Hi,
I want to restrict access to Management, APM, and Graph by user. I'm using X-Pack. It contains default roles, and among them I could see one role, 'kibana_dashboard_only'. I want to provide some role like this.
Can anyone help me with this?
Exactly, you would have to define your roles. For example, there are some built-in roles like:
machine_learning_admin
Grants manage_ml cluster privileges and read access to the .ml-* indices.
machine_learning_user
Grants the minimum privileges required to view X-Pack machine learning configuration, status, and results. This role grants monitor_ml cluster privileges and read access to the .ml-notifications and .ml-anomalies* indices, which store machine learning results.
monitoring_user
Grants the minimum privileges required for any user of X-Pack monitoring other than those required to use Kibana. This role grants access to the monitoring indices. Monitoring users should also be assigned the kibana_user role.
remote_monitoring_agent
Grants the minimum privileges required for a remote monitoring agent to write data into this cluster.
reporting_user
Grants the specific privileges required for users of X-Pack reporting other than those required to use Kibana. This role grants access to the reporting indices. Reporting users should also be assigned the kibana_user role and a role that grants them access to the data that will be used to generate reports with.
superuser
Grants full access to the cluster, including all indices and data. A user with the superuser role can also manage users and roles and impersonate any other user in the system. Due to the permissive nature of this role, take extra care when assigning it to a user.
More ref: https://www.elastic.co/guide/en/x-pack/current/built-in-roles.html
However, there's no built-in way to restrict or turn off the Management tab in Kibana currently.
Thanks
Rashmi
Thanks Rashmi. It's very helpful.
But I need to create my own rule in which I want to restrict the user to read only; the user should not have any write or delete operations. How could I achieve that?
Hi Ganesh,
Yes, that can be achieved very easily. So I think what you want is for a readonly user (with a readonly role) to not be allowed to create/update/delete index patterns, saved searches, visualizations, or dashboards. Those things are all in the .kibana index, so below I've only changed the privileges for the .kibana index.
That way they can read everything and run queries, even create new visualizations and dashboards (on any existing index pattern), but not save any changes.
If that's correct, in this example below I
readonly:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search
I removed these privs;
Or did you only want the user to not be able to change the index pattern but still be able to create/modify/save Saved searches, Visualizations, and Dashboards?
Hope this helps,
Rashmi
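One way to check that a role like the readonly one in the answer above really grants nothing that can modify .kibana, as an added example that is not part of the original posts or of Elastic's code. The helper names, the list of mutating actions and the TOO_BROAD role are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: representative index actions that change data or index structure.
MUTATING_ACTIONS = [
    "indices:data/write/index", "indices:data/write/update",
    "indices:data/write/delete", "indices:data/write/bulk",
    "indices:admin/create", "indices:admin/delete", "indices:admin/mapping/put",
]
# Named index privileges that include at least one mutating action.
MUTATING_NAMED = {"all", "manage", "write", "index", "delete", "create",
                  "create_index", "delete_index"}

# The readonly role from the answer above, transcribed as a dict.
READONLY = {"indices": {
    "*": {"privileges": "indices:admin/mappings/fields/get, "
          "indices:admin/validate/query, indices:data/read/search, "
          "indices:data/read/msearch, indices:data/read/field_stats, "
          "indices:admin/get"},
    ".kibana": {"privileges": "indices:admin/exists, "
                "indices:admin/mappings/fields/get, indices:admin/refresh, "
                "indices:admin/validate/query, indices:data/read/get, "
                "indices:data/read/mget, indices:data/read/search"},
}}
# Constructed counter-example: a wildcard action and a named privilege.
TOO_BROAD = {"indices": {
    "*": {"privileges": "read, indices:data/*"},
    ".kibana": {"privileges": ["read", "write"]},
}}


def split_privileges(value):
    """Accept the comma-separated string form used in the post, or a list."""
    items = value.split(",") if isinstance(value, str) else value
    return [p.strip() for p in items if p.strip()]


def mutating_grants(role, index_name):
    """Return (index pattern, privilege) pairs that allow modifying index_name."""
    findings = []
    for pattern, entry in role.get("indices", {}).items():
        if not fnmatchcase(index_name, pattern):
            continue  # this block does not apply to the index being audited
        for priv in split_privileges(entry["privileges"]):
            # A grant is risky if it is a mutating named privilege or if its
            # wildcard pattern covers any known mutating action.
            if priv in MUTATING_NAMED or any(
                    fnmatchcase(action, priv) for action in MUTATING_ACTIONS):
                findings.append((pattern, priv))
    return findings
```

The '*' block is evaluated for .kibana as well, because a wildcard index pattern also covers .kibana.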
Thank you for your elaborate reply. May I know where I have to put this change? Do I have to paste it in elasticsearch.yml?
The users I'm creating need to look at Discover for events, and they don't need to create/delete/update.