Hi @rivermigue Welcome to the community!
What I would suggest is to create a role via the GUI and do a GET to get a model of the role.
my dashboard-read-only role in Kibana - Stack Management - Roles
And then do a GET on the role to get the settings and then translate into .yml
```
GET _security/role/dashboard-read-only
{
  "dashboard-read-only" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metrics-*",
          "metricbeat-*",
          "pcf-component-log-*",
          "pcf-bosh-log-*",
          "heartbeat-*",
          "apm-*"
        ],
        "privileges" : [
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_dashboard.read",
          "feature_canvas.read",
          "feature_maps.read",
          "feature_ml.read",
          "feature_graph.read",
          "feature_visualize.read"
        ],
        "resources" : [
          "space:dashboard-readonly"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
```
And a little more on Kibana Privileges
BUT I think this is the trick for the file-based roles: it needs to be based on the underlying Elasticsearch role... the Kibana role is a higher-level abstraction....
Example
Through the Kibana API
```
PUT kbn:api/security/role/my_kibana_role
{
  "metadata" : {
    "version" : 1
  },
  "elasticsearch": {
    "cluster" : [ ],
    "indices" : [ ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "discover": [
          "all"
        ],
        "visualize": [
          "all"
        ],
        "dashboard": [
          "all"
        ],
        "dev_tools": [
          "read"
        ],
        "advancedSettings": [
          "read"
        ],
        "indexPatterns": [
          "read"
        ],
        "graph": [
          "all"
        ],
        "apm": [
          "read"
        ],
        "maps": [
          "read"
        ],
        "canvas": [
          "read"
        ],
        "infrastructure": [
          "all"
        ],
        "logs": [
          "all"
        ],
        "uptime": [
          "all"
        ]
      },
      "spaces": [
        "*"
      ]
    }
  ]
}
```
When you get this role back through the Kibana API it looks the same, but when you get it from the underlying Elasticsearch API it looks like this:
```
GET _security/role/my_kibana_role
{
  "my_kibana_role": {
    "cluster": [],
    "indices": [],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_discover.all",
          "feature_visualize.all",
          "feature_dashboard.all",
          "feature_dev_tools.read",
          "feature_advancedSettings.read",
          "feature_indexPatterns.read",
          "feature_graph.all",
          "feature_apm.read",
          "feature_maps.read",
          "feature_canvas.read",
          "feature_infrastructure.all",
          "feature_logs.all",
          "feature_uptime.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {
      "version": 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}
```
Which is what I think maps to the role file...
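The step the reply describes by hand, taking the `GET _security/role/<name>` response and translating it into the `roles.yml` layout for file-based roles, is shown below as an added example; it is not code from the original post or from Elastic. It assumes only the role structure visible in the GET responses above (`cluster`, `indices`, `applications`, `run_as`) and the documented `roles.yml` keys, and the sample response it runs on is a constructed, shortened copy of the `dashboard-read-only` role.

```python
"""Translate an Elasticsearch GET _security/role response into roles.yml.

Added example (not the post's or Elastic's code). Assumes the role shape
shown in the GET responses above and the documented roles.yml keys.
"""
import json

# Constructed sample: a shortened copy of the dashboard-read-only GET response.
SAMPLE_GET_RESPONSE = json.loads("""
{
  "dashboard-read-only": {
    "cluster": [],
    "indices": [
      {
        "names": ["filebeat-*", "metricbeat-*"],
        "privileges": ["read"],
        "field_security": {"grant": ["*"], "except": []},
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": ["feature_discover.read", "feature_dashboard.read"],
        "resources": ["space:dashboard-readonly"]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {"enabled": true}
  }
}
""")


def api_role_to_file_role(role_body):
    """Keep only the keys roles.yml understands and drop server-generated ones.

    transient_metadata is produced by the node and never belongs in the file;
    an empty field_security.except list is dropped because it is the default.
    """
    out = {"cluster": list(role_body.get("cluster", []))}
    indices = []
    for entry in role_body.get("indices", []):
        idx = {"names": list(entry["names"]), "privileges": list(entry["privileges"])}
        fs = entry.get("field_security")
        if fs:
            fs_out = {"grant": list(fs.get("grant", []))}
            if fs.get("except"):
                fs_out["except"] = list(fs["except"])
            idx["field_security"] = fs_out
        if "query" in entry:  # document-level security, copied verbatim if present
            idx["query"] = entry["query"]
        # false is the default; only an explicit true changes what the role can reach
        if entry.get("allow_restricted_indices"):
            idx["allow_restricted_indices"] = True
        indices.append(idx)
    out["indices"] = indices
    # application privileges and resources are copied as-is: "*" means every
    # space, "space:<name>" limits the feature privileges to that one space
    out["applications"] = [
        {"application": a["application"],
         "privileges": list(a["privileges"]),
         "resources": list(a["resources"])}
        for a in role_body.get("applications", [])
    ]
    out["run_as"] = list(role_body.get("run_as", []))
    return out


def _scalar(v):
    """Render a YAML scalar; strings are single-quoted so '*' is not misread."""
    if isinstance(v, bool):
        return "true" if v else "false"
    return "'" + str(v).replace("'", "''") + "'"


def _flow(seq):
    return "[ " + ", ".join(_scalar(x) for x in seq) + " ]" if seq else "[ ]"


def _emit(value, indent):
    """Recursive block-style YAML emitter for the small subset roles.yml uses."""
    pad = "  " * indent
    lines = []
    if isinstance(value, dict):
        for k, v in value.items():
            if isinstance(v, dict) or (isinstance(v, list) and v and isinstance(v[0], dict)):
                lines.append(f"{pad}{k}:")
                lines.extend(_emit(v, indent + 1))
            elif isinstance(v, list):
                lines.append(f"{pad}{k}: {_flow(v)}")
            else:
                lines.append(f"{pad}{k}: {_scalar(v)}")
    else:  # list of mappings: first key shares the "- " line, the rest align under it
        for item in value:
            body = _emit(item, indent + 1)
            lines.append(f"{pad}- {body[0].lstrip()}")
            lines.extend(body[1:])
    return lines


def roles_yml(name, role_body):
    """Render one role, as returned by GET _security/role/<name>, as a roles.yml entry."""
    return "\n".join([f"{name}:"] + _emit(api_role_to_file_role(role_body), 1)) + "\n"


if __name__ == "__main__":
    for role_name, body in SAMPLE_GET_RESPONSE.items():
        print(roles_yml(role_name, body))
```

The emitter writes block YAML with flow-style lists, the layout the Elasticsearch docs use for `roles.yml`, and quotes every string so wildcards such as `*` survive a YAML parser unchanged; after converting, reading the file back with `yaml.safe_load` is a cheap check that the structure round-trips. The `metadata` and `transient_metadata` objects are deliberately left out, and `resources` is copied verbatim, so a role whose Kibana privileges were granted for `"*"` (all spaces) keeps that reach in the file, while `space:<name>` stays limited to that one space.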