No .kibana privilege on Kibana UI?


(Yu Watanabe) #1

Environment
Kibana 5.1.2
x-pack 5.1.2

A newly created role requires .kibana index access when a search is done through the Kibana UI; otherwise the error below occurs in the audit log.

[2017-01-16T15:47:26,692] [transport] [access_denied]   origin_type=[rest], origin_address=[10.1.0.15], principal=[someuser], action=[indices:data/read/get], indices=[.kibana], request=[GetRequest]
[2017-01-16T15:47:29,014] [transport] [access_denied]   origin_type=[rest], origin_address=[10.1.0.15], principal=[someuser], action=[indices:data/read/search], indices=[.kibana], request=[SearchRequest]

However, there seems to be no choice for .kibana in the Indices Privileges.

Should I add the .kibana privilege through the Role Management API every time I create a role?


(Tim Vernum) #2

The recommended approach for enabling Kibana access is to grant the user the kibana_user role.

Is there a reason that you want to incorporate those permissions into each of your own roles (such as GeneralUser) instead of just including kibana_user in the user's role list?

It's technically possible to do what you want (via the API) but it's not the intended approach.


(Yu Watanabe) #3

@TimV

Thank you for the reply. Yes, I followed your link and I was able to search the index with a newly created user with the kibana_user role.

However, I have a requirement where multiple roles per company department are required, and I need to assign each employee to a role, which will end up with different index privileges among the roles.

Thus, to achieve this, instead of setting the index privilege of .kibana on GeneralUser, I have just tried assigning kibana_user as a Run As privilege, but I get a search denied error in the audit log. As a result, nothing was returned in discovery.

[2017-01-17T16:11:14,054] [transport] [access_denied] origin_type=[rest], origin_address=[10.1.0.15], principal=[someuser], action=[indices:data/read/search], indices=[.kibana], request=[SearchRequest]

My role definition is below.

Per your explanation, I guess I will need to use the API and forcibly add the .kibana index to each role.


(Yu Watanabe) #4

Found a much better way. All I needed to do was just add .kibana and the other role to the user.
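
An added example, not part of the original thread: a small parser for the audit log layout quoted in the posts that lists which principals were denied on .kibana, the symptom Tim Vernum's reply addresses by granting the kibana_user role. The last two sample lines, the function names, and the comma-separated form of a multi-index `indices` field are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
[2017-01-16T15:47:26,692] [transport] [access_denied]   origin_type=[rest], origin_address=[10.1.0.15], principal=[someuser], action=[indices:data/read/get], indices=[.kibana], request=[GetRequest]
[2017-01-16T15:47:29,014] [transport] [access_denied]   origin_type=[rest], origin_address=[10.1.0.15], principal=[someuser], action=[indices:data/read/search], indices=[.kibana], request=[SearchRequest]
[2017-01-16T15:48:02,120] [transport] [access_granted]  origin_type=[rest], origin_address=[10.1.0.15], principal=[otheruser], action=[indices:data/read/search], indices=[.kibana], request=[SearchRequest]
[2017-01-16T15:49:10,377] [transport] [access_denied]   origin_type=[rest], origin_address=[10.1.0.22], principal=[analyst], action=[indices:data/read/search], indices=[sales-2017,.kibana], request=[SearchRequest]
"""

# "[timestamp] [layer] [event_type]   key=[value], key=[value], ..."
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\[(?P<layer>\w+)\]\s+\[(?P<event>\w+)\]\s+(?P<rest>.*)$"
)
FIELD = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": m["ts"], "layer": m["layer"], "event": m["event"]}
    rec.update(FIELD.findall(m["rest"]))
    # Assumption: several indices in one request appear comma-separated.
    rec["indices"] = [i.strip() for i in rec.get("indices", "").split(",") if i.strip()]
    return rec


def kibana_denials(log_text, index=".kibana"):
    """Map each principal to the sorted actions it was denied on `index`."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "access_denied" and index in rec["indices"]:
            denied[rec.get("principal", "?")].add(rec.get("action", "?"))
    return {user: sorted(actions) for user, actions in denied.items()}


if __name__ == "__main__":
    for user, actions in kibana_denials(SAMPLE_LOG).items():
        print(f"{user}: denied on .kibana for {', '.join(actions)}")
```
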

