Customizing Stack Management Page in Kibana

I would like to customize the stack management page as we only require access to the reporting link. I want to remove the other links since 99% of the users accessing this page will not have access to it.

I would like to remove the options (shown in the RED rectangle) depicted in the following image:

I would like to be left with the following (removing Machine Learning Jobs and Watcher would be a plus):

I think I found the source file (/usr/share/kibana/src/plugins/management/public/management_sections_service.js) to remove the unwanted register sections as follows:

Before Snippet:

// Note on adding sections - sections can be defined in a plugin and exported as a contract
// It is not necessary to define all sections here, although we've chose to do it for discovery reasons.
this.definedSections = {
  ingest: this.registerSection(IngestSection),
  data: this.registerSection(DataSection),
  insightsAndAlerting: this.registerSection(InsightsAndAlertingSection),
  security: this.registerSection(SecuritySection),
  kibana: this.registerSection(KibanaSection),
  stack: this.registerSection(StackSection)
};

After Snippet:

// Note on adding sections - sections can be defined in a plugin and exported as a contract
// It is not necessary to define all sections here, although we've chose to do it for discovery reasons.
this.definedSections = {
  insightsAndAlerting: this.registerSection(InsightsAndAlertingSection)
};

But when I restart Kibana (after installing or uninstalling a plugin), nothing has changed on the Stack Management page.

Note: In past Kibana versions, one needed to install or uninstall a plugin to effect updates on the pages.

Thanks in advance for any insight one can shed on my issue.

Mike

Based on your screengrab, it looks like you are running 7.9.3... Starting in 7.10, Kibana will decide what to display in the management menu based on a user's cluster & index privileges. You can find more details in the PR or the original issue.

So the most reliable path forward would be upgrading to 7.10. If that's not feasible for you right now and you must modify the source, then I would expect the snippets you show above to work.

Since I'm assuming you aren't running Kibana in dev mode, have you rebuilt the plugins after making changes? Plugins all get built into a target directory which lives at the top level of each plugin, and that's what's actually served when you run Kibana in production.

You can rebuild the plugins by running the build_kibana_platform_plugins script:

  > node scripts/build_kibana_platform_plugins.js

  Runs a dev task

  Options:
    --watch            run the optimizer in watch mode
    --workers          max number of workers to use
    --oss              only build oss plugins
    --profile          profile the webpack builds and write stats.json files to build outputs
    --no-core          disable generating the core bundle
    --no-cache         disable the cache
    --focus            just like --filter, except dependencies are automatically included, --filter applies to result
    --filter           comma-separated list of bundle id filters, results from multiple flags are merged, * and ! are supported
    --no-examples      don't build the example plugins
    --dist             create bundles that are suitable for inclusion in the Kibana distributable, enabled when running with --update-limits
    --scan-dir         add a directory to the list of directories scanned for plugins (specify as many times as necessary)
    --no-inspect-workers  when inspecting the parent process, don't inspect the workers
    --report-stats     attempt to report stats about this execution of the build to the kibana-ci-stats service using this name
    --validate-limits  validate the limits.yml config to ensure that there are limits defined for every bundle
    --update-limits    run a build and rewrite the limits file to include the current bundle sizes +5kb
    --verbose, -v      Log verbosely
    --debug            Log debug messages (less than verbose)
    --quiet            Only log errors
    --silent           Don't log anything
    --help             Show this message

Hello Luke,

I was running in Dev mode using the latest pull from GitHub.
The version it said was V8.0.0.

Mike

If you are running 8.0 from the latest master branch, then you shouldn't need to edit the source code at all -- you'd just need to create roles that only have permissions to the sections you want users to see and assign them to users. Then Kibana filters out the sections users lack permissions for.

More is explained in the PR description: https://github.com/elastic/kibana/pull/67791

In your case, if you only want to show the Reporting section, you'd just need to:

  1. create a role with the relevant Kibana permissions (e.g. access to Discover and Dashboard for a particular space)
  2. create a user and assign that role to it
  3. also assign the built-in reporting_user role to that user

Then when the user logs in, they'll only see the Reporting link under the stack management section.

I just tested this on the latest master branch, and created a kbn role for testing purposes, which has read access to Discover/Dashboards in all spaces:

Then I assigned this role to a new reporting user, and also assigned the reporting_user role:

And this is how the stack management section looks when logged in as that user:

Hi,

I was hoping this would work in the version I'm working in (7.9.3), but I guess it will only work in version 8.0 and higher?

Thanks for pointing this out.

Mike

The PR I linked to was released in 7.10.0, so it should work in any version 7.10 or higher.

Before 7.10, there isn't an officially supported way to do this -- it would require manually modifying the source code as you mentioned above.

Hello,

I got the ok to upgrade to 7.10.1 and followed your steps in the previous message.

Created a new role:

Created a user with this role and reporting_user role only.

Unfortunately, my stack management page is a bit different from yours where I have the additional Ingest header and Beats Central Management link:

Also, I was wondering in the navigation panel, could the Overview link be removed?

Thanks for all your and your coworkers' help!

Mike

Hey @Amphagory -- The Beats Central Management link should only be displaying if the beats_admin role is assigned to the user. You may want to double check to confirm that the user doesn't have that role.

As for the Overview link, unfortunately there isn't really a way to disable that at the moment. As it's the entry-point for each of the nav sections (Kibana, Observability, Security), it is always shown if you have access to at least one item in that section. However in the case of the Kibana overview page at least, the overview should only link out to apps the user has access to.

It feels like it could be a useful enhancement though, so feel free to open a feature request in GitHub if you'd like to see it added!
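The role and user setup from the 7.10+ answer above, plus the role-list check suggested in this reply, as an added example that is not part of the original thread or Kibana's own code. It uses the Kibana role API and the Elasticsearch user API; the role name `reporting_viewer`, the index pattern `logs-*`, the user name and the URLs are assumptions.

```python
"""Added example (not from the thread): reporting-only user on Kibana 7.10+.
Assumed names: role 'reporting_viewer', index pattern 'logs-*', URLs, credentials."""
import base64
import json
import urllib.request

EXPECTED_ROLES = {"reporting_viewer", "reporting_user"}  # assumed custom role + built-in

def kibana_role_body(index_patterns):
    """Body for PUT <kibana>/api/security/role/<name>: read-only Discover and
    Dashboard in all spaces, read on the given indices, no cluster privileges."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{"names": list(index_patterns), "privileges": ["read"]}],
        },
        "kibana": [{
            "base": [],
            "feature": {"discover": ["read"], "dashboard": ["read"]},
            "spaces": ["*"],
        }],
    }

def user_body(password, custom_role):
    """Body for PUT <es>/_security/user/<name>: custom role plus reporting_user."""
    return {"password": password, "roles": [custom_role, "reporting_user"]}

def unexpected_roles(user_doc, expected=EXPECTED_ROLES):
    """Given the JSON from GET <es>/_security/user/<name>, return
    {username: [roles outside the expected set]}, e.g. a stray beats_admin."""
    extras = {name: sorted(set(doc.get("roles", [])) - set(expected))
              for name, doc in user_doc.items()}
    return {name: roles for name, roles in extras.items() if roles}

def send(method, url, body, user, password):
    """Send one JSON request with basic auth. Kibana APIs require kbn-xsrf."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed user document: the expected roles plus beats_admin.
    sample = {"report_only": {"roles": ["reporting_viewer", "reporting_user", "beats_admin"]}}
    print(json.dumps(kibana_role_body(["logs-*"]), indent=2))
    print(unexpected_roles(sample))
```

To apply it, pass `kibana_role_body(...)` to `send("PUT", ...)` against the Kibana role endpoint and `user_body(...)` against the Elasticsearch user endpoint, using an account allowed to manage security.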

Hello,

Here is an image (I blacked out sensitive customer information) of the user. There are only TWO roles that are assigned.

After I added and removed the beats_admin role, sensing something funky happening, the Beats Central Management link disappeared.

As for the Overview link, when I click it, the following page appears:

The only concern I have is that the user should not have access to add data. Either the sample data or our own, should these links be shown in this page? Could they be removed in some fashion?

I'll open an issue in GitHub as requested to remove the Overview link.

Thanks for your help again!

Mike

Ah interesting, glad that worked!

The only concern I have is that the user should not have access to add data. Either the sample data or our own, should these links be shown in this page? Could they be removed in some fashion?

Right now the "add data" link isn't removed because I don't believe it is specifically tracked with our feature privileges system, which is mostly focused around application-level access. But that's definitely an area for improvement and worth mentioning in your feature request!

I was thinking and I really want to idiot-proof the UI for the users.

I was wondering if it is just possible to hack it out? What I mean is to find the file and remove the link and then I would need to rebuild Kibana.

Thoughts?

Mike