How can I limit a user's permissions to kibana_dashboard_only and also restrict the user to read only within a single space?
If I assign a user to two roles, one is the kibana_dashboard_only and the second custom role limits the user to read from only one space, the permissions don't combine correctly. So the user is able to see dashboard only but still sees all spaces.
The reserved/built-in dashboard_only_mode role gives the user dashboard only mode for all Spaces. You can create a custom role which grants read-only access to a single space, and then configure the xpack dashboard only mode roles advanced setting for that space to list your newly created role.
Awesome, a few follow-up questions, as documentation is a little thin in this area:
What would the json syntax for this role definition look like?
If I use the Roles API to get the role info for the 'kibana_dashboard_only_user' and then copy that info to create a new Role (e.g. 'test_dashboard_only_user') I don't get the same behavior. I.e. the test_dashboard_user role will allow full access to all Kibana features (see example below). This doesn't seem like the intended behavior?
If I use the Roles user interface to limit a user to a single Space, there does not appear to be any documentation on how to modify the Role to then also restrict the permissions to dashboard only? I tried to set "Run As privileges" to 'kibana_dashboard_only_user' but that action was not allowed.
The kibana_dashboard_only_user from the permissions perspective gives the user read-only access to all of Kibana. To have Kibana hide all of the other applications besides the Dashboards app, the Kibana advanced setting: xpackDashboardMode:roles should be configured to list this role so that all other applications are hidden.
To create a new custom role which grants read-only access to a single space, you can use a cURL request similar to the following against the Kibana Role API
Then, to configure dashboard only mode to be enabled for this role, you'll want to log into Kibana, select the Space which you've just granted access to, and go to Management -> Advanced Settings. On the advanced settings page, you'll want to change the xpackDashboardMode:roles setting to list your newly created role.
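Added example, not part of the replies above and not Elastic's own code: a sketch of the single-space, read-only role request the thread describes, assuming the Kibana 7.x role API body layout (a `kibana` array of `base`/`spaces` entries; check the API reference for your version). `KIBANA_URL`, `KIBANA_USER`, the role name, the space id and the index pattern are placeholders, and the character-set check is an assumption chosen to keep interpolated values safe.

```shell
#!/usr/bin/env bash
# Added example: read-only role limited to ONE Kibana space (assumed 7.x body layout).
# KIBANA_URL, KIBANA_USER, role name, space id and index pattern are placeholders.
KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"

# Ids are interpolated into JSON and a URL, so accept only a conservative
# character set (this also rejects "*", which would mean every space).
valid_id() {
  case "$1" in
    ''|*[!a-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the role body: no cluster privileges, read on one index pattern,
# and the Kibana base privilege "read" in exactly one space.
build_role_body() {
  local space="$1" pattern="$2"
  valid_id "$space" || { echo "invalid space id: $space" >&2; return 1; }
  case "$pattern" in *[\"\\]*) echo "invalid index pattern" >&2; return 1 ;; esac
  cat <<EOF
{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      { "names": ["$pattern"], "privileges": ["read", "view_index_metadata"] }
    ]
  },
  "kibana": [
    { "base": ["read"], "spaces": ["$space"] }
  ]
}
EOF
}

# PUT the role; curl prompts for the password so it never lands in shell history.
create_role() {
  local role="$1" space="$2" pattern="$3" body
  valid_id "$role" || { echo "invalid role name: $role" >&2; return 1; }
  body="$(build_role_body "$space" "$pattern")" || return 1
  curl -sS -f -u "$KIBANA_USER" -X PUT \
    -H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
    "$KIBANA_URL/api/security/role/$role" -d "$body"
}

# Only talk to Kibana when explicitly asked: script.sh --apply ROLE SPACE PATTERN
if [ "${1:-}" = "--apply" ]; then
  create_role "$2" "$3" "$4"
fi
```

The role created this way is the one to list in xpackDashboardMode:roles inside that space; assigning it together with the built-in dashboard-only role would bring back the all-spaces behaviour described in the question.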