How to set a user with customized roles for kibana on ECK

wangxr1985 · February 20, 2024, 12:54pm

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.12.0
  count: 1
  elasticsearchRef:
    name: quickstart
    namespace: default
  http:
    tls:
      selfSignedCertificate:
        disabled: true

When I create a kibana pod which connects to an ES cluster managed by ECK, the default user in kibana.yaml is "default-quickstart-kibana-user", its role is kibana_system.
This user just has permissions to access internal indices, just like .kibana*、.monitoring-*.
I'd like to know how to modify the role, for example, setting it as a superuser.

jessgarson · February 20, 2024, 6:26pm

Welcome back @wangxr1985. Thanks for posting! I found a documentation page that may be helpful here, and it showed an example that looked similar to what you are looking for.

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro    # required field for kubernetes.io/basic-auth
  password: mypassword # required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin  # optional, not part of kubernetes.io/basic-auth

Hope this helps!

wangxr1985 · February 21, 2024, 9:23am

Thanks, I have read this document before and I can create a user with the permissions I need. However, I am not sure how to configure Kibana to use this user.

In the "Elasticsearch is managed by ECK" section of this document, it says: "The Kibana configuration file is automatically setup by ECK to establish a secure connection to Elasticsearch."
I would like to know how to specify my configured user in the Kibana config file, or give the default user more permissions.

jessgarson · February 21, 2024, 5:14pm

Would something like what's described here work for you?

stephenb · February 21, 2024, 6:07pm

Hi @wangxr1985

This connection between Kibana and Elasticsearch does not affect how users log in, nor what permissions/access, etc, they have.. this is purely how the Kibana Server interacts with the Elasticsearch Server.... it is not about users that use the system

Changing the roles/permission/users is not recommended...as the kibana_system is the exact correct role for this use case / connections.

Authentication / Authorization / Roles / that Users Log into Kibana and / Elastic are managed separately via Users and Roles.

You should really look at this

and This

Or Got to Kibana -> Stack management -> User / Roles and set up the Users and Roles you want.

So to summarize, it is not recommended to change the Auth/Auth in the kibana.yml for the connection between kibana server and elasticsearch server

User Roles are managed as separate Roles and are assigned to Users in a normal RBAC pattern.

wangxr1985 · February 22, 2024, 7:21am

Thank you, I originally wanted to put a monitoring script in this image, and connect to the ES cluster using the url/user/password in the kibana configuration file. It seems that this method is not quite correct.

system · March 21, 2024, 7:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot create Elasticsearch users with ECK Elastic Cloud on Kubernetes (ECK)	3	1873	November 4, 2022
Unable to log in elastic using the non-default user's username and password Elastic Cloud on Kubernetes (ECK)	4	746	November 4, 2022
ECK and AD authentication for KIbana Elastic Cloud on Kubernetes (ECK) elastic-stack-security	5	1318	November 4, 2022
Elasticsearch-users added is not shown in Kibana UI Elastic Cloud on Kubernetes (ECK) elastic-stack-security	5	1711	November 4, 2022
Anonymous user config Elastic Cloud on Kubernetes (ECK)	2	1497	October 11, 2021

How to set a user with customized roles for kibana on ECK

Related Topics