Assigning a certain field value to the user using elasticsearch queries

Given an index and one of its fields, is it possible to restrict a user to a specific value in that field using Elasticsearch queries in the Kibana dev tools?

For example,

I have the following field called cloudwatch_logs.log_group. Also, there are these values that correspond to this field.

/aws/lambda/b2_c_api
/aws/lambda/b2_s3_writer
/aws/lambda/b2_record_processor
/aws/lambda/b2_raw_processor
/aws/lambda/fast_access_processor

I want to restrict the user to view only the Kibana dashboards that are associated with cloudwatch_logs.log_group: /aws/lambda/b2_c_api. Is that possible?

[Edit]:

Available fields in the index (type markers as shown in the Kibana sidebar: t = string, # = number):

  • @timestamp
  • cloudwatch_logs.log_group (t)
  • message (t)
  • @version (t)
  • _id (t)
  • _index (t)
  • _score (#)
  • _type (t)
  • cloudwatch_logs.event_id (t)
  • cloudwatch_logs.ingestion_time
  • cloudwatch_logs.log_stream (t)

You can't restrict access based on the value of a field; only the field as a whole.

To restrict access to documents with a certain field value, try creating an alias with a filter, then give certain users access to that alias instead of the whole index.

I don't know how you'd restrict the user to certain dashboards, though.

Hope this helps.


Thanks for your suggestion.

To restrict the user to a dashboard, you can assign kibana_dashboard_only_user to the user plus a custom role with read privileges for a specific index. Once the user logs in, they have access only to the dashboard section in the left-hand menu in Kibana. However, they can still see all the dashboard names in the dashboard section, but they can view the content of the dashboard if the visualizations are from the index that was originally assigned to this user. I was just wondering if there is a way to only show the dashboard that the user has access to, and not the other dashboard names that the user cannot view. I guess I'll just open another question on this.

Could you please confirm if I am doing this right?

Creating the alias:

POST /_aliases
{
  "actions":[
    {
      "add" : {
        "index": "cloudwatch",
        "alias": "alias1",
        "filter": { "term": {"message" : "error"}}
      }
    }
  ]
}

Create the role:

PUT /_security/role/test
{ 
  "cluster" : [],
  "indices" : [
    {
      "names": "cloudwatch*",
      "privileges": ["all"],
      "field_security" : {
        "grant" : [ "*"]
      },
      "query": {
        "term": {
          "message" : {
            "value": "error"
          }
        }
      }
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "all"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [ ]  
}

Output: (screenshot not reproduced)

[Edit]

I logged in with the user kz. If I restrict the field to message, I can then see the value as error. However, restricting the value to a JSON array doesn't work.

The following Elasticsearch query should restrict the field cloudwatch_logs.log_group to the value "/aws/lambda/b2_record_processor", but it doesn't do the job.

PUT /_security/role/test
{ 
  "cluster" : [],
  "indices" : [
    {
      "names": "cloudwatch*",
      "privileges": ["all"],
      "field_security" : {
        "grant" : [ "*"]
      },
      "query": {
        "term": {
          "cloudwatch_logs.log_group" : {
            "value": "/aws/lambda/b2_record_processor"
          }
        }
      }
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "all"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [ ]  
}

Output: (screenshot not reproduced)

Ignore the 'Expand your time range' message; the output should work, but it doesn't! Any idea why? It must be the Elasticsearch query; I'm not sure if that is the right way to handle a JSON array.

You don't need an alias filter for this, just document security. I don't currently see why you can't make it work with just that, as your use case is a 1-to-1 match with document security; I even remember the docs give an example which is exactly your use case: filtering on the value of a field.

If you have a platinum license, why aren't you opening a support ticket with your engineer instead of relying on the forums? They would tell you the best practice for filtering on multiple values for the same role, I guess.
It would be either by adjusting the query or giving multiple roles to the user, maybe?

Plus, you say it doesn't work, but it should work if configured correctly; that's why that feature exists :wink:

@martinr_ubi, I made it work after a few hours of trying.

Could you please explain when an alias filter would be useful? I am trying to understand when to use it.

Solution:

PUT /_security/role/test
{ 
  "cluster" : [],
  "indices" : [
    {
      "names": "cloudwatch*",
      "privileges": ["read"],
      "field_security" : {
        "grant" : ["*"]
      },
      "query":{
        "bool":{
          "must":[
            {
              "match_phrase":{
                "cloudwatch_logs.log_group": "/aws/lambda/s_data_worker"
              }
            },
            {
             "match":{
                "message": "error"
              }
            }
          ]
        }
      }
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "read"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [ ]  
}
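The term query in the second role above misses because cloudwatch_logs.log_group is a string field (the t marker in the field list): the standard analyzer splits the path into the tokens aws, lambda and b2_record_processor, so no single indexed token equals the full path, whereas "error" in message survives analysis as one token and therefore matched. This added example, not from the thread, keeps exact-match semantics by targeting the keyword subfield and grants several log groups in one role with a terms clause; it assumes the index uses the default dynamic mapping (which creates cloudwatch_logs.log_group.keyword), and the role name is made up.

```json
PUT /_security/role/lambda_b2_reader
{
  "cluster": [],
  "indices": [
    {
      "names": ["cloudwatch*"],
      "privileges": ["read", "view_index_metadata"],
      "query": {
        "bool": {
          "filter": [
            {
              "terms": {
                "cloudwatch_logs.log_group.keyword": [
                  "/aws/lambda/b2_c_api",
                  "/aws/lambda/b2_s3_writer"
                ]
              }
            }
          ]
        }
      }
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": ["read"],
      "resources": ["*"]
    }
  ],
  "run_as": []
}
```

With index privileges limited to read and view_index_metadata the user can search and build visualizations but cannot write to or delete the indices, which the earlier roles allowed through all. If you use the filtered-alias approach instead, the role must name only the alias, because any privilege granted on the underlying index bypasses the alias filter.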
