Hi
We are trying to use Kibana with a Shield implementation and use it to allow/disallow users access to certain documents (document level security). We have a field named SYSTEM which is the key in order to acquire that permission. We are working in the following way:
user1:rol1 -> Access to anything
user2:rol2 -> Access to system1
user3:rol3 -> Access to system2
user4:rol4 -> Access to system1 or system3
The last option has been implemented as "query": { "terms": { "SYSTEM": ["system1", "system3"] } }
We have tested Shield by using the command line (curl -XGET ....) and it works, but whenever we try to use it with Kibana we find there is no index accessible.
We are running Logstash and Shield 2.0.0 and Kibana 4.2.0.
Our roles.yml is the following one:
# All cluster rights
# All operations on all indices
admin:
  cluster: all
  indices:
    '*':
      privileges: all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster: monitor
  indices:
    '*':
      privileges: all

# Read-only operations on indices
user:
  indices:
    '*':
      privileges: read

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - cluster:monitor/nodes/liveness
    #uncomment the following for sniffing
    #- cluster:monitor/state

# The required permissions for kibana 4 users.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '.kibana':
      privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

rol1:
  indices:
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    '*':
      privileges: all

rol2:
  indices:
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    '*':
      privileges: read, indices:admin/get
      query: '{"term" : {"SYSTEM": "SYSTEM1"} }'

rol3:
  indices:
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    '*':
      privileges: read, indices:admin/get
      query: '{"term": {"SYSTEM": "SYSTEM2" } }'

rol4:
  indices:
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
    '*':
      privileges: read, indices:admin/get
      query: ' {"terms": {"SYSTEM": ["SYSTEM1", "SYSTEM3" ] } }'
Could someone provide some help?? I really appreciate your advice.
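An added check, not part of the post above, for one thing worth confirming in those roles: every DLS `query` sits under the `'*'` pattern, which also matches the `.kibana` index that Kibana itself must read. The script uses a constructed Python copy of the rol2 and rol4 entries (the same shape applies to rol3), lists each query-restricted pattern that covers the Kibana index, and verifies that each query string is valid JSON; how Shield combines overlapping index groups for one index is version-specific and is assumed here to be worth checking against the 2.0 documentation rather than stated.

```python
import json
from fnmatch import fnmatch

# Constructed copy of the DLS-relevant parts of the posted roles.yml
# (privileges abbreviated; only the "query" entries matter for this check).
ROLES = {
    "rol2": {
        "indices": {
            ".kibana": {"privileges": "indices:data/read/search"},
            "*": {
                "privileges": "read, indices:admin/get",
                "query": '{"term" : {"SYSTEM": "SYSTEM1"} }',
            },
        }
    },
    "rol4": {
        "indices": {
            ".kibana": {"privileges": "indices:data/read/search"},
            "*": {
                "privileges": "read, indices:admin/get",
                "query": ' {"terms": {"SYSTEM": ["SYSTEM1", "SYSTEM3" ] } }',
            },
        }
    },
}

KIBANA_INDEX = ".kibana"  # Kibana 4 default; change if kibana_index is set


def dls_findings(roles, kibana_index=KIBANA_INDEX):
    """Return (role, pattern, message) tuples for every DLS query that is
    not valid JSON or whose index pattern also covers the Kibana index."""
    findings = []
    for role, body in roles.items():
        for pattern, group in body.get("indices", {}).items():
            query = group.get("query")
            if query is None:
                continue  # no document level restriction on this group
            try:
                parsed = json.loads(query)
            except ValueError as exc:
                findings.append((role, pattern, f"query is not valid JSON: {exc}"))
                continue
            # fnmatch treats '*' like Shield's index wildcard, leading dot included
            if fnmatch(kibana_index, pattern):
                findings.append((role, pattern,
                                 f"DLS query {json.dumps(parsed)} also applies to "
                                 f"{kibana_index}, whose saved objects carry no SYSTEM field"))
    return findings


if __name__ == "__main__":
    for role, pattern, msg in dls_findings(ROLES):
        print(f"{role} [{pattern}]: {msg}")
```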