Kibana + Shield: Query terms fails

PedroH · March 7, 2016, 4:24pm

Hi

We are trying to use Kibana with shield implementation and use then to allow/disallow user to Access to certain documents (document level security). We have a field named SYSTEM which is the key in order to adquire that permission. We are working in the following way:

user1:rol1 -> Access to anything
user2:rol2 -> Access to system1
user3:rol3 -> Access to system2
user4:rol4-> Access to system1 or system3

The last option has been implemented as "query": { "terms": { "SYSTEM": ["system1", "system3"] } }
we have tested Shield by using the command lines (curl -XGET ....) and it works. but whenever we try to use it with Kibana we detect there is no indice accesible.

We are running Logstash and Shield 2.0.0 and Kibana 4.2.0.

Our roles.yml is the following one:

All cluster rights

All operations on all indices

admin:
cluster: all
indices:
'*':
privileges: all

monitoring cluster privileges

All operations on all indices

power_user:
cluster: monitor
indices:
'*':
privileges: all

Read-only operations on indices

user:
indices:
'*':
privileges: read

Defines the required permissions for transport clients

transport_client:
cluster:
- cluster:monitor/nodes/liveness
#uncomment the following for sniffing
#- cluster:monitor/state

The required permissions for kibana 4 users.

kibana4:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'*':
privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:admin/get
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update, indices:admin/create

The required permissions for the kibana 4 server

kibana4_server:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'.kibana':
privileges: indices:admin/create, indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

rol1:
indices:
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
'*':
privileges: all

rol2:
indices:
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
'*':
privileges: read, indices:admin/get
query: '{"term" : {"SYSTEM": "SYSTEM1"} }'

rol3:
indices:
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
'*':
privileges: read, indices:admin/get
query: '{"term": {"SYSTEM": "SYSTEM2" } }'

rol4:
indices:
'.kibana':
privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
'*':
privileges: read, indices:admin/get
query: ' {"terms": {"SYSTEM": ["SYSTEM1", "SYSTEM3" ] } }'

Could someone provice some help?? Really appreciate your advice.