Read-only access to index


#1

I want to give read-only access to an index for a local user in Kibana.

Here is the role assigned:

bash-4.1$ esusers list
esuser : read_all_indices

roles.yml:

# Read-only operations on indices
read_all_indices:
  indices:
    '*':
      privileges: read
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update

I'm getting the below error:

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [esuser]

Shouldn't privilege: read be inclusive of data/read/mget? I have tried including that privilege as well.
I still get the same error.

What am I missing here?


(Lee Drengenberg) #2

Some things around privileges have been changing. What version of Elasticsearch and Kibana are you using?


#3

Shield 2.2.0
Elasticsearch 2.2.0
Kibana 4.4.1


(Lee Drengenberg) #4

Kibana never writes to the data indexes (like logstash-* for example). So I think what you want is for a read-only user (with a read-only role) to not be allowed to create/update/delete index patterns, saved searches, visualizations, or dashboards. Those things are all in the .kibana index, so below I've ONLY changed the privileges for the .kibana index.

That way they can Read everything and run queries, even create new visualizations and dashboards (on any existing index pattern) but not save any changes.

If that's correct, in this example below I

readonly:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search

I removed these privs:

  • indices:admin/mapping/put
  • indices:data/write/delete
  • indices:data/write/index
  • indices:data/write/update

Or did you only want the user to not be able to change the index pattern but still be able to create/modify/save Saved searches, Visualizations, and Dashboards?

Regards,
Lee


#5

Lee,

I used the privs in the example. I still get this error.

Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [esuser]


(Lee Drengenberg) #6

Are you using both the Elasticsearch Shield x-plugin and the Kibana Shield plugin which gives you the login screen on Kibana?

Or are you only using the Elasticsearch Shield plugin which gives you the browser pop-up login dialog?

If you're only using the Elasticsearch Shield plugin, and you make any typos on the user or password, I believe you get that mget security exception (I know because I accidentally called my user readyonly instead of readonly).

If you know you have the correct user and password and are still getting the mget security exception, I would revert back to the original user permissions and make sure it works, and then remove those 4 privileges I noted above, one at a time, logging out and back in. If you're watching the Elasticsearch log when you save the roles.yml file you should see a message indicating the roles were updated:

updated roles (roles file [D:\k4.4-es2.2-final\elasticsearch-2.2.0\config\shield\roles.yml] changed)

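A small diagnostic for the "granted on paper, still denied" situation in this thread, added here as an example and not code from the thread or from Shield: it parses the roles.yml subset shown above (stdlib only, no PyYAML), pulls the action and user out of a [security_exception] line, and reports which of the user's roles grant that action on a given index. If the privilege list does grant the action, the next places to look are the ones Lee names: credentials and whether the updated roles file was actually loaded. The sample role, user mapping and error line are constructed from the posts above, and named privileges such as read are reported but not expanded, since their expansion is Shield's, not this script's.

```python
import fnmatch
import re

ERR_RE = re.compile(r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]")
# Constructed sample: the thread's original role (re-indented) and the 'esusers list' mapping.
ROLES_YML = """
# Read-only operations on indices
read_all_indices:
  indices:
    '*':
      privileges: read
    '.kibana':
      privileges: indices:admin/exists, indices:data/read/get, indices:data/read/mget, indices:data/read/search
"""
USER_ROLES = {"esuser": ["read_all_indices"]}
ERROR_LINE = "Courier Fetch Error: unhandled courier request error: [security_exception] action [indices:data/read/mget] is unauthorized for user [esuser]"

def parse_roles(text):
    """Return {role: {index_pattern: [privilege, ...]}}; cluster privilege lists are skipped."""
    roles, role, pattern = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop YAML comments
        if not line.strip() or line.strip().startswith("- "):
            continue                                   # blank line, or a cluster list item
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                      # column 0: a role name
            role, pattern = key, None
            roles[role] = {}
        elif key == "privileges" and pattern is not None:
            roles[role][pattern] = [p.strip() for p in value.split(",") if p.strip()]
        elif not value.strip() and key not in ("cluster", "indices"):
            pattern = key.strip("'\"")                 # an index pattern such as '.kibana'
    return roles

def check_grant(roles_text, user_roles, error_line, index=".kibana"):
    """Which of the user's roles grant the failing action on `index`, explicitly or via a named privilege."""
    m = ERR_RE.search(error_line)
    if not m:
        raise ValueError("line carries no security_exception action/user")
    action, user = m.group("action"), m.group("user")
    roles = parse_roles(roles_text)
    hits = [(role, pat, p) for role in user_roles.get(user, [])
            for pat, privs in roles.get(role, {}).items()
            if fnmatch.fnmatchcase(index, pat)         # does the pattern cover this index?
            for p in privs]
    # Named privileges (read, all, ...) are listed but not expanded; Shield decides what they include.
    return {"user": user, "action": action,
            "explicit": [(r, pat) for r, pat, p in hits if p == action],
            "named": [(r, pat, p) for r, pat, p in hits if ":" not in p]}
```

Run with the sample and the report shows mget explicitly granted on .kibana plus the named read privilege on '*', which is the thread's original configuration.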
