I'm trying to achieve a generic read-only role in Kibana (7.9.0), and since the kibana_user role is deprecated (and not really replaced with a new one), one would assume that it should be pretty simple.
However, I'm bumping into some issues. I'm getting errors like this in the UI:
[security_exception] action [indices:data/read/search] is unauthorized for user [niklas.kurvinen]
This happens on all SIEM pages. The weird thing is that this error isn't present in either the Kibana logs (verbose logging) or the Elasticsearch logs. And that line is all I get in the UI.
This is my role:
{
  "read_only" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "filebeat-*",
          "metricbeat-*",
          "auditbeat-*",
          "packetbeat-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_discover.read",
          "feature_visualize.read",
          "feature_dashboard.read",
          "feature_canvas.read",
          "feature_maps.read",
          "feature_infrastructure.read",
          "feature_logs.read",
          "feature_apm.read",
          "feature_uptime.read",
          "feature_siem.read"
        ],
        "resources" : [
          "space:default"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}
And here's my user:
{
  "niklas.kurvinen" : {
    "username" : "niklas.kurvinen",
    "roles" : [
      "read_only"
    ],
    "full_name" : "Niklas Kurvinen",
    "email" : "my@email",
    "metadata" : {
      "type" : "kibana_user"
    },
    "enabled" : true
  }
}
I've tried adding read permissions for other indices (system indices, that is), but the only thing I've found that actually resolves it is the superuser role - which obviously isn't a good solution in this situation.
If anyone could help me out here, it would be really appreciated.