How to set a user with customized roles for kibana on ECK

wangxr1985 · February 20, 2024, 12:54pm

apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 8.12.0
  count: 1
  elasticsearchRef:
    name: quickstart
    namespace: default
  http:
    tls:
      selfSignedCertificate:
        disabled: true

When I create a kibana pod which connects to an ES cluster managed by ECK, the default user in kibana.yaml is "default-quickstart-kibana-user", its role is kibana_system.
This user just has permissions to access internal indices, just like .kibana*、.monitoring-*.
I'd like to know how to modify the role, for example, setting it as a superuser.

jessgarson · February 20, 2024, 6:26pm

Welcome back @wangxr1985. Thanks for posting! I found a documentation page that may be helpful here, and it showed an example that looked similar to what you are looking for.

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
type: kubernetes.io/basic-auth
stringData:
  username: rdeniro    # required field for kubernetes.io/basic-auth
  password: mypassword # required field for kubernetes.io/basic-auth
  roles: kibana_admin,ingest_admin  # optional, not part of kubernetes.io/basic-auth

Hope this helps!

wangxr1985 · February 21, 2024, 9:23am

Thanks, I have read this document before and I can create a user with the permissions I need. However, I am not sure how to configure Kibana to use this user.

In the "Elasticsearch is managed by ECK" section of this document, it says: "The Kibana configuration file is automatically setup by ECK to establish a secure connection to Elasticsearch."
I would like to know how to specify my configured user in the Kibana config file, or give the default user more permissions.

jessgarson · February 21, 2024, 5:14pm

Would something like what's described here work for you?

stephenb · February 21, 2024, 6:07pm

Hi @wangxr1985

This connection between Kibana and Elasticsearch does not affect how users log in, nor what permissions/access, etc, they have.. this is purely how the Kibana Server interacts with the Elasticsearch Server.... it is not about users that use the system

Changing the roles/permission/users is not recommended...as the kibana_system is the exact correct role for this use case / connections.

Authentication / Authorization / Roles / that Users Log into Kibana and / Elastic are managed separately via Users and Roles.

You should really look at this

and This

Or Got to Kibana -> Stack management -> User / Roles and set up the Users and Roles you want.

So to summarize, it is not recommended to change the Auth/Auth in the kibana.yml for the connection between kibana server and elasticsearch server

User Roles are managed as separate Roles and are assigned to Users in a normal RBAC pattern.

wangxr1985 · February 22, 2024, 7:21am

Thank you, I originally wanted to put a monitoring script in this image, and connect to the ES cluster using the url/user/password in the kibana configuration file. It seems that this method is not quite correct.

system · March 21, 2024, 7:22am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.