Thanks for your suggestion.
To restrict the user to a dashboard, you can assign kibana_dashboard_only_user to the user plus a custom role with read privileges for a specific index. Once the user logs in, they have access only to the dashboard section in the left-hand menu in Kibana. However, they can still see all the dashboard names in the dashboard section, but they can view the content of the dashboard if the visualizations are from the index that was originally assigned to this user. I was just wondering if there is a way to show only the dashboard that the user has access to, and not the other dashboard names that the user cannot view. I guess I'll just open another question on this.
Could you please confirm if I am doing this right?
Creating the alias:
```
POST /_aliases
{
  "actions": [
    {
      "add": {
        "index": "cloudwatch",
        "alias": "alias1",
        "filter": { "term": { "message": "error" } }
      }
    }
  ]
}
```
Create the role:
```
PUT /_security/role/test
{
  "cluster": [],
  "indices": [
    {
      "names": "cloudwatch*",
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"]
      },
      "query": {
        "term": {
          "message": {
            "value": "error"
          }
        }
      }
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["all"],
      "resources": ["*"]
    }
  ],
  "run_as": []
}
```
Output:
[Edit]
I logged in with the user kz. If I restrict the field to message, I can then see the value as error. However, restricting the value to a JSON array doesn't work.
The following Elasticsearch query should restrict the field cloudwatch_logs.log_group to the value "/aws/lambda/b2_record_processor", but it doesn't do the job.
```
PUT /_security/role/test
{
  "cluster": [],
  "indices": [
    {
      "names": "cloudwatch*",
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"]
      },
      "query": {
        "term": {
          "cloudwatch_logs.log_group": {
            "value": "/aws/lambda/b2_record_processor"
          }
        }
      }
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["all"],
      "resources": ["*"]
    }
  ],
  "run_as": []
}
```
Output:
Ignore the 'Expand your time range'; the output should work, but it doesn't! Any idea why? It must be the Elasticsearch query; not sure if that is the right way to handle a JSON array.
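The role body above can be reviewed offline before it is handed to anyone. The script below is an added example (not code from the original post or from Elastic): it takes the second role from the post as its sample input and flags the three things a security reviewer would raise. The audit rules are my own assumptions; the index mapping is not available here, so the `term` check is a heuristic, and `dls_preflight_search` only builds the `_search` body an administrator would run with their own credentials to confirm the DLS query matches documents at all. Two facts it relies on: document- and field-level security filter read operations only, so `"privileges": ["all"]` still lets the user write to the index; and a `term` query matches a single indexed token, so a value containing `/` only matches a `keyword` field (or a `.keyword` sub-field), never an analyzed `text` field.

```python
"""Offline review of an Elasticsearch role that uses document-level security (DLS).

Added example. Audit rules are assumptions of this script, not Elastic's guidance;
the index mapping is unknown here, so the `term` rule is a heuristic to verify.
"""
import json
import re
from typing import Iterator

# Index privileges that only read data. Anything else ("all", "write", ...) lets the
# user modify documents, and DLS/FLS do not filter write operations.
READ_ONLY_PRIVILEGES = {"read", "view_index_metadata", "monitor"}

# Sample input: the second role body from the post, reproduced as a Python dict.
ROLE = {
    "cluster": [],
    "indices": [
        {
            "names": "cloudwatch*",
            "privileges": ["all"],
            "field_security": {"grant": ["*"]},
            "query": {
                "term": {
                    "cloudwatch_logs.log_group": {"value": "/aws/lambda/b2_record_processor"}
                }
            },
        }
    ],
    "applications": [
        {"application": "kibana-.kibana", "privileges": ["all"], "resources": ["*"]}
    ],
    "run_as": [],
}


def term_clauses(query: dict) -> Iterator[tuple[str, str]]:
    """Yield (field, value) for every `term` clause, descending into bool queries."""
    if "term" in query:
        for field, spec in query["term"].items():
            value = spec["value"] if isinstance(spec, dict) else spec
            yield field, str(value)
    for clause in query.get("bool", {}).values():
        subs = clause if isinstance(clause, list) else [clause]
        for sub in subs:
            if isinstance(sub, dict):  # skips options such as minimum_should_match
                yield from term_clauses(sub)


def audit_role(role: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for entry in role.get("indices", []):
        names = entry.get("names")
        privileges = set(entry.get("privileges", []))
        query = entry.get("query")
        if isinstance(query, str):  # the API also accepts the query as a JSON string
            query = json.loads(query)
        restricted = query is not None or "field_security" in entry
        extra = privileges - READ_ONLY_PRIVILEGES
        if restricted and extra:
            findings.append(
                f"indices {names}: DLS/FLS configured but privileges {sorted(extra)} "
                f"also allow writes, which DLS/FLS do not filter; grant 'read' instead"
            )
        for field, value in term_clauses(query or {}):
            # A value with '/' or whitespace is split into several tokens by the
            # standard analyzer, so a term query on it only matches a keyword field.
            if re.search(r"[\s/]", value) and not field.endswith(".keyword"):
                findings.append(
                    f"term on '{field}' value {value!r}: only matches if the field is "
                    f"mapped as keyword; for a text field use '{field}.keyword'"
                )
    for app in role.get("applications", []):
        if "all" in app.get("privileges", []) and "*" in app.get("resources", []):
            findings.append(
                f"application {app.get('application')}: privilege 'all' on every "
                f"space grants full Kibana access, not dashboard-only access"
            )
    return findings


def dls_preflight_search(role: dict, index_position: int = 0) -> dict:
    """Body for GET /<index>/_search that counts the documents the DLS query matches.

    Run it with an administrative user before attaching the query to the role: a
    hit count of 0 means the role will hide everything, whatever the privileges.
    """
    query = role["indices"][index_position]["query"]
    if isinstance(query, str):
        query = json.loads(query)
    return {"query": query, "size": 0, "track_total_hits": True}


if __name__ == "__main__":
    for finding in audit_role(ROLE):
        print("-", finding)
    print(json.dumps(dls_preflight_search(ROLE), indent=2))
```

Running it against the posted role prints three findings: the index privileges should be `read` rather than `all`, the `term` on `cloudwatch_logs.log_group` only works if that field is mapped as `keyword`, and the Kibana application privilege `all` on `*` is far broader than a dashboard-only user needs.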