Multi-tenancy problem with Kibana

Hello! This is my issue:
I am trying to set up a multi-tenancy system in my Kibana, described as follows:

AS IS ENV

Index: twitter_index, .kibana

Dashboards: 1,2,3,4 (stored in .kibana)

TO BE ENV (I would like 2 different kibana users that will create different dashboards for future dashboards only users)

Index: twitter_index, .kibana, .kibana-2, .kibana-3

Custom roles definitions:

kibana_user_role_2 (Q: stored in .security-6?)

kibana_user_role_3 (Q: stored in .security-6?)

User definitions:

U: marco R: kibana_user_role_2

U: roberto R: kibana_user_role_3

Dashboards: 1,2 (stored in .kibana-2), 3,4 (stored in .kibana-3)

So here are the steps I followed:

  1. I created the .kibana-2 index with no mappings. Q: should I do it, or will Kibana create it automatically later?
  2. I logged in as elastic (superuser) and created kibana_user_role_2 in this way (it’s like a default kibana_user but with different index privileges):

This is the output from security API:

```json
"kibana_user_role_2" : {
  "cluster" : [ ],
  "indices" : [
    {
      "names" : [
        ".kibana-2"
      ],
      "privileges" : [
        "manage",
        "read",
        "index",
        "delete"
      ],
      "field_security" : {
        "grant" : [ ]
      }
    }
  ],
  "run_as" : [ ],
  "metadata" : { },
  "transient_metadata" : {
    "enabled" : true
  }
}
```

What I expect now is that the marco user will be able to create and store dashboards inside the .kibana-2 index, but when I log in I get the following message when opening the Discover tab:

Config: Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user [marco]: [security_exception] action [indices:data/write/update] is unauthorized for user [marco]

What am I missing?

Thanks!!

Hi there, could you please clarify what you'd like to achieve, just to help me understand better?

It sounds like you want to have three tenants: two tenants will create dashboards, and one tenant will only read them. Is this correct?

Thanks,
CJ

Hi! First of all thank you for the quick response :grinning:

My goal is to create dedicated dashboards for specific users. I'll give you an example: I have 3 users for my Kibana: superuser, user A and user B. I need to create 2 different dashboards (dashboard A and dashboard B) as superuser (but it is not a necessary condition for superuser to create them), where the first one is visible only to user A and the second only to user B. So if user A logs in to Kibana, he will see only dashboard A (ditto for user B and dashboard B).

From what I have understood, I need to create dedicated .kibana indices for every user, like .kibana_user_A and .kibana_user_B, and load the dedicated dashboards there (load dashboard A into .kibana_user_A and dashboard B into .kibana_user_B), but I don't know how to load the specific .kibana index for the specific user when I log in.
I know that a plug-in exists that does this, but I'd like to know if a solution exists without a proxy server and possibly for free :wink:
Thank You!

You will need multiple instances of Kibana to achieve this. Each instance will use one of those .kibana indices.
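
A small offline check of the layout discussed in this thread, added here as an example (not code from any poster or from Elastic): it models how the role's index privileges apply to whichever index a Kibana instance is configured to use through `kibana.index`, and flags users who cannot write to their own index or can write to another tenant's. The privilege-to-action table is a simplified assumption, `kibana_user_role_3` and the instance names are constructed, and the shared-instance case assumes that instance still points at the default `.kibana` index.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption): four Elasticsearch index privileges mapped
# to the action-name patterns they cover.
PRIVILEGE_ACTIONS = {
    "read": ["indices:data/read/*"],
    "index": ["indices:data/write/index*", "indices:data/write/update*"],
    "delete": ["indices:data/write/delete*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
}
ALL = ["manage", "read", "index", "delete"]
# kibana_user_role_2 is the role from the thread; kibana_user_role_3 is a
# constructed twin for the second tenant.
ROLES = {
    "kibana_user_role_2": [{"names": [".kibana-2"], "privileges": ALL}],
    "kibana_user_role_3": [{"names": [".kibana-3"], "privileges": ALL}],
}
USERS = {"marco": ["kibana_user_role_2"], "roberto": ["kibana_user_role_3"]}
WRITE = "indices:data/write/update"  # the action named in the 403 message

def is_authorized(user, action, index):
    """True if any role of the user grants `action` on `index`."""
    for role in USERS.get(user, []):
        for grant in ROLES.get(role, []):
            if not any(fnmatchcase(index, p) for p in grant["names"]):
                continue
            patterns = [a for priv in grant["privileges"]
                        for a in PRIVILEGE_ACTIONS.get(priv, [])]
            if any(fnmatchcase(action, a) for a in patterns):
                return True
    return False

def audit(instances, assignments):
    """instances: instance name -> its kibana.index value;
    assignments: user -> instance that user logs in to.
    Returns findings; an empty list means the tenants are isolated."""
    findings = []
    for user, home in assignments.items():
        for name, index in instances.items():
            allowed = is_authorized(user, WRITE, index)
            if name == home and not allowed:
                findings.append(f"{user} cannot write to own index {index}")
            elif name != home and allowed:
                findings.append(f"{user} can write to foreign index {index}")
    return findings

if __name__ == "__main__":
    print(audit({"shared": ".kibana"}, {"marco": "shared"}))
    print(audit({"a": ".kibana-2", "b": ".kibana-3"}, {"marco": "a", "roberto": "b"}))
```

A role whose `names` entry is a wildcard such as `.kibana*` would show up here as a foreign-index finding, which is the case to watch for when roles are cloned per tenant.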
