How to restrict user access to a tab in Kibana

security

(Ganesh) #1

Hi,
I want to restrict access to Management, APM, and Graph by user. I'm using X-Pack. It contains default roles, among which I could see one role, 'kibana_dashboard_only'; I want to provide some role like this.

Can anyone help me with this?


(kulkarni) #2

Exactly, you would have to define your roles. For example, there are some built-in roles like:

machine_learning_admin

Grants manage_ml cluster privileges and read access to the .ml-* indices.

machine_learning_user

Grants the minimum privileges required to view X-Pack machine learning configuration, status, and results. This role grants monitor_ml cluster privileges and read access to the .ml-notifications and .ml-anomalies* indices, which store machine learning results.

monitoring_user

Grants the minimum privileges required for any user of X-Pack monitoring other than those required to use Kibana. This role grants access to the monitoring indices. Monitoring users should also be assigned the kibana_user role.

remote_monitoring_agent

Grants the minimum privileges required for a remote monitoring agent to write data into this cluster.

reporting_user

Grants the specific privileges required for users of X-Pack reporting other than those required to use Kibana. This role grants access to the reporting indices. Reporting users should also be assigned the kibana_user role and a role that grants them access to the data that will be used to generate reports with.

superuser

Grants full access to the cluster, including all indices and data. A user with the superuser role can also manage users and roles and impersonate any other user in the system. Due to the permissive nature of this role, take extra care when assigning it to a user.

More ref: https://www.elastic.co/guide/en/x-pack/current/built-in-roles.html

However, there's no built-in way to restrict or turn off the Management tab in Kibana currently.

Thanks
Rashmi


(Ganesh) #3

Thanks, Rashmi. It's very helpful.

But I need to create my own role in which I want to restrict the user to read only; the user should not have any write or delete operation. How could I achieve that?


(kulkarni) #4

Hi Ganesh,
Yes, that can be achieved very easily. So I think what you want is for a readonly user (with a readonly role) to not be allowed to create/update/delete index patterns, saved searches, visualizations, or dashboards. Those things are all in the .kibana index, so below I've ONLY changed the privileges for the .kibana index.

That way they can Read everything and run queries, even create new visualizations and dashboards (on any existing index pattern) but not save any changes.

If that's correct, in this example below I

readonly:
      cluster: 
          - cluster:monitor/nodes/info
          - cluster:monitor/health 
      indices:
        '*':
          privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
        '.kibana':
          privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search

I removed these privileges:

  • indices:admin/mapping/put
  • indices:data/write/delete
  • indices:data/write/index
  • indices:data/write/update

Or did you only want the user to not be able to change the index pattern but still be able to create/modify/save Saved searches, Visualizations, and Dashboards?

Hope this helps,
Rashmi
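
Added example, not part of the original posts: a small Python check that no grant applying to `.kibana` (including a wildcard index pattern such as '*') carries the write actions listed as removed in post #4. The function name, the dict layout and the set of named privileges are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Write actions the post removed from the '.kibana' grant.
WRITE_ACTIONS = [
    "indices:admin/mapping/put",
    "indices:data/write/delete",
    "indices:data/write/index",
    "indices:data/write/update",
]
# Assumption: named privileges treated here as implying write access.
NAMED_WRITE = {"all", "write", "index", "delete"}

# The readonly role from the post, re-typed as a dict
# (privileges kept as comma-separated strings, as posted).
READONLY = {
    "*": "indices:admin/mappings/fields/get, indices:admin/validate/query, "
         "indices:data/read/search, indices:data/read/msearch, "
         "indices:data/read/field_stats, indices:admin/get",
    ".kibana": "indices:admin/exists, indices:admin/mappings/fields/get, "
               "indices:admin/refresh, indices:admin/validate/query, "
               "indices:data/read/get, indices:data/read/mget, "
               "indices:data/read/search",
}

def write_grants(indices, target=".kibana"):
    """Return sorted (index_pattern, privilege) pairs that allow writes to target."""
    findings = set()
    for pattern, privs in indices.items():
        if not fnmatchcase(target, pattern):
            continue  # this grant does not apply to the target index
        for priv in (p.strip() for p in privs.split(",")):
            if not priv:
                continue
            # A granted privilege may itself be a wildcard over action names.
            if priv in NAMED_WRITE or any(fnmatchcase(a, priv) for a in WRITE_ACTIONS):
                findings.add((pattern, priv))
    return sorted(findings)

# Constructed counter-example: a wildcard action on '*' reopens writes to .kibana.
LEAKY = {**READONLY, "*": READONLY["*"] + ", indices:data/write/*"}

if __name__ == "__main__":
    print("readonly:", write_grants(READONLY))
    print("leaky:   ", write_grants(LEAKY))
```
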


(Ganesh) #5

Thank you for your elaborate reply. May I know where I have to put this change? Do I have to paste it into elasticsearch.yml?

The users I'm creating need to look at Discover for events, and they don't need to create/delete/update.