Role based access control

I'm trying to setup role based access control. I define a security_engineer role and a security_engineer space for the security engineers that needs read only access.

I'm on elasticsearch version 7.5.0 with security enabled (basic license)

I define the role as

  curl -v -k -u <usename>:<password> -XPUT -H "kbn-xsrf: true" -H "Content-Type: application/json"  "http://127.0.0.1:5601/api/security/role/security_engineer" -d '
   {     
      "elasticsearch": {
         "cluster" : [ "all" ],
         "indices" : [ {
           "names" : [ "wazuh*", "phoenix*" ],
           "privileges" : [ "read" ]      
         } ]
       },
       "kibana": [
            {
                "base": [],
                "feature": {
                   "discover": ["read"],
                   "dashboard": ["read"],
                   "siem" : ["read"],
                   "wazuh": ["read"]
                 },
                "spaces": [
                   "security_engineer"
                 ]
            }
       ]
   }'

And I assign this role to a specific security engineer.

They indeed only see the features for discover, dashboard,siem and wazuh.

but they can also get to the settings.

so once they login they can just assign themselves the superuser role

That is obviously not the idea. So I must be doing something really stupid.

The question are:

  • where do I enforce that a user cannot change it's own security roles.
  • how can I disable the settings feature?

I actually go in to kibana and do it. do not know how to do it via command line

create a space called secutiry_engineer

then on roles there is a last thing called Add space privilege

add secutiry_engineer (space) and limit them to see feature.
now they can't go to setting anymore

Thanks Sachin,
That's what I was expecting as well.
Although I have a space defined, it still shows me the settings

Not sure what happened. But it seems to be running now.

I did notice in the documentation

https://www.elastic.co/guide/en/kibana/current/xpack-security.html

Managing roles that grant Kibana privileges using the Elasticsearch role management APIs is not supported. Doing so will likely cause Kibana’s authorization to behave unexpectedly.

Maybe that is what was my issue. Not sure what that statement means exactly. Are the elastic roles visible in kibana? How do I keep one seperate from the other.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.