script": {
      "source": "ctx.op = \"noop\";"
    }
  }
]

I wrote the CTX back to the Document and I'm getting this regardless of the user that's logged into Kibana via the GUI.

Is there any way to get the authenticated user from the Set Security User process instead of just the Kibana System information?

          "roles": [
            "kibana_system",
            "cloud-internal-enterprise_search-server"
          ],
          "realm": {
            "name": "found",
            "type": "file"
          },
          "authentication_type": "REALM",
          "username": "cloud-internal-enterprise_search-server"
        }

Raised an Issue:

This seems like a bug to me.

Kibana should be passing through the actual user making the change on the Enterprise Search engines - not the Kibana_system user.
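
As an added example (not code from any post in this thread, and not Elastic's code), the Python model below mirrors the three posted processors and evaluates the role check under two identities: a constructed direct user `tester1` holding `developer-tester`, and the service account the thread reports for changes made through the GUI. The function names and `tester1` are assumptions made for illustration.

```python
# Added example: a Python model of the thread's ingest pipeline, not Elasticsearch code.
# It shows which identity the role check sees on each request path.

BLOCKED_ROLE = "developer-tester"  # role name from the posted pipeline


def set_security_user(ctx, authenticated_user, field="_security", properties=("roles",)):
    """Model of set_security_user: copy the selected properties of the user
    that authenticated the indexing request into the document."""
    ctx[field] = {p: authenticated_user[p] for p in properties}


def run_pipeline(doc, authenticated_user):
    """Run the three posted processors; return (outcome, resulting document)."""
    ctx = dict(doc)
    set_security_user(ctx, authenticated_user)
    # fail processor: "if": ctx._security.roles.contains("developer-tester")
    if BLOCKED_ROLE in ctx["_security"]["roles"]:
        return "rejected: Cannot Run", None
    del ctx["_security"]  # remove processor
    return "indexed", ctx


# Constructed identity: the user calls Elasticsearch directly (the simulator case).
direct_user = {"username": "tester1", "roles": ["developer-tester"]}

# Identity reported in the thread when the change is made through the GUI.
service_account = {
    "username": "cloud-internal-enterprise_search-server",
    "roles": ["kibana_system", "cloud-internal-enterprise_search-server"],
}


def demo():
    """Evaluate the same document under both identities."""
    doc = {"title": "constructed sample document"}
    return {
        "direct": run_pipeline(doc, direct_user)[0],
        "via_gui": run_pipeline(doc, service_account)[0],
    }


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path}: {outcome}")
```

On the GUI path the check only ever sees the service account's roles, so the role-based gate cannot distinguish between end users there.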
