Exclude indices from role?

Is it possible to exclude indices from roles?

For example, say I have the following indices:

  • logstash-access-iis-[date]
  • logstash-access-tomcat-[date]
  • logstash-application-log4net-[date]
  • logstash-application-log4j-[date]

The average user gets read access to all indices via the following role:

kibana_user:
  cluster:
      - monitor
  indices:
    - names: 'logstash-*'
      privileges:
        - view_index_metadata
        - read

But now I'm adding a new index, to which I want to limit user access via a separate role, called:

  • logstash-application-rabbitmq-[date]

Is there any way I can exclude this index pattern from the kibana_user role? Or do I need to change that role to:

kibana_user:
  cluster:
      - monitor
  indices:
    - names: 'logstash-access-*'
      privileges:
        - view_index_metadata
        - read
    - names: 'logstash-application-log4net-*'
      privileges:
        - view_index_metadata
        - read
    - names: 'logstash-application-log4j-*'
      privileges:
        - view_index_metadata
        - read

As a user can have multiple roles, why not just manage this index through a separate role that you only assign to the users allowed to access it?

Sorry, I should have clarified; the plan is to provision access to the new index via a new role:

rabbitmq_user:
  cluster:
      - monitor
  indices:
    - names: 'logstash-application-rabbitmq-*'
      privileges:
        - view_index_metadata
        - read

But since my current role specifies - names: 'logstash-*', I believe I would have to change it to what I specified above. Just wanted to make sure there wasn't some option like this available:

kibana_user:
  cluster:
      - monitor
  indices:
    - names: 'logstash-*'
      privileges:
        - view_index_metadata
        - read
    - excludes: 'logstash-application-rabbitmq-*'

You will need to change your kibana_user role to be more specific with respect to index names.
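An added example, not code from the thread or from Elastic: a small audit that shows why the separate role alone does not restrict access. A user's privileges are the union of all assigned roles, so any role with a matching wildcard still grants read. Assumptions: the role dicts mirror the YAML above, the date suffix is a constructed sample, and Python's fnmatchcase stands in for simple '*' wildcard matching.

```python
from fnmatch import fnmatchcase

READ = ["view_index_metadata", "read"]

# Role definitions from the thread, as Python dicts (role -> index entries).
BROAD_ROLES = {
    "kibana_user": [{"names": ["logstash-*"], "privileges": READ}],
    "rabbitmq_user": [{"names": ["logstash-application-rabbitmq-*"], "privileges": READ}],
}
NARROWED_ROLES = {
    "kibana_user": [
        {"names": ["logstash-access-*"], "privileges": READ},
        {"names": ["logstash-application-log4net-*"], "privileges": READ},
        {"names": ["logstash-application-log4j-*"], "privileges": READ},
    ],
    "rabbitmq_user": BROAD_ROLES["rabbitmq_user"],
}

# Constructed index name; the date suffix is a made-up sample value.
RESTRICTED = "logstash-application-rabbitmq-2024.01.01"


def effective_privileges(roles, assigned, index):
    """Union of privileges from every assigned role with a matching pattern.

    Assumption: fnmatchcase stands in for simple '*' wildcard matching.
    """
    granted = set()
    for role in assigned:
        for entry in roles[role]:
            if any(fnmatchcase(index, pat) for pat in entry["names"]):
                granted.update(entry["privileges"])
    return granted


def roles_exposing(roles, index, privilege="read"):
    """Names of roles that, on their own, grant `privilege` on `index`."""
    return sorted(
        name for name in roles
        if privilege in effective_privileges(roles, [name], index)
    )


if __name__ == "__main__":
    for label, roles in (("broad", BROAD_ROLES), ("narrowed", NARROWED_ROLES)):
        print(label, "->", roles_exposing(roles, RESTRICTED))
```

Running the same check against every role after a new index pattern is introduced catches a leftover broad wildcard before the restricted index starts receiving data.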
