Need more clarity on user access in X-pack?


(Vikas Gopal) #1

Hi Experts,

I installed X-pack and i loved it . I still have some concerns regarding user access and please let me know if the following can be achieved with X-pack access management . So my requirement is

  1. User can only open abc dashboard not any other dashboard (or other dashboards should not visible to him ).This user will only have read permission not write or delete permission.
  2. User can change password.
  3. All other X-pack features like Console, Visualize, management (connect data,users,roles,Index pattern,advance settings ) shuld not be visible as i want to provide a very basic read permission to the user to a dashboard.I do not want user to make any changes to the dashboards etc.

So in short when user logsin he can only see dashboard ,he can only share , print , export this dashboard, can change password.Rest other stuff should be disabled or not visible to this user

Please suggest with which role or privilege i can achieve the above in X-pack.

Thanks
Vikas


How can users be allowed change their own passwords only, not everyone's?
(Vikas Gopal) #2

@jaymode please help me on this , I got response from you on X-pack last time, so thought to bother you again.


(Bohyun Kim) #3

Hi Vikas,

Thanks for installing X-Pack and providing feedback.

  1. User can only open abc dashboard not any other dashboard (or other dashboards should not visible to him ).This user will only have read permission not write or delete permission.

Currently the dashboard level security is not possible but we are tracking the issue here. The workaround would be to create multiple Kibana instances with different set of dashboards.

  1. User can change password.

As of 5.0 Alpha-5, it is possible for users to change their own passwords. It is as simple as clicking on their user icon that appears on the bottom left pane.

  1. All other X-pack features like Console, Visualize, management (connect data,users,roles,Index pattern,advance settings ) shuld not be visible as i want to provide a very basic read permission to the user to a dashboard.I do not want user to make any changes to the dashboards etc.

I'd like to clarify that Visualize and management are not X-Pack features as they are core Kibana features. It would be possible to hide X-Pack tabs such as Console, Monitoring, Graph by using the following in your 'kibana.yml'

xpack.plugin_name.enabled: false

More detailed documentation is here. And we are currently tracking the progress for having the ability to hide core Kibana tabs here.

Hope this helps,
Bohyun


(Vikas Gopal) #4

Thank You Kim for this elaborative answer
My further observations

  1. xpack.plugin_name.enabled: false did not work for me , so I checked the documents and implemented following . If I want to disable monitoring plugin I have to mention xpack.monitoring.enabled: false in both ES.yml and Kibana.yml. After doing this monitor tab is gone in kibana .

Well I guess exactly the same I can do for other plugins like graph , console etc

Now my concern is since I have disabled this feature entirely , now what if admin user wants to do some activity on monitoring plugin. So again this feature needs to be enabled on both ES and Kibana and this needs restart which is not recommended in prod.
What I believe the best practice is to provide user based access to the plugins like admin can see all kibana , x-pack plugins but normal users can only see few of them like reporting, dashboard, discover.
Are we considering this approach in future ?

Regards
Vikas


(Mark Walkom) #5

You need to replace that part with the actual plugin name, eg monitoring.


(Bohyun Kim) #6

Hi Vikas

In order to hide a tab (e.g. Monitoring tab) successfully, you need to make sure that both Elasticsearch and Kibana instances to be restarted.

I observed the same behavior when I took the following steps only:

  1. stop the Kibana instance
  2. modify kibana.yml
  3. restart kibana instance

Instead, you need to take the following steps to achieve what you want, which is not disabling the feature entirely and just hiding the monitoring tab from the UI.

  1. stop both kibana and Elasticsearch instances
  2. modify kibana.yml
  3. restart Elasticsearch instance then Kibana instance.

Let me know if this works for you.

What I believe the best practice is to provide user based access to the plugins like admin can see all kibana , x-pack plugins but normal users can only see few of them like reporting, dashboard, discover.
Are we considering this approach in future ?

As described in my earlier comment, we are tracking the issue to hide the core Kibana tabs here.

Hope this helps,
Bohyun


(system) #7