Role based access

security

(Jason Zheng) #1

Hi All,

I would like to have different privilege for different user in using Kibana, I added user by

$ /usr/share/elasticsearch/bin/shield/esusers useradd franky -r kibana4_monitoring -p password

and then modified roles.yml: first I commented out the indices lines of kibana4 and added kibana4_monitoring as follows (on each Elasticsearch node):

kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    'logstash-*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    'franky-*':
       - indices:read
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

then I added franky to the group kibana4_monitoring:

$ /usr/share/elasticsearch/bin/shield/esusers roles franky -a kibana4_monitoring

finally, I modified kibana.yml as follows and restarted Kibana:

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

But the user franky can still use the logstash-* index in Discover, Visualize and Dashboard. That does not seem correct; my purpose is for the user franky to be able to use only the franky-* index. Does anyone have an idea?


(Jason Zheng) #2

Does anyone have an idea?


(Pranav K Burnwal) #3

Hi Jason,

Actually, the feature you are asking for is called role based access.
To use it, you have to create a role for the particular index and then assign franky that role.

Use this link from the Shield documentation: Here

If you still face problem, reply here. :thumbsup:

Pranav


(Jason Zheng) #5

Hi Pranav,

I listed the user franky's privileges:

[root@elasticsearch ~]# /usr/share/elasticsearch/bin/shield/esusers list franky
franky         : kibana4_monitoring,kibana4

roles.yml (master and nodes)

kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
kibana4_server:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    'logstash-*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    'franky-*':
       - indices:read
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

then restarted the Elasticsearch service (master and nodes).

kibana.yml settings:

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

But franky can still operate on 'logstash-*'; franky should only be able to operate on 'franky-*'.

I am following the steps at https://www.elastic.co/guide/en/shield/current/kibana.html#using-kibana4-with-shield

Jason


(Pranav K Burnwal) #6

Hey,

So, in place of logstash-*, you have to replace it with franky-*, not comment it out.


(Jason Zheng) #7

Hi Pranav,

As you said, I replaced logstash-* with franky-* and restarted all services (Elasticsearch, Kibana); it now works normally, thanks.

I do not understand why it does not work with the following syntax:

'franky-*':
   - indices:read

BTW, when I first visit Kibana, a dialog pops up asking me to enter an account and password. My question is: how do I log out of Kibana with Shield?

Jason


(Pranav K Burnwal) #8

Hi,

I guess you have not been through all of the Shield documentation.

indices:read

is not valid.
Please find the valid cluster and indices action privileges here: Here
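
A check a practitioner would want at this point, as an added example that is not part of the thread and not Shield's own code: a Python script that parses a Shield 1.x roles.yml, flags privilege names Shield would reject (the indices:read from post #7) and reports which indices each role can search. It runs on a trimmed copy of the poster's kibana4_monitoring role beside a corrected copy that uses the named privilege read for franky-*. The named privilege sets, the accepted action-name shapes and the "can search" rule are my assumptions, to be checked against the Shield privilege reference linked above; the index names are constructed.

```python
"""Offline check of a Shield 1.x roles.yml: flags privilege names Shield would
reject (this thread's 'indices:read') and reports which indices each role can
search. Added example for this thread, not Shield's code; the privilege names and
action-name shapes below are my assumptions, check them against the Shield
privilege reference for your version.
"""
import re
from fnmatch import fnmatchcase

NAMED_INDEX = {"all", "manage", "monitor", "data_access", "crud", "read", "search", "get",
               "suggest", "index", "delete", "write", "delete_index", "create_index"}
NAMED_CLUSTER = {"all", "monitor", "manage"}
# Action-level privileges: real Elasticsearch action names, optionally ending in '*'.
ACTION_RE = re.compile(
    r"^(?:indices:(?:admin|data/read|data/write|monitor)|cluster:(?:admin|monitor))/[\w/*]+$")
SEARCH_ACTION = "indices:data/read/search"
SEARCH_GRANTING = {"all", "data_access", "crud", "read", "search"}  # named privileges covering search

def parse_roles(text):
    """Parse the roles.yml subset Shield uses; '#' comment lines are skipped, as Shield skips them."""
    roles, role, section, pattern = {}, None, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        body = line.strip()
        if body.startswith("- "):                        # privilege entry
            target = roles[role]["cluster"] if section == "cluster" else roles[role]["indices"][pattern]
            target.append(body[2:].strip().strip("'\""))
        elif line == body:                               # no indent: a new role
            role = body.rstrip(":")
            roles[role] = {"cluster": [], "indices": {}}
            section = pattern = None
        elif body in ("cluster:", "indices:"):           # section inside the role
            section = body[:-1]
        else:                                            # index pattern under 'indices:'
            pattern = body.rstrip(":").strip("'\"")
            roles[role]["indices"][pattern] = []
    return roles

def is_valid_privilege(priv, scope):
    """True if Shield would accept priv as an index ('indices') or 'cluster' privilege."""
    named = NAMED_INDEX if scope == "indices" else NAMED_CLUSTER
    return priv in named or (priv.startswith(scope + ":") and bool(ACTION_RE.match(priv)))

def invalid_privileges(roles):
    """(role, 'cluster' or index pattern, privilege) triples Shield would reject."""
    bad = []
    for name, role in roles.items():
        bad += [(name, "cluster", p) for p in role["cluster"] if not is_valid_privilege(p, "cluster")]
        for pattern, privs in role["indices"].items():
            bad += [(name, pattern, p) for p in privs if not is_valid_privilege(p, "indices")]
    return bad

def grants_search(priv):
    """Does one index privilege cover the search action? Invalid privileges grant nothing."""
    return priv in SEARCH_GRANTING or (is_valid_privilege(priv, "indices") and fnmatchcase(SEARCH_ACTION, priv))

def searchable_indices(roles, user_roles, index_names):
    """Indices from index_names a user holding user_roles can search (union over the roles)."""
    allowed = set()
    for rname in user_roles:
        for pattern, privs in roles.get(rname, {"indices": {}})["indices"].items():
            if any(grants_search(p) for p in privs):
                allowed.update(i for i in index_names if fnmatchcase(i, pattern))
    return sorted(allowed)

# Constructed input, not the poster's full file: the thread's kibana4_monitoring role
# (trimmed) beside a corrected copy that uses the named privilege 'read' for franky-*.
ROLES_YML = """\
kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    'logstash-*':
#      - indices:data/read/search
    'franky-*':
       - indices:read
    '.kibana':
      - indices:data/read/search
      - indices:data/write/index

kibana4_monitoring_fixed:
  indices:
    'franky-*':
      - read
    '.kibana':
      - indices:data/read/search
      - indices:data/write/index
"""
INDICES = ["logstash-2015.08.07", "franky-2015.08.07", ".kibana"]  # constructed index names

def report(text=ROLES_YML, index_names=INDICES):
    """{role: (rejected privileges, searchable indices)} for every role in text."""
    roles = parse_roles(text)
    bad = invalid_privileges(roles)
    return {n: ([b for b in bad if b[0] == n], searchable_indices(roles, [n], index_names)) for n in roles}
```

Calling report() shows the original role with indices:read rejected and only .kibana searchable, while the corrected role adds franky-* without touching logstash-*. searchable_indices takes a list of roles because Shield grants the union of a user's roles (post #5 shows franky holding both kibana4 and kibana4_monitoring), so the check is on everything the user holds, not on one role at a time.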


(Steve Kearns) #9

Hi Jason,

I'm glad that Pranav's help has things working the way you want (thanks Pranav!)

Today, when using Shield, Kibana will prompt you for your username/password. This uses the browser's built-in HTTP Basic Auth support, which caches your credentials after a successful authentication. For now, the only way to log out is to close the browser.

That said, we are already working on full session support with login/logout, and I believe this is planned for the next version of Kibana: https://github.com/elastic/kibana/issues/3904

Thanks,
Steve


(Jason Zheng) #10

Hi Steve,

Thanks for replying,

Another question (Kibana with Shield):

User A logs in to Kibana and creates a 'logstash-*' index pattern.
User B logs in to Kibana and creates a 'franky-*' index pattern.

User A is allowed to access the logstash indices and user B is not, but whichever of User A or User B logs in to Kibana, they can see all of the index patterns; only User A can actually access logstash-*, and User B cannot use logstash-*.

Is it possible to give User A and User B different views (a READ ACL)?

Jason


(Steve Kearns) #11

Hi Jason,

I'm not sure I understand your question, but I'll try to clarify how things work today. Shield allows you to protect the data-level access at the Elasticsearch layer. Once you have Shield configured, no user will be able to see data from an index they do not have access to.

In Kibana, we do not yet have the ability to isolate individual dashboards/saved searches/visualizations or index mappings, so that all users will be able to see that they exist but with Shield, they will not be able to actually see any data they shouldn't.

We are planning to allow Kibana to protect individual objects, but this is something we're still working on.

I hope that helps.

Thanks,
Steve

