Exclude user access using regular expressions in Kibana

I would like to exclude only a particular index and have access to all the remaining indexes in a cluster.

Right now, I'm adding every index by clicking on it in roles, and it is a hectic task to do just to exclude one index in the permissions.

Is there a way I can do this exclusion using regular expressions? If yes, can I give it in Kibana roles?

Thanks in advance.

Please guide me to find a solution.

Hi,

Yes there is a possibility. Go through the below documentation for reference.

`ANYSTRING`

Enables the `@` operator. You can use `@` to match any entire string.

You can combine the `@` operator with `&` and `~` operators to create an "everything except" logic. For example:

```
@&~(abc.+)  # matches everything except terms beginning with 'abc'
```

You can use the below format in Dev Tools to exclude only a particular regex and give access to all the rest.

```
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["/@&~(abcde.+)/"],
      "privileges": ["all"],
      "allow_restricted_indices" : false
    }
  ]
}
```

In names, give the index name in place of "abcde" and only that index is excluded from access.

Do I need to do this in dev tools?

Should I directly give this? Sorry, please guide me as I'm new to doing this.

It would be great if you provide me with an example.

This is just an example; you need to alter it according to your requirements for what you need to enable in the access.

Below is an example:

```
POST _security/role/sample_role
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["/@&~(abcde.+)/"],
      "privileges": ["all"],
      "allow_restricted_indices" : false
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "feature_discover.all",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_maps.read",
        "feature_visualize.all",
        "feature_logs.all",
        "feature_infrastructure.all",
        "feature_apm.read",
        "feature_uptime.all",
        "feature_siem.read",
        "feature_dev_tools.all",
        "feature_advancedSettings.read",
        "feature_indexPatterns.all",
        "feature_savedObjectsManagement.read",
        "feature_fleet.all"
      ],
      "resources" : [
        "space:default"
      ]
    }
  ],
  "run_as" : [ ],
  "metadata" : { },
  "transient_metadata" : {
    "enabled" : true
  }
}
```
1 Like
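An added example, not part of the original thread and not Elastic's code: a Python approximation of how a role index pattern of the shape `/@&~(EXPR)/` decides which index names are granted, run over constructed index names. It compares `abcde.+` (an index named exactly `abcde` stays granted), `abcde.*` (the whole prefix is excluded) and `abcde` (only that one name is excluded); the function names and sample names are assumptions for illustration.

```python
import re


def role_pattern_to_python(role_pattern: str) -> re.Pattern:
    """Translate a role index pattern shaped /@&~(EXPR)/ into a Python regex.

    Assumption: EXPR uses only syntax that means the same in Lucene and
    Python (literals, '.', '+', '*'). Lucene anchors every pattern to the
    whole string, so '~(EXPR)' is "any string EXPR does not fully match".
    """
    shape = re.fullmatch(r"/@&~\((.*)\)/", role_pattern)
    if shape is None:
        raise ValueError("only the /@&~(EXPR)/ shape is handled here")
    # A negative lookahead over the whole name stands in for '@&~(EXPR)'.
    return re.compile(r"(?!(?:%s)\Z).*" % shape.group(1), re.DOTALL)


def granted_indices(role_pattern: str, index_names: list[str]) -> list[str]:
    """Return the index names the pattern matches, i.e. the ones granted."""
    rx = role_pattern_to_python(role_pattern)
    return [name for name in index_names if rx.fullmatch(name)]


# Constructed sample index names, not taken from any real cluster.
SAMPLE = ["abcde", "abcde-2024.01", "abcdef", "logs-app", "xabcde-1"]

if __name__ == "__main__":
    for pattern in ("/@&~(abcde.+)/", "/@&~(abcde.*)/", "/@&~(abcde)/"):
        print(pattern, "->", granted_indices(pattern, SAMPLE))
```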

Thanks a lot. Let me try.
