Document level security in Kibana with X Pack

annette · June 7, 2017, 10:51am

i am trying to set up roles for users to log in but only see documents that is related to them.

This is the role that i created:

  {
      "events_admin": {
        "cluster": [],
        "indices": [
          {
            "names": [
              "events*",
              ".kibana*"
            ],
            "privileges": [
              "all"
            ],
            "query": """{"term":{"Consultant.keyword":"Terri"}}"""
          }
        ],
        "run_as": [],
        "metadata": {},
        "transient_metadata": {
          "enabled": true
        }
      }
    }

When i log in as this user i get the following error:
Config: Error 400 Bad Request: [security_exception] Can't execute an update request if field or document level security is enabled
I followed a example on Setting Up Field and Document Level Security | X-Pack for the Elastic Stack [6.2] | Elastic to create this roll:

For example, the following role grants read access to all indices, but restricts access to documents whose department_id equals 12.

   {
  "indices" : [
    {
      "names" : [ "*" ],
      "privileges" : [ "read" ],
      "query" : {
        "term" : { "department_id" : 12 }
      }
    }
  ]
}

But then i found the following:

Limitations | X-Pack for the Elastic Stack [5.1] | Elastic

Any query that makes remote calls to fetch data to query by isn’t supported. The following queries aren’t supported:

The terms query with terms lookup isn’t supported.
The geo_shape query with indexed shapes isn’t supported.
The percolate query isn’t supported.

Okay so can someone please give me the correct answer...
In Kibana with X Pack - Can i set up a role where the user will only be able to see the documents where the "Consultant" field is there name?

If so, please help... what am i doing wrong?

jetnet · June 7, 2017, 7:32pm

try to remove ".kibana*" from the indices list in the role definition.

annette · June 8, 2017, 5:57am

Removed ".kibana*" and now getting this error:

Config: Error 403 Forbidden: [security_exception] action [indices:data/write/update] is unauthorized for user [user2]

jetnet · June 8, 2017, 10:37am

try to give the user user2 the kibana_user role

annette · June 8, 2017, 1:18pm

With the kibana_user role i can not add the query as to what documents are allowed.

I can assign a roll to a user and they are able to see all documents but I need to limit what documents they are allowed to see.

jetnet · June 9, 2017, 6:19am

user2 should have both roles: kibana_user and your custom events_admin (see: User management API), something like that:

PUT /_xpack/security/user/user2
{
    "roles": [
      "kibana_user",
      "events_admin"
    ]
}

annette · June 9, 2017, 12:26pm

Thanks - Tested it and it works. Great stuff.

system · July 7, 2017, 12:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authentication role issues Elasticsearch	5	1396	August 22, 2017
Allow user only certain documents from certain indices Elasticsearch	2	5184	January 10, 2018
Role Granted Documents Query example Kibana elastic-stack-security	3	3371	February 8, 2021
Document level security query causing error/no data Elasticsearch	10	2415	February 9, 2018
X-pack document level filtering not operating as expected Elasticsearch	16	643	July 25, 2018

Document level security in Kibana with X Pack

Related topics