Giving Select Index Pattern Access in Kibana to Users using Shield


(Katy Gero) #1

I am trying to set up giving some users access only to certain index patterns (and eventually queries) using roles in Shield. I have successfully set up a 'read_only' role that is able to use Kibana, see code below:

readonly:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

However when I change '*' to my index pattern it fails, giving me the error:

Discover: [security_exception] action [indices:data/read/msearch] is unauthorized for user [test]

Even after I add indices:data/read/msearch to '.kibana' (which it doesn't appear to need for my read-only role) it continues to give me the same error.

Any thoughts?


(Joe Fleming) #2

Hrm, perhaps there's a bug in the docs. What version of Shield are you using? I'm guessing something pre-2.3, as the roles you posted are straight out of the 2.0-2.2 docs.


(Katy Gero) #3

Yup, I'm on version 2.2.0.


(Joe Fleming) #4

I'm trying to get this setup running locally, and running into some weird stuff. I'm working with someone to get the docs fixed along the way too. I'll let you know where I end up once I get stuff working.


(Joe Fleming) #5

OK, got stuff up and running. Here's what I did:

# elasticsearch 2.2.1, install shield and license
~/Downloads/elasticsearch-2.2.1$ ./bin/plugin install shield
~/Downloads/elasticsearch-2.2.1$ ./bin/plugin install license

# create a new role in roles.yml using the 2.2 docs example, then:
~/Downloads/elasticsearch-2.2.1$ ./bin/shield/esusers useradd user -r readonly

# also added a user for kibana to run as
~/Downloads/elasticsearch-2.2.1$ ./bin/shield/esusers useradd kibana -r kibana4_server

# install shield in kibana as well
~/Downloads/kibana-4.4.2-darwin-x64$ ./bin/kibana plugin -i kibana/shield/2.2.1

# fire up both elasticsearch and kibana
~/Downloads/elasticsearch-2.2.1$ ./bin/elasticsearch
~/Downloads/kibana-4.4.2-darwin-x64$ ./bin/kibana

Then I indexed some fake Logstash data into logstash-*, opened up localhost:5601, logged in as user and set up the index pattern. Everything is working as expected just using the default roles.

I did run into a formatting issue along the way, and I suspect you have one yourself. Check your spacing in that roles.yml file, and make sure you don't see any errors when you start up elasticsearch. You should have a role definition similar to this (note that the spacing is important):

readonly:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    'logstash-*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana*':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
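
As an added illustration (not code from this thread or from Shield itself): a small Python check that parses a roles.yml fragment in the shape shown above and applies a simplified model of Shield's index-level authorization, so you can see why a request against an index outside the granted pattern fails with the unauthorized error, and how a spacing mistake turns into a parse error instead of a silently wrong role. The parser handles only this indentation-driven subset (no PyYAML), and the check compares raw action names, not Shield's named privilege groups.

```python
from fnmatch import fnmatchcase

# Constructed roles.yml text in the shape used in this thread (raw action names).
ROLES_YML = """
readonly:
  cluster:
      - cluster:monitor/health
  indices:
    'logstash-*':
      - indices:data/read/search
      - indices:data/read/msearch
    '.kibana*':
      - indices:data/read/get
      - indices:data/write/index
"""

def parse_roles(text):
    """Minimal indentation-driven parser for this roles.yml subset (no PyYAML):
    role -> {'cluster': [actions], 'indices': {pattern: [actions]}}."""
    roles, stack = {}, []  # stack of (indent, open container)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and indent <= stack[-1][0]:  # a dedent closes containers
            stack.pop()
        parent = stack[-1][1] if stack else roles
        if line.startswith('- '):
            if not isinstance(parent, list):
                raise ValueError('list item under a mapping; check spacing near: ' + line)
            parent.append(line[2:].strip())
        else:
            key = line.rstrip(':').strip('\'"')
            # action lists live under 'cluster' and under each index pattern
            child = [] if key == 'cluster' or len(stack) >= 2 else {}
            parent[key] = child
            stack.append((indent, child))
    return roles

def is_authorized(roles, role, action, index):
    """Simplified model of Shield's index check: the role grants the action
    when one of its index patterns matches the index and lists that action."""
    for pattern, actions in roles.get(role, {}).get('indices', {}).items():
        if fnmatchcase(index, pattern) and action in actions:
            return True
    return False
```

With this role, an msearch against `logstash-2016.03.01` is granted while the same action against `device_message` is not, which is the shape of the error in the first post.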

(Katy Gero) #6

Got it working! Thanks! I must have had a formatting error. It correctly restricts access to certain index patterns.

Follow-up question: is it possible, in addition to specifying the index pattern, to specify a query? For instance, I may want to restrict access to an index pattern "device_message" AND restrict access to the query "device_id = 1".


(Joe Fleming) #7

I don't believe that Shield offers document-level security yet, but it would be worth reading up on; I may be wrong about that. We do have a Shield section here, you might have better luck asking about specific features over there.


(Katy Gero) #8

Thanks!
