Then we created a new role within the new space only, with read-only privileges again for Analytics -> Dashboard, Discover and Visualise. We did not assign any Cluster privileges as we are just testing RBAC at this stage.
And then we created a new user and assigned the new role to it.
For some reason, when the new user logs in to Kibana it can change the space to the 'default' one, with full access to everything. On top of that, within the new space the Management menu is available (along with the Analytics one) with all submenus and, again, full read/write access.
Is this a bug, or are we doing something wrong?
We are running ELK 7.11 on k8s (self-managed) on GCP.
We have tried to delete the new role, space and user and create them again, but unfortunately we keep getting the same problem (ability to select the Default space and access to the Stack Management menu).
I was thinking for a moment that Basic would be the problem, but I just set up exactly the same using a Cluster I deployed with ECK (K8s) with a basic license and it worked just how I expected with a basic license.
What version I am using: 7.11.1
One question: are you actually logging completely out and then logging in with the new user? If you just switch between spaces while you are logged in as the elastic user, you will not see the role-based control, because it inherits the elastic user's privileges.
If you still have trouble, please paste a complete view of the role creation. Notice I only have the one space, then I went into that and specifically set the privileges. It is kind of weird: you set up what is available in the space under Manage Spaces, then you refine it / do it again in the Kibana privileges during role creation.
For the role definition, go into Dev Tools / Console in Kibana (when logged in as your administration user, e.g. elastic) and run
GET /_security/role/test-role
That will show us exactly what this role can do, and will show us if something is out of place.
For the user's privileges, go into Dev Tools / Console as the test user (assuming that is possible - it sounds like in your case the user has access to Dev Tools, even though you don't want it to), and run
GET /_security/_authenticate
and
GET /_security/user/_privileges
Something isn't quite right here, and hopefully that information will pinpoint what it is, and then we can try and work out why it got into that state.
One of the surprising features of anonymous access in Elasticsearch is that the roles listed in xpack.security.authc.anonymous.roles are added to every user, not just the anonymous user.
It is more accurate to think of them as "global roles" rather than "anonymous roles". I'm afraid that you will not be able to implement role based access control while also granting the superuser role to every user.
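The following is an added example, not code posted in the thread or shipped by Elastic. It ties the two diagnostic steps above together: it reads `xpack.security.authc.anonymous.roles` out of an `elasticsearch.yml` fragment, merges those roles into the role list that `GET /_security/_authenticate` returns for a user (the "global roles" behaviour described above), and checks whether a `GET /_security/user/_privileges` response amounts to full access. The YAML fragments, API responses, and the `test-user`, `test-role` and `anonymous_read` names are all constructed for the example; the YAML parser only handles this one setting and is not a general YAML reader.

```python
"""
Added example (not from the original thread): compute a user's effective roles
when xpack.security.authc.anonymous.roles is set, and check whether the
privileges reported by GET /_security/user/_privileges amount to full access.

All YAML fragments, API responses and names below are constructed for this
example.
"""
import json
import re

ANON_KEY = "xpack.security.authc.anonymous.roles"

# Constructed elasticsearch.yml fragment: the weak setting from the thread,
# where superuser is listed as an "anonymous" role and therefore lands on
# every authenticated user as well.
WEAK_YAML = """\
xpack.security.enabled: true
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser
xpack.security.authc.anonymous.authz_exception: true
"""

# Constructed corrected fragment: a dedicated, narrowly scoped role for
# anonymous access (hypothetical name), or leave the setting out entirely.
FIXED_YAML = """\
xpack.security.enabled: true
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: [ anonymous_read ]
xpack.security.authc.anonymous.authz_exception: true
"""

# Constructed shape of GET /_security/_authenticate for the test user.
AUTHENTICATE_RESPONSE = json.loads(
    '{"username": "test-user", "roles": ["test-role"], "full_name": null, '
    '"email": null, "metadata": {}, "enabled": true}'
)

# Constructed GET /_security/user/_privileges responses: one as it would look
# with superuser merged in, one for a read-only Kibana feature role.
SUPERUSER_PRIVILEGES = json.loads(
    '{"cluster": ["all"], "global": [], '
    '"indices": [{"names": ["*"], "privileges": ["all"], '
    '"allow_restricted_indices": true}], '
    '"applications": [{"application": "*", "privileges": ["*"], '
    '"resources": ["*"]}], "run_as": ["*"]}'
)
READONLY_PRIVILEGES = json.loads(
    '{"cluster": [], "global": [], "indices": [], '
    '"applications": [{"application": "kibana-.kibana", '
    '"privileges": ["feature_dashboard.read", "feature_discover.read", '
    '"feature_visualize.read"], "resources": ["space:analytics"]}], '
    '"run_as": []}'
)


def anonymous_roles(yaml_text):
    """Return the role names under xpack.security.authc.anonymous.roles.

    Accepts the spellings Elasticsearch takes for this setting (a
    comma-separated scalar, a flow list "[a, b]", or a block list of "- a"
    lines) without a YAML library. Returns [] when the setting is absent.
    """
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*" + re.escape(ANON_KEY) + r"\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        value = m.group(1)
        if value == "":  # block list on the following lines
            roles = []
            for nxt in lines[i + 1:]:
                lm = re.match(r"^\s*-\s*(\S+)\s*$", nxt)
                if not lm:
                    break
                roles.append(lm.group(1))
            return roles
        value = value.strip("[]")
        return [r.strip().strip("'\"") for r in value.split(",") if r.strip()]
    return []


def effective_roles(user_roles, yaml_text):
    """Roles Elasticsearch applies to an authenticated user: the user's own
    roles plus every anonymous role, since the latter are added to all users."""
    return sorted(set(user_roles) | set(anonymous_roles(yaml_text)))


def grants_full_access(privileges):
    """True if a _privileges response amounts to superuser: cluster 'all'
    plus 'all' on every index ('*'). Kibana feature privileges are irrelevant
    at that point, which is why a read-only Kibana role cannot rein it in."""
    cluster_all = "all" in privileges.get("cluster", [])
    index_all = any(
        "*" in entry.get("names", []) and "all" in entry.get("privileges", [])
        for entry in privileges.get("indices", [])
    )
    return cluster_all and index_all


if __name__ == "__main__":
    user = AUTHENTICATE_RESPONSE["roles"]
    print("weak config  ->", effective_roles(user, WEAK_YAML))
    print("fixed config ->", effective_roles(user, FIXED_YAML))
    print("superuser privileges full access:", grants_full_access(SUPERUSER_PRIVILEGES))
    print("read-only privileges full access:", grants_full_access(READONLY_PRIVILEGES))
```

Run it against the real output of the two Dev Tools commands by replacing the constructed responses: if `effective_roles` for your test user includes `superuser`, the anonymous-roles setting is the cause, and no Kibana role definition will restrict that user until the setting is changed.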