Multi-tenancy problem with Kibana

riccardopierpaoli · June 7, 2018, 3:17pm

Hello! This is my issue:
I try to setup a multi-tenancy system in my Kibana, describe as follow:

AS IS ENV

Index: twitter_index, .kibana

Dashboards: 1,2,3,4 (stored in .kibana)

TO BE ENV (I would like 2 different kibana users that will create different dashboards for future dashboards only users)

Index: twitter_index, .kibana, .kibana-2, .kibana-3

Custom roles definitions:

kibana_user_role_2 (Q: stored in .security-6?)

kibana_user_role_3 (Q: stored in .security-6?)

User definitions:

U: marco R: kibana_user_role_2

U: roberto R: kibana_user_role_3

Dashboards: 1,2 (stored in .kibana-2), 3,4 (stored in .kibana-3)

So here are the steps I followed:

I created .kiban-a2 index with no mappings. Q: should I do it or kibana will create it automatically later?
I logged as elastic (superuser) and created kibana_user_role_2 in this way (it’s like a default kibana_user but with different index privileges):

This is the output from security API:

"kibana_user_role_2" : {

"cluster" : [ ],

"indices" : [

  {

    "names" : [

      ".kibana-2"

    ],

    "privileges" : [

      "manage",

      "read",

      "index",

      "delete"

    ],

    "field_security" : {

      "grant" : [ ]

    }

  }

],

"run_as" : [ ],

"metadata" : { },

"transient_metadata" : {

  "enabled" : true

}

}

What I expect now is that marco user will be able to create and store dashboards inside .kibana-2 index, but when I login I get the following message when opening Discover tab:

Config: Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user [marco]: [security_exception] action [indices:data/write/update] is unauthorized for user [marco]

What am I missing?

Thanks!!

cjcenizal · June 7, 2018, 9:04pm

Hi there, could you please clarify what you'd like to achieve, just to help me understand better?

It sounds like you want to have three tenants: two tenants will create dashboards, and one tenant will only read them. Is this correct?

Thanks,
CJ

riccardopierpaoli · June 8, 2018, 7:20am

Hi! First of all thank you for the quick response

My goal is to create dedicated dashboards for specific users. I give you an example; I have 3 users for my kibana: superuser , user A and user B. I need to create 2 different dashboards(dashboard A and dashboard B) as superuser(but it is not a necessary condition for superuser to create them) where the first one it's visible only from user A and the second only from user B. So if user A log in to Kibana, he will see only the the dashboard A (ditto for user B and dashboard B).

From what I have understood I need to create dedicated indices .kibana for every users, like .kibana_user_A and .kibana_user_ B, and load the dedicated dashboards t here( load dashboard A into .kibana_user_A and dashboard B in .kibana_user_B), but I don't know how to load the specific .kibana index for the specific user when I log in.
I know that exist a plug-in that do this but I'd like to know if exist a solution without proxy server and possibly for free
Thank You!

rcowart · June 8, 2018, 9:18am

You will need multiple instances of Kibana to achieve this. Each instance will use one of those .kibana indices.

system · July 6, 2018, 9:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Users, role and index Management Kibana	17	1532	September 24, 2019
Kibana dashboard only User Kibana	9	1988	September 20, 2019
Multi-tenancy for Kibana, once again Kibana	5	1938	August 3, 2017
Kibana multiple roles and visualize/dashboard list isolation Kibana	2	519	August 29, 2019
Creating kibana users Kibana	2	256	April 9, 2020

Multi-tenancy problem with Kibana

Related topics