How to separate Machine Learning jobs in Kibana per user

Hi

The ability to restrict access to specific Machine Learning jobs is something that exists on our roadmap, however is not available out of the box today.

In the meantime, it is possible to restrict access to the ML results indices. When you create a job you can specify for it to use a dedicated index per job. This is a UI setting in the Advanced section of the job wizards.

Alternatively, if you are comfortable editing the JSON when creating a job or using the API, then all jobs for user-grp1 can share the same user-grp1 results index and all jobs for user-grp2 can share the same user-grp2 results index. This can be set using results_index_name.

You can then assign roles to user-grp1 and user-grp2 that only allow them to see their respective indices. (Note, if result_index_name is set to user-grp1 then the underlying index name will be .ml-anomalies-custom-user-grp1. )

The custom roles need to have:

  • The monitor_ml cluster privilege (or manage_ml if you want users to be able to create their own jobs)
  • Index read privilege on the raw data indices, used by each group
  • Index read privilege on the .ml-notifications index
  • Index read privilege on the appropriate results index, say .ml-anomalies-custom-user-grp1.

This does not prevent the two groups of users from seeing each others jobs in the job list, but it will prevent them from viewing the results of each others jobs.

Alternatively, with our next release (6.3) we will be supporting cross cluster search. Job separation could be achieved by creating separate ML clusters.