Kibana - hide space to user

Yannael · January 23, 2020, 11:15am

Hello,
I'm testing ELK stack in version 7.5.1, Basic licence. I would like to hide spaces to user who do not need access. I found document here and also some topics about that. But I'm not able to get what I want!
I have one space named "network". I create one role which has only access to the previous space, "dashboard" part. I create a user with the role juste created.
When I connect with the user, I can see all spaces and have access to all menu.
I don't know where I'm wrong. I'm wondering of this feature is included in Basci licence.

Any idea?

Many thanks for your help.
Yannael

Fabio-sama · January 23, 2020, 11:36am

Can you make couple of snapshots of what you're doing in the creating role and creating user parts?

Yannael · January 23, 2020, 12:30pm

I tried to create as simple as possible to test access to space. So, I just create a namespace keeping default configuration. Then, I create a role like this:

I create a user "test" with the role just created:
user-role

Then, I connect to Kibana with this user and I can see all availables spaces:

Am I missing something?
Thanks,
Yannaël

Fabio-sama · January 23, 2020, 1:36pm

You didn't send screenshot of how you configured that test role.
Can you paste here the result of the Dev Tools call
GET _security/role/test ?

In order not to make any confusion, I suggest you first create a test_role role (Management>Security>Roles>Create role) giving it a name (test_role) access to the indices needed to see what's in the network space and, most importantly, a specific space privilege in this section.

Then you create a user (Management>Security>Users>Create user) named test_user and assign to it the role test_role just created.

Did you follow these steps?

Yannael · January 23, 2020, 2:00pm

Please, find below the result of the command:

{
  "test" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "*fw*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.all",
          "feature_visualize.all",
          "feature_dashboard.all",
          "feature_dev_tools.all",
          "feature_advancedSettings.all",
          "feature_indexPatterns.all",
          "feature_savedObjectsManagement.all",
          "feature_graph.all",
          "feature_apm.all",
          "feature_maps.all",
          "feature_canvas.all",
          "feature_infrastructure.all",
          "feature_logs.all",
          "feature_siem.all",
          "feature_uptime.all"
        ],
        "resources" : [
          "space:network"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

I already did what you suggest. But in doubt, I did it again.
Role creation:

User creation:
2-create-user

Same result, this new user can see every spaces.
Yannaël

Fabio-sama · January 23, 2020, 3:02pm

It is pretty akward to be honest. I've downloaded a brand new version of Kibana and Elastic (7.5.1), added

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

In the elasticsearch.yml and

elasticsearch.username: "elastic"
elasticsearch.password: "my_pw"

In the kibana.yml.
Launched ES and Kibana, created a testing_space and get the kibana_sample_data_ecommerce data and visualizations/dashboards in it.

Then create a test_role role as follows:

And when I try the GET _security/role/test_role call from Dev Tools it returns:

{
  "test_role" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "kibana*"
        ],
        "privileges" : [
          "all"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_all"
        ],
        "resources" : [
          "space:testing_space"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Finally I created a test_user user and assigned it that role.
It works perfectly and when I log in with that user I can only see the testing_space space.

You sure you are not logged in with the superuser in another browser tab?

Cause if you open a tab and log in with the test_user and then open another tab and log in with the admin user, then going back to the previous tab a clicking on the spaces in the top left corner, it shows you the whole list, as if you were logged with the admin (which you are, in fact, but in another tab). In that case try refreshing the page and see if the user you're logged in with changes.

Yannael · January 23, 2020, 3:32pm

Really strange... The goods news for me is it must work on this version on Basic licence. I'm installing a fresh cluster. Maybe I made too much tests on my previous!

I use Firefox and I execute a private windows to make my test to be sure to not have a current session. I also tried with another web browser I never used. Same result.

Thanks for your time, I will try on a fresh install and let you know.

Yannaël

Yannael · January 24, 2020, 9:39am

Hello,
On a fresh installation, it's working fine. I don't yet what is wrong on the previous install. Thanks,
Yannaël

Yannael · January 24, 2020, 9:51am

For your knowledge, I found the problem in my first installation. Anonymous access was enabled. When I removed it, the privileges worked fine. My anonymous account get the role "kibana_dashboard_only_user". It should mean that everyone get the role of the anonymous account ?!
Yannael

system · February 21, 2020, 9:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.