Kibana User Roles, kibana_dashboard_only and Limit Spaces?

How can I limit a user's permissions to kibana_dashboard_only and also restrict the user to read only within a single space?

If I assign a user to two roles, one is the kibana_dashboard_only and the second custom role limits the user to read from only one space, the permissions don't combine correctly. So the user is able to see dashboard only but still see all spaces.

The reserved/built-in dashboard_only_mode role gives the user dashboard only mode for all Spaces. You can create a custom role which grants read-only access to a single space, and then configure the xpack dashboard only mode roles advanced setting for that space to list your newly created role.

Awesome, a few follow up questions as documentation is a little thin in this area:

  1. What would the json syntax for this role definition look like?

  2. If I use the Roles API to get the role info for the 'kibana_dashboard_only_user' and then copy that info to create a new Role (e.g. 'test_dashboard_only_user') I don't get the same behavior. I.e. the test_dashboard_user role will allow full access to all Kibana features (see example below). This doesn't seem like the intended behavior?

GET /_xpack/security/role/kibana_dashboard_only_user
{
  "kibana_dashboard_only_user" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          ".kibana*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ]
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "read"
        ],
        "resources" : [
          "*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : {
      "_reserved" : true
    },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}


POST /_xpack/security/role/test_dashboard_only_user
{
  "cluster" : [ ],
  "indices" : [
    {
      "names" : [
        ".kibana*"
      ],
      "privileges" : [
        "read",
        "view_index_metadata"
      ]
    }
  ],
  "applications" : [
    {
      "application" : "kibana-.kibana",
      "privileges" : [
        "read"
      ],
      "resources" : [
        "*"
      ]
    }
  ],
  "run_as" : [ ]
}


{
  "role" : {
    "created" : true
  }
}

  3. If I use the Roles user interface to limit a user to a single Space there does not appear to be any documentation on how to modify the Role to then also restrict the permissions to dashboard only? I tried to set "Run As privileges" to 'kibana_dashboard_only_user' but that action was not allowed.

Thanks in advance!

The kibana_dashboard_only_user from the permissions perspective gives the user read-only access to all of Kibana. To have Kibana hide all of the other applications besides the Dashboards app, the Kibana advanced setting: xpackDashboardMode:roles should be configured to list this role so that all other applications are hidden.

To create a new custom role which grants read-only access to a single space, you can use a cURL request similar to the following against the Kibana Role API:

curl -H "kbn-xsrf:true" -H "content-type:application/json" -u elastic:changeme -X PUT http://localhost:5601/api/security/role/engineering_dashboard_only_mode -d '
{
  "kibana": {
    "space": {
      "engineering": ["read"]
    }
  }
}
'

Then, to configure dashboard only mode to be enabled for this role, you'll want to log into Kibana, select the Space which you've just granted access to, and go to Management -> Advanced Settings. On the advanced settings page, you'll want to change the xpackDashboardMode:roles setting to list your newly created role.
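The two-role combination from the original question leaves every space visible because role privileges are additive: the reserved role's `"*"` resource is never narrowed by a second role. As an added example (not from the thread or from Elastic), this Python sketch unions the grants of the two role shapes shown above and checks whether a role set is confined to one space; the helper names are hypothetical and the role data is constructed from the JSON in this thread.

```python
# Constructed sample data, reduced from the two role shapes posted in this thread.
ROLES = {
    # Elasticsearch Roles API shape (the GET output above): resource "*" = every space
    "kibana_dashboard_only_user": {
        "applications": [
            {"application": "kibana-.kibana", "privileges": ["read"], "resources": ["*"]}
        ]
    },
    # Kibana Role API shape (the PUT body above): one named space
    "engineering_dashboard_only_mode": {
        "kibana": {"space": {"engineering": ["read"]}}
    },
}


def role_space_grants(role):
    """Return {resource_or_space: set(privileges)} for one role definition."""
    grants = {}
    for app in role.get("applications", []):
        if not app.get("application", "").startswith("kibana-"):
            continue  # not a Kibana application privilege
        for resource in app.get("resources", []):
            # Resources are kept as written; only "*" appears on this page.
            grants.setdefault(resource, set()).update(app.get("privileges", []))
    for space, privs in role.get("kibana", {}).get("space", {}).items():
        grants.setdefault(space, set()).update(privs)
    return grants


def effective_access(assigned, roles=ROLES):
    """Union the grants of every assigned role; a role can only add access."""
    merged = {}
    for name in assigned:
        for space, privs in role_space_grants(roles[name]).items():
            merged.setdefault(space, set()).update(privs)
    return merged


def is_confined_to(assigned, space, roles=ROLES):
    """True only if the assigned roles grant access to `space` and nothing else."""
    return set(effective_access(assigned, roles)) == {space}


if __name__ == "__main__":
    custom = ["engineering_dashboard_only_mode"]
    both = ["kibana_dashboard_only_user"] + custom
    for combo in (custom, both):
        print(combo, effective_access(combo), is_confined_to(combo, "engineering"))
```

Running the same check over the roles actually assigned to each dashboard-only user shows which accounts still carry a wildcard grant alongside their space-scoped role.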

Excellent! This is exactly what I wanted to do, and wouldn't have been able to figure this out without your help. I appreciate the quick response
