Limit message visibility for Kibana users based on message fields

Hi everyone. I'm new to the Elastic stack, and I'm trying to find out the best approach for this problem:

I'm trying to set message (event) visibility per user in Kibana in order to display only a subset of messages within one index to a certain user.

In short, the setup that I'm testing looks like this:

  • I'm using the official docker containers for elasticsearch, logstash and kibana, with true in elasticsearch settings.
  • I have a logstash pipeline that gets messages from RabbitMQ (JSON), and outputs them to elasticsearch. All messages are sent to a single index.
  • I have a limited number of producers and consumers of messages.
  • The messages have producer and consumer fields.

I would like to achieve this:

  • create the same users / roles in Kibana, e.g. producer1, consumer2.
  • display to each user only those messages that are issued by them (for producers) or addressed to them (for consumers).

Generally speaking, I just want to limit message visibility to Kibana users based on specific message fields.

I believe I could filter messages in Logstash and output them to different indices, but that would mean having a separate index for each user, and I'm not sure that this is optimal.

I tried to see if I can achieve it using dashboards within spaces, but I'm not sure how. If a user has access to a certain index, then they are able to see all messages.

What would be the best way to solve this? I would appreciate any help.

Hi @beckfoot ,

I think you can try Document Level security for this purpose, just check if it is supported by your stack version.

Something like this:

POST _security/role/producer1_role
{
  "indices": [
    {
      "names": [ "events-*" ],
      "privileges": [ "read" ],
      "query": {
        "match": {
          "producer": "producer1"
        }
      }
    }
  ]
}

Regards, Dima

Thank you @Dzmitry, I have already tried to configure it like that since the original post, but unfortunately, as I'm using the free version of Elasticsearch, I get this error: "current license is non-compliant for [field and document level security]".
Are there any other options for me? Would solving it through the creation of many different indices be less resource-efficient?

Hi @beckfoot ,

If you don't have an option to upgrade the license, you are quite limited in options.
Having multiple indexes sounds like a forced complication, but it is an option.

Regards, Dima
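
The multiple-index fallback from the reply above, as an added example (not code from the thread or from Elastic). It assumes Logstash routes each event to an index named `events-<producer>-<consumer>`; that naming scheme and every helper name here are hypothetical. The script builds index-privilege role bodies and checks that no role's wildcard pattern reaches another party's index.

```python
import re
from fnmatch import fnmatchcase

# Assumed layout (not from the thread): Logstash writes each event to
# "events-<producer>-<consumer>", e.g. index => "events-%{producer}-%{consumer}".
PREFIX, SEP = "events", "-"
# Party names must not contain the separator or wildcard characters; otherwise
# the pattern for "a" ("events-a-*") would also match indices of producer "a-b".
SAFE_NAME = re.compile(r"[a-z0-9_]+\Z")  # '_' is allowed, '-' is not

def check_name(name):
    """Reject names that would make index patterns ambiguous."""
    if not SAFE_NAME.match(name):
        raise ValueError(f"unsafe party name for index routing: {name!r}")
    return name

def index_name(producer, consumer):
    return SEP.join([PREFIX, check_name(producer), check_name(consumer)])

def role_body(name, kind):
    """Request body for POST _security/role/<name>_role (index privileges only)."""
    check_name(name)
    if kind == "producer":
        pattern = f"{PREFIX}{SEP}{name}{SEP}*"
    elif kind == "consumer":
        pattern = f"{PREFIX}{SEP}*{SEP}{name}"
    else:
        raise ValueError(f"unknown kind: {kind!r}")
    return {"indices": [{"names": [pattern], "privileges": ["read"]}]}

def visible(role, index):
    """Approximate index wildcard matching; valid for patterns using only '*'."""
    return any(fnmatchcase(index, p) for e in role["indices"] for p in e["names"])

def leaks(producers, consumers):
    """Return (role owner, index) pairs where a role can read another party's index."""
    found = []
    roles = [(p, "producer") for p in producers] + [(c, "consumer") for c in consumers]
    for name, kind in roles:
        role = role_body(name, kind)
        for p in producers:
            for c in consumers:
                owner = p if kind == "producer" else c
                if owner != name and visible(role, index_name(p, c)):
                    found.append((name, index_name(p, c)))
    return found
```

Every producer/consumer pair becomes its own index, so the index count grows with the product of the two lists.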
