Multi-tenancy problem with Kibana


(Riccardopierpaoli) #1

Hello! This is my issue:
I am trying to set up a multi-tenancy system in my Kibana, described as follows:

AS IS ENV

Index: twitter_index, .kibana

Dashboards: 1,2,3,4 (stored in .kibana)

TO BE ENV (I would like 2 different Kibana users who will create different dashboards for future dashboard-only users)

Index: twitter_index, .kibana, .kibana-2, .kibana-3

Custom roles definitions:

kibana_user_role_2 (Q: stored in .security-6?)

kibana_user_role_3 (Q: stored in .security-6?)

User definitions:

U: marco R: kibana_user_role_2

U: roberto R: kibana_user_role_3

Dashboards: 1,2 (stored in .kibana-2), 3,4 (stored in .kibana-3)

So here are the steps I followed:

  1. I created the .kibana-2 index with no mappings. Q: should I do it, or will Kibana create it automatically later?
  2. I logged in as elastic (superuser) and created kibana_user_role_2 in this way (it’s like a default kibana_user but with different index privileges):

This is the output from the security API:

    "kibana_user_role_2" : {
      "cluster" : [ ],
      "indices" : [
        {
          "names" : [
            ".kibana-2"
          ],
          "privileges" : [
            "manage",
            "read",
            "index",
            "delete"
          ],
          "field_security" : {
            "grant" : [ ]
          }
        }
      ],
      "run_as" : [ ],
      "metadata" : { },
      "transient_metadata" : {
        "enabled" : true
      }
    }

What I expect now is that the marco user will be able to create and store dashboards inside the .kibana-2 index, but when I log in I get the following message when opening the Discover tab:

Config: Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user [marco]: [security_exception] action [indices:data/write/update] is unauthorized for user [marco]

What am I missing?

Thanks!!


(CJ Cenizal) #2

Hi there, could you please clarify what you'd like to achieve, just to help me understand better?

It sounds like you want to have three tenants: two tenants will create dashboards, and one tenant will only read them. Is this correct?

Thanks,
CJ


(Riccardopierpaoli) #3

Hi! First of all thank you for the quick response :grinning:

My goal is to create dedicated dashboards for specific users. I'll give you an example: I have 3 users for my Kibana: superuser, user A and user B. I need to create 2 different dashboards (dashboard A and dashboard B) as superuser (but it is not a necessary condition for superuser to create them), where the first one is visible only to user A and the second only to user B. So if user A logs in to Kibana, he will see only dashboard A (ditto for user B and dashboard B).

From what I have understood, I need to create dedicated .kibana indices for every user, like .kibana_user_A and .kibana_user_B, and load the dedicated dashboards there (load dashboard A into .kibana_user_A and dashboard B into .kibana_user_B), but I don't know how to load the specific .kibana index for the specific user when I log in.
I know that there exists a plug-in that does this, but I'd like to know if there exists a solution without a proxy server and possibly for free :wink:
Thank you!


(Robert Cowart) #4

You will need multiple instances of Kibana to achieve this. Each instance will use one of those .kibana indices.
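
Added example, not part of the thread and not Elastic's code: a small audit over role definitions shaped like the security API output in the first post, reporting which Kibana indices each user can reach. The role `kibana_wide_role`, the user `anna`, the user-to-index mapping, and the premise that a single shared instance stores its objects in `.kibana` are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data, shaped like the security API output in the thread.
# "kibana_wide_role" and user "anna" are hypothetical, added to show a leak.
ROLES = {
    "kibana_user_role_2": {"indices": [
        {"names": [".kibana-2"], "privileges": ["manage", "read", "index", "delete"]}]},
    "kibana_user_role_3": {"indices": [
        {"names": [".kibana-3"], "privileges": ["manage", "read", "index", "delete"]}]},
    "kibana_wide_role": {"indices": [
        {"names": [".kibana*"], "privileges": ["read"]}]},
}
USERS = {"marco": ["kibana_user_role_2"], "roberto": ["kibana_user_role_3"],
         "anna": ["kibana_wide_role"]}
# Which saved-objects index each tenant's Kibana instance is meant to use.
TENANT_INDEX = {"marco": ".kibana-2", "roberto": ".kibana-3", "anna": ".kibana-2"}


def privileges_on(user, index, users=USERS, roles=ROLES):
    """Union of index privileges the user's roles grant on one index name."""
    granted = set()
    for role_name in users.get(user, []):
        for entry in roles.get(role_name, {}).get("indices", []):
            # Assumption: only '*' wildcards are used in "names"; fnmatchcase
            # approximates that and does not handle regex-style patterns.
            if any(fnmatchcase(index, pat) for pat in entry["names"]):
                granted.update(entry["privileges"])
    return granted


def audit(tenant_index=TENANT_INDEX, users=USERS, roles=ROLES):
    """Return (user, index, privileges) for every grant outside the user's own index."""
    all_indices = sorted(set(tenant_index.values()) | {".kibana"})
    findings = []
    for user, own in tenant_index.items():
        for index in all_indices:
            privs = privileges_on(user, index, users, roles)
            if index != own and privs:
                findings.append((user, index, sorted(privs)))
    return findings


if __name__ == "__main__":
    # marco's role grants nothing on .kibana, the index a single shared
    # instance is assumed to write to, consistent with the 403 in the first post.
    print("marco on .kibana:  ", sorted(privileges_on("marco", ".kibana")))
    print("marco on .kibana-2:", sorted(privileges_on("marco", ".kibana-2")))
    for finding in audit():
        print("cross-tenant grant:", finding)
```

An empty result from `audit()` means no role pattern reaches into another tenant's index; a wildcard such as `.kibana*` shows up as one finding per foreign index.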

