Read only user setup

security

(Randall Williams) #1

I'm attempting to set up a read-only user, but keep running into this error when attempting to use these read-only userids with Kibana: Error: Unable to check for Kibana index ".kibana". Userids that I have associated with admin and power_user work fine via Kibana. I'm not sure where the config issue is. I appeal to the wisdom of the forum for direction.

Here are my user settings.

roles.yml - default except for these entries, which don't seem to work.

# Read-only operations on indices
user:
  indices:
    '*': read

reader_role:
  cluster : all
  indices:
    '*': get, read

Showing that I have two users associated with those roles
[root@vm10178 shield]# /usr/share/elasticsearch/bin/shield/esusers list | grep reader
reader : user
reader2 : reader_role

Showing that the userids work via curl.
[root@vm10178 shield]# curl --user reader:reader localhost:9200/_count?pretty=true
{
  "count" : 114351190,
  "_shards" : {
    "total" : 66,
    "successful" : 66,
    "failed" : 0
  }
}
[root@vm10178 shield]# curl --user reader2:reader localhost:9200/_count?pretty=true
{
  "count" : 114353843,
  "_shards" : {
    "total" : 66,
    "successful" : 66,
    "failed" : 0
  }
}


(Rashid Khan) #2

It's probably the missing admin/exists permission that is causing that specific error, but you may want to base your new role on the existing kibana4 role, with the write permissions removed from .kibana; otherwise you're going to run into other issues. You'll also need to start/use Kibana for a bit as an admin to get all of the necessary .kibana docs created before rolling out to read-only users.

Existing role for reference:

kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

(Randall Williams) #3

That got me pointed in the right direction. I ended up basically giving every read permission to the role, for both the index that I wanted it to see and the .kibana index. I wish there was a document that better explained the permissions in Shield.
I'm sure I can remove some of these, but that will take some time to figure out.

What my role looks like now:

'logstash-*':
  - indices:admin/exists
  - indices:admin/get
  - indices:admin/mappings/fields/get
  - indices:admin/refresh
  - indices:admin/validate/query
  - indices:data/read/count
  - indices:data/read/exists
  - indices:data/read/explain
  - indices:data/read/get
  - indices:data/read/mget
  - indices:data/read/mlt
  - indices:data/read/mpercolate
  - indices:data/read/msearch
  - indices:data/read/mtv
  - indices:data/read/percolate
  - indices:data/read/script/get
  - indices:data/read/scroll
  - indices:data/read/scroll/clear
  - indices:data/read/search
  - indices:data/read/suggest
  - indices:data/read/tv
'.kibana':
  - indices:admin/get
  - indices:admin/exists
  - indices:admin/mappings/fields/get
  - indices:admin/refresh
  - indices:admin/validate/query
  - indices:data/read/count
  - indices:data/read/exists
  - indices:data/read/explain
  - indices:data/read/get
  - indices:data/read/mget
  - indices:data/read/mlt
  - indices:data/read/mpercolate
  - indices:data/read/msearch
  - indices:data/read/mtv
  - indices:data/read/percolate
  - indices:data/read/script/get
  - indices:data/read/scroll
  - indices:data/read/scroll/clear
  - indices:data/read/search
  - indices:data/read/suggest
  - indices:data/read/tv
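The check a practitioner would want before rolling such a role out, as an added example that is not code from this thread or from Shield: flag every privilege in a role that is not read-only (catching both the original reader_role's cluster "all" and the writes kibana4 carries on .kibana), and derive a read-only role from kibana4 by stripping the flagged entries, which is what the reply above recommends. The allowlist of read-only actions and named privileges is an assumption for illustration, not Shield's own classification, and the sample roles are constructed from the ones quoted in the thread.

```python
# Constructed sample in the shape of Shield's roles.yml (role -> section -> privileges):
# the original poster's reader_role, and kibana4 trimmed from the copy quoted in the thread.
ROLES = {
    "reader_role": {"cluster": ["all"], "indices": {"*": ["get", "read"]}},
    "kibana4": {
        "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
        "indices": {
            "*": ["indices:data/read/search", "indices:data/read/msearch", "indices:admin/get"],
            ".kibana": ["indices:admin/exists", "indices:admin/mapping/put",
                        "indices:data/read/get", "indices:data/read/search",
                        "indices:data/write/delete", "indices:data/write/index",
                        "indices:data/write/update", "indices:admin/create"],
        },
    },
}

# Assumed allowlist of what a read-only Kibana role may carry; anything else
# (data writes, index creation, mapping changes, cluster "all") gets flagged.
READ_ONLY_PREFIXES = ("indices:data/read/", "cluster:monitor/")
READ_ONLY_EXACT = {"indices:admin/exists", "indices:admin/get", "indices:admin/refresh",
                   "indices:admin/mappings/fields/get", "indices:admin/validate/query",
                   "read", "get", "search", "monitor"}

def is_read_only(priv):
    return priv.startswith(READ_ONLY_PREFIXES) or priv in READ_ONLY_EXACT

def audit_role(role):
    """Return {section: [privileges that are not read-only]}; {} means the role is read-only."""
    sections = dict(role.get("indices", {}), cluster=role.get("cluster", []))
    flagged = {s: [p for p in privs if not is_read_only(p)] for s, privs in sections.items()}
    return {s: bad for s, bad in flagged.items() if bad}

def derive_read_only(role):
    """Copy a role, dropping every privilege the audit would flag (kibana4 minus its writes)."""
    return {
        "cluster": [p for p in role.get("cluster", []) if is_read_only(p)],
        "indices": {pat: [p for p in privs if is_read_only(p)]
                    for pat, privs in role.get("indices", {}).items()},
    }

def to_roles_yml(name, role):
    """Render one role in the indented roles.yml layout shown in the thread."""
    out = [f"{name}:", "  cluster:"] + [f"    - {p}" for p in role["cluster"]]
    out.append("  indices:")
    for pat, privs in role["indices"].items():
        out += [f"    '{pat}':"] + [f"      - {p}" for p in privs]
    return "\n".join(out) + "\n"
```

Run `audit_role` over each role in your roles.yml after every change; an empty result for the Kibana read-only role is the condition to require before handing the userid out.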


(system) #4