Kibana - hide space to user

Elastic Stack Kibana
1

Hello,
I'm testing ELK stack in version 7.5.1, Basic licence. I would like to hide spaces to user who do not need access. I found document here and also some topics about that. But I'm not able to get what I want!
I have one space named "network". I create one role which has only access to the previous space, "dashboard" part. I create a user with the role juste created.
When I connect with the user, I can see all spaces and have access to all menu.
I don't know where I'm wrong. I'm wondering of this feature is included in Basci licence.

Any idea?

Many thanks for your help.
Yannael

2

Can you make couple of snapshots of what you're doing in the creating role and creating user parts?

3

I tried to create as simple as possible to test access to space. So, I just create a namespace keeping default configuration. Then, I create a role like this:

role-test-kib
role-test-kib863×255 11.6 KB

I create a user "test" with the role just created:
user-role
Then, I connect to Kibana with this user and I can see all availables spaces:
list-space-available
list-space-available813×473 35.7 KB

Am I missing something?
Thanks,
Yannaël

4

You didn't send screenshot of how you configured that test role.
Can you paste here the result of the Dev Tools call
GET _security/role/test ?

In order not to make any confusion, I suggest you first create a test_role role (Management>Security>Roles>Create role) giving it a name (test_role) access to the indices needed to see what's in the network space and, most importantly, a specific space privilege in this section.

image
image1512×533 23.5 KB

Then you create a user (Management>Security>Users>Create user) named test_user and assign to it the role test_role just created.

Did you follow these steps?

5

Please, find below the result of the command:

{
  "test" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*fw*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.all",
          "feature_visualize.all",
          "feature_dashboard.all",
          "feature_dev_tools.all",
          "feature_advancedSettings.all",
          "feature_indexPatterns.all",
          "feature_savedObjectsManagement.all",
          "feature_graph.all",
          "feature_apm.all",
          "feature_maps.all",
          "feature_canvas.all",
          "feature_infrastructure.all",
          "feature_logs.all",
          "feature_siem.all",
          "feature_uptime.all"
        ],
        "resources" : [
          "space:network"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

I already did what you suggest. But in doubt, I did it again.
Role creation:

2-create-role
2-create-role848×763 32.1 KB

User creation:
2-create-user

Same result, this new user can see every spaces.
Yannaël

6

It is pretty akward to be honest. I've downloaded a brand new version of Kibana and Elastic (7.5.1), added

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

In the elasticsearch.yml and

elasticsearch.username: "elastic"
elasticsearch.password: "my_pw"

In the kibana.yml.
Launched ES and Kibana, created a testing_space and get the kibana_sample_data_ecommerce data and visualizations/dashboards in it.

Then create a test_role role as follows:

image
image916×863 38.5 KB

And when I try the GET _security/role/test_role call from Dev Tools it returns:

{
  "test_role" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "kibana*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_all"
        ],
        "resources" : [
          "space:testing_space"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Finally I created a test_user user and assigned it that role.
It works perfectly and when I log in with that user I can only see the testing_space space.

You sure you are not logged in with the superuser in another browser tab?

Cause if you open a tab and log in with the test_user and then open another tab and log in with the admin user, then going back to the previous tab a clicking on the spaces in the top left corner, it shows you the whole list, as if you were logged with the admin (which you are, in fact, but in another tab). In that case try refreshing the page and see if the user you're logged in with changes.

7

Really strange... The goods news for me is it must work on this version on Basic licence. I'm installing a fresh cluster. Maybe I made too much tests on my previous! :sweat_smile:

I use Firefox and I execute a private windows to make my test to be sure to not have a current session. I also tried with another web browser I never used. Same result.

Thanks for your time, I will try on a fresh install and let you know.

Yannaël

8

Hello,
On a fresh installation, it's working fine. I don't yet what is wrong on the previous install. Thanks,
Yannaël

9

For your knowledge, I found the problem in my first installation. Anonymous access was enabled. When I removed it, the privileges worked fine. My anonymous account get the role "kibana_dashboard_only_user". It should mean that everyone get the role of the anonymous account ?!
Yannael

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.