How to set a user with customized roles for Kibana on ECK

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.12.0
  count: 1
  elasticsearchRef:
    name: quickstart
    namespace: default
  http:
    tls:
      selfSignedCertificate:
        disabled: true

When I create a Kibana pod which connects to an ES cluster managed by ECK, the default user in kibana.yaml is "default-quickstart-kibana-user", and its role is kibana_system.
This user only has permissions to access internal indices, like .kibana* and .monitoring-*.
I'd like to know how to modify the role, for example, setting it as a superuser.

Welcome back @wangxr1985. Thanks for posting! I found a documentation page that may be helpful here, and it showed an example that looked similar to what you are looking for.

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro    # required field for kubernetes.io/basic-auth
  password: mypassword # required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin  # optional, not part of kubernetes.io/basic-auth

Hope this helps!

Thanks, I have read this document before and I can create a user with the permissions I need. However, I am not sure how to configure Kibana to use this user.

In the "Elasticsearch is managed by ECK" section of this document, it says: "The Kibana configuration file is automatically setup by ECK to establish a secure connection to Elasticsearch."
I would like to know how to specify my configured user in the Kibana config file, or give the default user more permissions.


Would something like what's described here work for you?

Hi @wangxr1985

This connection between Kibana and Elasticsearch does not affect how users log in, nor what permissions/access, etc., they have. This is purely how the Kibana server interacts with the Elasticsearch server. It is not about users that use the system.

Changing the roles/permissions/users is not recommended, as kibana_system is the exact correct role for this use case / connection.

Authentication, authorization, and roles for users who log into Kibana and Elastic are managed separately via Users and Roles.

You should really look at this

and This

Or go to Kibana -> Stack Management -> Users / Roles and set up the users and roles you want.

So to summarize, it is not recommended to change the Auth/Auth in the kibana.yml for the connection between the Kibana server and the Elasticsearch server.

User Roles are managed as separate Roles and are assigned to Users in a normal RBAC pattern.


Thank you. I originally wanted to put a monitoring script in this image and connect to the ES cluster using the URL/user/password in the Kibana configuration file. It seems that this method is not quite correct.
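An added example, not posted by anyone in this thread: one way to give a monitoring script its own least-privilege account through ECK's file realm, leaving the Kibana service account and its kibana_system role untouched. The names monitoring-roles, monitoring-user, monitoring_ro and monitor-script, the password placeholder and the nodeSets layout are assumptions made for illustration.

```yaml
# Custom role: read-only cluster monitoring, no index data access.
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-roles            # hypothetical name
  namespace: default
stringData:
  roles.yml: |-
    monitoring_ro:                  # hypothetical role name
      cluster: [ 'monitor' ]        # health, stats and node info only
---
# Dedicated user for the script, same Secret shape as shown in the thread.
apiVersion: v1
kind: Secret
metadata:
  name: monitoring-user             # hypothetical name
  namespace: default
type: kubernetes.io/basic-auth
stringData:
  username: monitor-script          # hypothetical user
  password: REPLACE_WITH_GENERATED_PASSWORD   # placeholder, do not commit a real value
  roles: monitoring_ro              # only the custom role, not superuser
---
# The Secrets take effect only once the Elasticsearch resource references them.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
  namespace: default
spec:
  version: 8.12.0
  auth:
    roles:
    - secretName: monitoring-roles  # loads roles.yml into the cluster
    fileRealm:
    - secretName: monitoring-user   # adds the user to the file realm
  nodeSets:                         # assumed single-node layout
  - name: default
    count: 1
```

The script can then read its credentials from the monitoring-user Secret mounted into its own pod, so it never needs the credentials in the Kibana configuration file.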
