How To Map AD Groups with xpack


(A G) #1


I've integrated Elasticsearch with AD and manage to logon with my AD account. However I can't see anything in kibana due to privileges.

I've two groups in AD, MON-ADMIN & MON-VIEWER. users from ADMIN group should be able to do literally everything and users from VIEWER should only able to view(i.e. read only). How do I achieve this?

is there any sample roles.yml and role_mapping.yml to accomplish the above?


(Ioannis Kakavas) #2

Regardless of what we discuss below, this happens because your user doesn't have any Elasticsearch roles. In order to correctly view Kibana's UI, all the users should at least have the kibana_user role.

Now, I'd start here. I would suggest you use the Role and Role Mapping APIs to configure the required functionality.
We don't have sample files or API calls, other than the documentation examples, as each environment is unique and each administration and business rules for Authorization differ so there aren't many common scenarios.

The basic idea is that you want to create Elasticsearch roles that correspond to your AD groups and assign each role the required privileges that fit your use case. See defining roles for a detailed explanation and instructions on how to create the roles.
Then you'd want to create the corresponding role mapping rules that will map users that are members in a group to its corresponding Elasticsearch role.

(A G) #3

Thank you for your help, I managed to sort it out.

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.