Hi,
I have a role defined as below. would like to know if the indices restriction still work when the user is allowed to get access to the "vulcano" space. e.g will the user in this role still be restricted to only have access to these specified indices in the "vulcano" space, or it will get access to all indices in the space
Indices and Spaces are different. A Space is application-level: it's what defines access to Kibana objects, such as index patterns, dashboards, and Advanced Settings. It also defines access to features such as the ability to create a shortened URL, or the ability to view or change advanced settings.
In the role that you have defined, a user could view Kibana objects (dashboards) that belong to the vulcano space and use the features that are enabled in that space. If they open a dashboard in that space, the dashboard will only show data in the indices that the user has privilege to read, which are the defined in the indices level of the role definition.
BTW if you give the user all privileges to .reporting-*, they could potentially view reports that were generated with data from indices that they shouldn't have access to view. It's STRONGLY recommended NOT to give users any privilege to system indices :).
Kibana provides APIs for letting users access its own data, so that every request can come from a user having the least amount of privileges they need.
Hi Tim,
Thanks for the information! The problem I have atm is the user can see all the indices under Discover in Vulcano space. in the role definition, my understanding is the user can only see deivce-i07y, ceased-i07y and telemetry-* in Discover feature in Vulcano Space
Using index level security you can configure access to each kind of index.
The concept of index patterns in Kibana are space aware.. so you need to do both.
If you would like to restrict access to the Index you need to set Index privileges.
To hide Index patterns in Kibana a user should be assigned to another space with other index patterns.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.