File based roles for Kibana access

Hello,

I am trying to grant access to users by using the file-based security realm (using Puppet to distribute the files). The reason is that I don't want users to be able to change their passwords. However, I have not been able to find documentation on how to grant access to Kibana features. Is there any related documentation I can look at, or is this not supported at all for Kibana?

Here is a basic role file I have compiled:
roles.yaml

admin:
  cluster:
  - all
  indices:
  - names:
    - "*"
    privileges:
    - all
  kibana:
  - base:
    - all
    features:
    - all
    spaces:
    - "*"

Thank you!

Hi @rivermigue Welcome to the community!

What I would suggest is to create a role via the GUI and do a GET to get a model of the role.

My dashboard-read-only role in Kibana - Stack Management - Role

And then do a GET on the role to get the settings, and then translate it into .yml:

GET _security/role/dashboard-read-only

{
  "dashboard-read-only" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metrics-*",
          "metricbeat-*",
          "pcf-component-log-*",
          "pcf-bosh-log-*",
          "heartbeat-*",
          "apm-*"
        ],
        "privileges" : [
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_dashboard.read",
          "feature_canvas.read",
          "feature_maps.read",
          "feature_ml.read",
          "feature_graph.read",
          "feature_visualize.read"
        ],
        "resources" : [
          "space:dashboard-readonly"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

And a little more on Kibana Privileges

BUT I think this is the trick: for the file-based roles, it needs to be based on the underlying Elasticsearch role... the Kibana role is a higher-level abstraction....

Example

Through the Kibana API

PUT kbn:api/security/role/my_kibana_role
{
  "metadata" : {
    "version" : 1
  },
  "elasticsearch": {
    "cluster" : [ ],
    "indices" : [ ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "discover": [
          "all"
        ],
        "visualize": [
          "all"
        ],
        "dashboard": [
          "all"
        ],
        "dev_tools": [
          "read"
        ],
        "advancedSettings": [
          "read"
        ],
        "indexPatterns": [
          "read"
        ],
        "graph": [
          "all"
        ],
        "apm": [
          "read"
        ],
        "maps": [
          "read"
        ],
        "canvas": [
          "read"
        ],
        "infrastructure": [
          "all"
        ],
        "logs": [
          "all"
        ],
        "uptime": [
          "all"
        ]
      },
      "spaces": [
        "*"
      ]
    }
  ]
}

When you get this role back through the Kibana API it looks the same, but when you get it from the underlying Elasticsearch API it looks like this:

GET _security/role/my_kibana_role
{
  "my_kibana_role": {
    "cluster": [],
    "indices": [],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_discover.all",
          "feature_visualize.all",
          "feature_dashboard.all",
          "feature_dev_tools.read",
          "feature_advancedSettings.read",
          "feature_indexPatterns.read",
          "feature_graph.all",
          "feature_apm.read",
          "feature_maps.read",
          "feature_canvas.read",
          "feature_infrastructure.all",
          "feature_logs.all",
          "feature_uptime.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {
      "version": 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

Which is what I think maps to the role file...
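As an added example (not code from this thread), a small Python helper that performs the translation the reply describes: it reads the JSON returned by GET _security/role and emits roles.yml text, keeping only the keys file-based roles accept (cluster, indices, applications, run_as). The sample input is a constructed, trimmed copy of the dashboard-read-only role above; a role that still carries the Kibana-API "kibana" key (as in the question's roles.yaml) is rejected rather than written out, and field- or document-level restrictions are refused rather than silently dropped.

```python
import json

# Constructed sample: a trimmed copy of the GET _security/role output above.
SAMPLE_RESPONSE = json.dumps({"dashboard-read-only": {
    "cluster": [],
    "indices": [{"names": ["filebeat-*", "metricbeat-*"], "privileges": ["read"],
                 "field_security": {"grant": ["*"], "except": []},
                 "allow_restricted_indices": False}],
    "applications": [{"application": "kibana-.kibana",
                      "privileges": ["feature_discover.read", "feature_dashboard.read"],
                      "resources": ["space:dashboard-readonly"]}],
    "run_as": []}})


def _seq(items, indent):
    """Render a YAML block sequence, or an inline [] when the list is empty."""
    if not items:
        return " []"
    pad = " " * indent
    return "\n" + "\n".join(f'{pad}- "{item}"' for item in items)


def es_role_to_roles_yml(response_json: str) -> str:
    """Rewrite every role in an Elasticsearch _security/role response as roles.yml
    text. Kibana access is expressed via the applications block; the Kibana-API
    shape ("kibana": [...]) is rejected because roles.yml does not understand it."""
    lines = []
    for name, role in json.loads(response_json).items():
        if "kibana" in role:
            raise ValueError(f"{name}: roles.yml needs 'applications', not 'kibana'")
        lines.append(f"{name}:")
        lines.append("  cluster:" + _seq(role.get("cluster", []), 4))
        lines.append("  indices:" + ("" if role.get("indices") else " []"))
        for idx in role.get("indices", []):
            fls = idx.get("field_security", {})
            if "query" in idx or fls.get("except") or fls.get("grant", ["*"]) != ["*"]:
                raise ValueError(f"{name}: field/document-level security not handled here")
            lines.append("    - names:" + _seq(idx["names"], 8))
            lines.append("      privileges:" + _seq(idx["privileges"], 8))
        lines.append("  applications:" + ("" if role.get("applications") else " []"))
        for app in role.get("applications", []):
            lines.append(f'    - application: "{app["application"]}"')
            lines.append("      privileges:" + _seq(app["privileges"], 8))
            lines.append("      resources:" + _seq(app["resources"], 8))
        lines.append("  run_as:" + _seq(role.get("run_as", []), 4))
    return "\n".join(lines) + "\n"
```

The output is meant to be pasted into roles.yml on each node; anything the helper refuses (a role with "kibana", "query" or a restrictive field_security) has to be translated by hand so no restriction is lost.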

Just FYI: File realm users are not limited to using just roles defined in files. You can assign roles defined using Kibana to file realm users.

Thank you both for your input! Those two answers helped me to map the roles accordingly and create new ones.

Doing a GET on an existing role is all I needed to map the JSON response into YAML.
