File based roles for Kibana access

Hi @rivermigue Welcome to the community!

What I would suggest is to create a role via the GUI and then do a GET to get a model of the role.

My dashboard-read-only role in Kibana - Stack Management - Roles

And then do a GET on the role to get the settings and translate it into .yml:

GET _security/role/dashboard-read-only

{
  "dashboard-read-only" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metrics-*",
          "metricbeat-*",
          "pcf-component-log-*",
          "pcf-bosh-log-*",
          "heartbeat-*",
          "apm-*"
        ],
        "privileges" : [
          "read"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_dashboard.read",
          "feature_canvas.read",
          "feature_maps.read",
          "feature_ml.read",
          "feature_graph.read",
          "feature_visualize.read"
        ],
        "resources" : [
          "space:dashboard-readonly"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

And a little more on Kibana Privileges

BUT I think this is the trick for the file-based roles: it needs to be based on the underlying Elasticsearch role... the Kibana role is a higher-level abstraction....

Example

Through the Kibana API:

PUT kbn:api/security/role/my_kibana_role
{
  "metadata" : {
    "version" : 1
  },
  "elasticsearch": {
    "cluster" : [ ],
    "indices" : [ ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "discover": [
          "all"
        ],
        "visualize": [
          "all"
        ],
        "dashboard": [
          "all"
        ],
        "dev_tools": [
          "read"
        ],
        "advancedSettings": [
          "read"
        ],
        "indexPatterns": [
          "read"
        ],
        "graph": [
          "all"
        ],
        "apm": [
          "read"
        ],
        "maps": [
          "read"
        ],
        "canvas": [
          "read"
        ],
        "infrastructure": [
          "all"
        ],
        "logs": [
          "all"
        ],
        "uptime": [
          "all"
        ]
      },
      "spaces": [
        "*"
      ]
    }
  ]
}

When you get this role back through the Kibana API it looks the same, but when you get it from the underlying Elasticsearch API it looks like this:

GET _security/role/my_kibana_role
{
  "my_kibana_role": {
    "cluster": [],
    "indices": [],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_discover.all",
          "feature_visualize.all",
          "feature_dashboard.all",
          "feature_dev_tools.read",
          "feature_advancedSettings.read",
          "feature_indexPatterns.read",
          "feature_graph.all",
          "feature_apm.read",
          "feature_maps.read",
          "feature_canvas.read",
          "feature_infrastructure.all",
          "feature_logs.all",
          "feature_uptime.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {
      "version": 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

Which is what I think maps to the role file...
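As an added example (not code from the post above or from Elastic), this small Python script performs the translation the post describes: it flattens a Kibana-API role (feature privileges plus spaces) into the native Elasticsearch role shape that `GET _security/role` returns, then renders that as a `roles.yml` entry. The sample role is constructed, and the `space_all`/`space_read` naming for space-scoped base privileges is an assumption not shown on the page.

```python
import json

# Constructed sample in the Kibana-API shape (same layout as the PUT
# kbn:api/security/role body in the post), limited to one space.
KIBANA_ROLE = {
    "elasticsearch": {"cluster": [],
                      "indices": [{"names": ["filebeat-*"], "privileges": ["read"]}]},
    "kibana": [{"base": [], "feature": {"discover": ["read"], "dashboard": ["read"]},
                "spaces": ["dashboard-readonly"]}],
}

def kibana_to_es_role(kibana_role):
    """Flatten a Kibana role into the native Elasticsearch shape (GET _security/role)."""
    es, applications = kibana_role["elasticsearch"], []
    for entry in kibana_role.get("kibana", []):
        spaces = entry.get("spaces", ["*"])
        all_spaces = spaces == ["*"]
        # Base privileges: all/read when global; space_all/space_read when scoped
        # to named spaces (assumed from Kibana's naming, not shown on the page).
        privileges = [p if all_spaces else f"space_{p}" for p in entry.get("base", [])]
        # Feature privileges become feature_<id>.<level>, as in the GET output above.
        for feature, levels in entry.get("feature", {}).items():
            privileges += [f"feature_{feature}.{lvl}" for lvl in levels]
        applications.append({"application": "kibana-.kibana", "privileges": privileges,
                             "resources": ["*"] if all_spaces else [f"space:{s}" for s in spaces]})
    return {"cluster": es.get("cluster", []), "indices": es.get("indices", []),
            "applications": applications, "run_as": es.get("run_as", [])}

def _is_block(v):
    # Non-empty mappings and lists of mappings use YAML block style; scalars stay inline.
    return isinstance(v, dict) and bool(v) or isinstance(v, list) and any(isinstance(i, dict) for i in v)

def to_yaml(value, indent=0):
    """Tiny YAML emitter for the role schema (avoids a PyYAML dependency)."""
    pad = "  " * indent
    if isinstance(value, dict):
        return "\n".join(f"{pad}{k}:\n{to_yaml(v, indent + 1)}" if _is_block(v)
                         else f"{pad}{k}: {json.dumps(v)}" for k, v in value.items())
    items = []
    for item in value:
        if isinstance(item, dict):  # "- " replaces the indent of the first key
            rendered = to_yaml(item, indent + 1)
            items.append(rendered[:len(pad)] + "- " + rendered[len(pad) + 2:])
        else:
            items.append(f"{pad}- {json.dumps(item)}")
    return "\n".join(items)

def roles_yml(name, es_role):
    """Render one roles.yml entry; transient_metadata is output-only, so drop it."""
    return to_yaml({name: {k: v for k, v in es_role.items() if k != "transient_metadata"}})
```

Feeding the GET output from the post into `roles_yml` works the same way, since that JSON is already in the flattened shape; `print(roles_yml("dashboard-read-only", kibana_to_es_role(KIBANA_ROLE)))` shows the file entry for the sample.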