I have encountered an issue with certain pre-built dashboards in our system. These dashboards are failing to load for any users except the superuser. I have verified that all the required permissions are correctly assigned to the affected users, but the problem persists.
One surprising aspect of this issue is that it appears certain dashboards require index pattern update permissions. This raises concerns about violating the principle of least privilege since index pattern updates are typically not necessary for regular users.
Please refer to the attached screenshot for a visual representation of the error. The affected users see an empty or partially loaded dashboard instead of the expected content.
I kindly request any insights or suggestions on how to resolve this problem. Your assistance in resolving this issue would be greatly appreciated.
Steps to reproduce:
Create a new user and assign them all necessary permissions, except for index management where the space permission should be set as "read-only".
Log in to Kibana using the newly created user credentials.
Navigate to the pre-built dashboards, such as "ML HTTP Access: Explorer (ECS)" or "[Metricbeat System] Host overview ECS".
Observe that several visualizations within these dashboards display an error, indicating an issue with loading or rendering the data.
The expected behavior is that pre-built dashboards should not require index pattern update permissions to be viewed. This expectation aligns with the principle of least privilege, where regular users should have the necessary permissions to access and view the pre-built dashboards without the need for elevated privileges related to index pattern updates. By removing the dependency on index pattern update permissions, regular users can experience a streamlined and secure access to the dashboards, ensuring that their access privileges are limited to what is strictly necessary for viewing the content.
Thank you, @Stratoula_Kalafateli. I'm currently using ELK version 7.9.2, which I understand is a somewhat older version. Unfortunately, due to certain internal dependencies, we are unable to perform an upgrade at this time. I've gone ahead and created a role in Kibana and assigned it to multiple users, but all of them are encountering the same issues. Below, you can find the configuration details for these roles.
The role configurations are accurate; however, for Space privileges, I have only granted 'Read' access to specific tabs while setting 'None' for all others. Initially, this setup was effective for us, but it intermittently encounters issues. Interestingly, granting admin access to the user seems to resolve the problem.
Do you happen to know why certain dashboards necessitate index update permissions, as it appears that a particular API is experiencing disruptions?
It's concerning that certain pre-built dashboards seem to require index pattern update permissions, potentially violating the principle of least privilege. This issue not only impacts user experience but also raises questions about security and access control. Resolving this matter promptly is crucial for maintaining a secure and user-friendly system.
@Ankur_Mahajan Have you tried loading the dashboard with the regular user after it's been loaded by the superuser? There are some cases where the index pattern needs to be updated. It will update automatically when the dashboard is viewed by a user with index pattern update privileges and then work with users who lack that privilege. Perhaps you've already done this but it's still best for me to verify.
@mattkime, certainly, I will upload the information you've requested. Additionally, I had previously submitted an issue on GitHub some time ago, but it appears to have been closed, though I'm unsure of the details.
Yes, I've tested that approach, and it works well. After logging in with the admin user initially, I can log out and subsequently log in with the least privileged user. However, it's worth noting that this behavior shouldn't occur, as we should be able to log in directly with low-privileged users without this workaround.
I have included the console logs from my browser for your reference. Hopefully, they will provide more information about the issue. Please let me know if you require any further details.
@Ankur_Mahajan In Kibana <7.11, the field list is saved to the saved object. Without saving the field list to the saved object, there's no field list and the index pattern isn't useful. Yes, this does require permissions to edit the index pattern. This has been fixed in 7.11 and greater via "[Index patterns] Remove field cache" by mattkime (Pull Request #82223, elastic/kibana, GitHub): the field list is no longer saved with the index pattern, therefore there's no need for a fully privileged user to use the index pattern before less privileged users.
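
The behaviour described in the reply above can be checked before read-only roles are rolled out on Kibana older than 7.11. The following is an added example, not code from the thread or from Kibana: it scans a saved-objects export for index patterns that have no stored field list. The NDJSON layout, the `attributes.fields` key holding a JSON string, and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample of a saved-objects export (NDJSON); not data from the thread.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"type": "index-pattern", "id": "metricbeat-*",
                "attributes": {"title": "metricbeat-*",
                               "fields": json.dumps([{"name": "@timestamp", "type": "date"}])}}),
    json.dumps({"type": "index-pattern", "id": "filebeat-*",
                "attributes": {"title": "filebeat-*"}}),           # no field list stored
    json.dumps({"type": "index-pattern", "id": "apm-*",
                "attributes": {"title": "apm-*", "fields": "[]"}}),  # empty field list
    json.dumps({"type": "dashboard", "id": "host-overview",
                "attributes": {"title": "Host overview"}}),
    json.dumps({"exportedCount": 4}),                              # export summary line
])

def needs_field_cache(kibana_version):
    """Per the thread, Kibana before 7.11 keeps the field list on the saved object."""
    major, minor = (int(p) for p in kibana_version.split(".")[:2])
    return (major, minor) < (7, 11)

def uncached_index_patterns(ndjson_text):
    """Return titles of index patterns whose saved object has no usable field list."""
    flagged = []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if obj.get("type") != "index-pattern":
            continue
        attrs = obj.get("attributes", {})
        raw = attrs.get("fields")
        try:
            fields = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError:
            fields = None  # unreadable cache is treated like a missing one
        if not fields:
            flagged.append(attrs.get("title", obj.get("id")))
    return flagged

def report(kibana_version, ndjson_text):
    """Index patterns a privileged user must open first; empty on 7.11 and later."""
    if not needs_field_cache(kibana_version):
        return []
    return uncached_index_patterns(ndjson_text)

if __name__ == "__main__":
    for title in report("7.9.2", SAMPLE_EXPORT):
        print(f"{title}: no stored field list; a read-only user cannot populate it")
```

This only catches a missing or empty field list; a stored list that is out of date with the underlying indices cannot be detected from the export alone.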