Kibana User Profile Creation


(Nuwan Vithanage) #1

Hi team,

I'm trying to create following user profile in kibana and I did following steps to accomplish my requirement but unfortunately I was unable to do it .

User profile requirement:

we need accounts:

  • equio : can access dashboard, visualization, but cannot access elasticsearch (in any way except visualization) and cannot access console...
  • admin : can access everything, including user management
  • developer : can access everything but not user management

I have done following steps to create above mentioned users profile.

Install Full-Text search engine "Elasticsearch" On 915468-ElasticDemo.newfrontierdata.com

(1) Installed Install OpenJDK 8.On 915468-ElasticDemo.newfrontierdata.com

yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel

cat > /etc/profile.d/java8.sh <<EOF

export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))

export PATH=$PATH:$JAVA_HOME/bin

export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar

EOF

(2)Installed Elasticsearch On 915468-ElasticDemo.newfrontierdata.com

vi /etc/yum.repos.d/elasticsearch.repo

added following content on repo

[elasticsearch-6.x]

name=Elasticsearch repository for 6.x packages

baseurl=https://artifacts.elastic.co/packages/6.x/yum

gpgcheck=1

gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch

enabled=1

autorefresh=1

type=rpm-md

yum -y install elasticsearch

systemctl start elasticsearch

systemctl enable elasticsearch

configured elasticsearch.yml as follow.and configured jvm.options too

[root@915468-ElasticDemo ~]# cat /etc/elasticsearch/elasticsearch.yml

cluster.name: Elastic-DemO

node.name: ${HOSTNAME}

network.host: 172.24.36.204

path.data: /var/lib/elasticsearch

path.logs: /var/log/elasticsearch

xpack.security.enabled: true

xpack.license.self_generated.type: trial

bootstrap.system_call_filter: false

(3)Installed Kibana On 915468-ElasticDemo.newfrontierdata.com

[root@915468-ElasticDemo kibana]# cat kibana.yml

server.host: "172.24.36.204"

server.name: "915452-IngestionDemo.newfrontierdata.com"

elasticsearch.url: "http://172.24.36.204:9200"

xpack.security.enabled: true

elasticsearch.username: "kibana"

elasticsearch.password: "XXXX"

systemctl restart elasticsearch kibana

(4) Set bootstrap.password

/usr/share/elasticsearch/bin/elasticsearch-keystore add "bootstrap.password"

(5) Setup following users.

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Enter password for [elastic]:

Enter password for [kibana]:

Enter password for [logstash_system]:

Enter password for [beats_system]:

(6) How to Set it Up

Under Management > Security > Users, edit or create a new user and assign them the kibana_dashboard_only_user role, along with roles that grant the user appropriate data access.

(7) Setup Above Mentioned User Profile like follow

Setup following users in Elastic-demo and setup user roles as follow . Currently working on Elatic Production cluster, IngestionDemo

equio : can access dashboard, visualization, but cannot access elasticsearch (in any way except visualization) and cannot access console...

Defining Roles:kibana_user

admin : can access everything, including user management

Defining Roles:superuser

developer : can access everything but not user management

Defining Roles:ingest_admin,kibana_system

After that I enroll Platinum licence now instance has platinum licence activated but I can login to Kibana without prompt user name and password after I enroll platinum licence.

Could you advice me how can I do this . If you need any other information Please feel free to contact me at any given time


(Brandon Kobel) #2

Hey @nuwan, thanks for the detailed description of what you've done so far to enable your use-case.

For your admin user which you'd like to be able to access everything, you'll likely want to assign them the Elasticsearch superuser role mentioned here. This will give them full access to your Elasticsearch cluster, and they'll be able to perform any action in Kibana or in Elasticsearch directly.

For your developer user, which you'd like to be able to access everything, excluding user management. Are you wishing to primarily grant them privileges to Kibana, or are you looking at granting them access to more features within your Elasticsearch cluster? There isn't a built-in role that does exactly what you're looking for, but you can create a new role in Elasticsearch using Kibana. You'll want to familiarize yourself with the various privileges which can be granted which are described in quite depth here to see which ones you wish to be assigning to this role.

For your equio user which can access only Dashboard and Visualizations, but can't access Elasticsearch and can't access console, we're actively working on adding this level of granularity to Kibana access control, but it isn't possible quiet yet. The closest that you can get right now is creating a role which has access to all of Kibana, and read-only access to the Elasticsearch data indices which they should be able to access.


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.