Role based access

Jason_Zheng · August 5, 2015, 9:48am

Hi All,

I would like to have different privilege for different user in using Kibana, I added user by

$/usr/share/elasticsearch/bin/shield/esusers useradd franky -r kibana4_monitoring -p password

and then modify roles.yml, first I mark indices lines of kibana4 and add kibana4_monitoring as following (each elasticsearch node)

kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    'logstash-*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    'franky-*':
       - indices:read
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

then add franky to group kibana4_monitoring

$/usr/share/elasticsearch/bin/shield/esusers roles franky -a kibana4_monitoring

finally, I modified kibana.yml as following and restart kibana

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

But the user franky still can use logstash-* index to do discover, visualize or dashboard, it seems not correct, I purpose the user franky only can use franky-* index, any one have idea

Jason_Zheng · August 6, 2015, 6:49am

Anyone have idea?

pranavburnwal · August 6, 2015, 9:46am

Hi Jason,

Actually the feature you request is called role based access.
To use you have to create a role for the particular index and then assign franky that role.

Use this link from shield documentation: Here

If you still face problem, reply here.

Pranav

Jason_Zheng · August 7, 2015, 9:12am

Hi Pranav,

I list the user franky privilege

[root@elasticsearch ~]# /usr/share/elasticsearch/bin/shield/esusers list franky
franky         : kibana4_monitoring,kibana4

roles.yml (master and nodes)

kibana4:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    '*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
kibana4_server:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

kibana4_monitoring:
  cluster:
      - cluster:monitor/nodes/info
      - cluster:monitor/health
  indices:
#    'logstash-*':
#      - indices:admin/mappings/fields/get
#      - indices:admin/validate/query
#      - indices:data/read/search
#      - indices:data/read/msearch
#      - indices:admin/get
    'franky-*':
       - indices:read
    '.kibana':
      - indices:admin/create
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

then restart elasticsearch service (master and node)

Kibana.yml setting

kibana_elasticsearch_username: franky
kibana_elasticsearch_password: password

But franky still can operate 'logstash-', franky should only operate 'franky-'

My purpose is according to https://www.elastic.co/guide/en/shield/current/kibana.html#using-kibana4-with-shield steps

Jason

pranavburnwal · August 10, 2015, 6:01am

Hey,

So In place of logstash-* you have to replace it with franky-* not comment it.

Jason_Zheng · August 11, 2015, 2:16am

Hi Pranav,

As you said, I did replace logstash-* to franky-*, and restart all services (elasticsearch, kibana), it can be work normally, thanks

I do not understand, why does it not work as following syntax?

'franky-*':
   - indices:read

BTW, when I first time visit kibana, the dialog popup to ask me enter account and password, my question is how to logout kibana with sheild?

Jason

pranavburnwal · August 11, 2015, 4:00am

Hi,

I guess you have not been through all the documentation of shield.

indices:read

is not valid.
Please find the valid cluster and indices action privileges here: Here

skearns · August 11, 2015, 10:30am

Hi Jason,

I'm glad that Pranav's help has things working the way you want (thanks Pranav!)

Today, when using Shield, Kibana will prompt you for your username/password. This uses the browser's built-in HTTP Basic Auth support, which caches your credentials after a successful authentication. For now, the only way to log out is to close the browser.

That said, we are already working on full session support with login/logout, and I believe this is planned for the next version of Kibana: https://github.com/elastic/kibana/issues/3904

Thanks,
Steve

Jason_Zheng · August 17, 2015, 1:54am

Hi Steve,

Thanks for replying,

Another question, (kibana within shield)

User A login Kibana, and create 'logstash-' index pattern
User B login Kibana, and create 'franky-' index pattern

User A allowed to access logstash indices, user B not allowed to access logstash indices, but whatever User A or User B login Kibana, all of index pattern they can see, just only user A can access logstash-, user B cannot use logstash-

Is it possible to get different view (READ ACL) to User A and B

Jason

skearns · August 17, 2015, 12:48pm

Hi Jason,

I'm not sure I understand your question, but I'll try to clarify how things work today. Shield allows you to protect the data-level access at the Elasticsearch layer. Once you have Shield configured, no user will be able to see data from an index they do not have access to.

In Kibana, we do not yet have the ability to isolate individual dashboards/saved searches/visualizations or index mappings, so that all users will be able to see that they exist but with Shield, they will not be able to actually see any data they shouldn't.

We are planning to allow Kibana to protect individual objects, but this is something we're still working on.

I hope that helps.

Thanks,
Steve