Explanation of the cluster and indices actions privileges

security

(Kevin Soucy) #1

Is there a document that details what each of the cluster/indices actions privileges will allow/not allow in Kibana and ES ? Its difficult to properly set up roles when its not really clear what the individual privileges mean. Using Shield 2.1.1, ES 2.1.1, Kibana 4.3.1. Thks


(Jay Modi) #2

Hi Kevin,

We do not currently have a document that details what all of the action privileges allow. These map to the names of the actions user elasticsearch, for example the action name here https://github.com/elastic/elasticsearch/blob/2.2/core/src/main/java/org/elasticsearch/action/search/SearchAction.java#L30 maps to the operations performed by a matching transport action https://github.com/elastic/elasticsearch/blob/2.2/core/src/main/java/org/elasticsearch/action/search/TransportSearchAction.java

Do you have a need to secure down to the specific actions or will the read, write, etc group privileges work for your use case? If they are not sufficient, are there specific ones that you have questions about?


(Kevin Soucy) #3

Hi Jay, the "read" and "all" options are currently working for us, but before we open Kibana up to additional clients I was trying to find that sweet spot where we could allow users to create searches, visualizations, dashboards, etc, but perhaps not overwrite (or delete) existing objects. Unfortunately since ES and/or Kibana dont protect objects on a "user who created" basis, then anyone with write/all for an index can mistakenly delete or chg objects someone else created in that index. This is, unless i'm missing something and there is a clear way of doing this?

Thks for your feedback.


(Jay Modi) #4

You are correct, we do not have this capability with Shield and Kibana today and realize that this is something a lot of our users need. We are working on adding capabilities to support this.


(system) #5