Role Management - Access to 1 index only

Hello,

I'm using Elastic in a PoC and we are trying the 14-day period of X-Pack. One thing that we want to test is the ability to create users/roles and give them access only to the one index, for example.

But I'm facing an issue:

  • I'm creating a role with no cluster privileges, access to only 1 index with all privileges to that specific index;
  • I create a user called testing with that role only;
  • When I try to log in, I'm having the following error:

Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user [testing]: [security_exception] action [indices:data/write/update] is unauthorized for user [testing]

Now - If I add the kibana_user role I'm able to see all the indices that exist on the cluster.

Thanks in advance! :slight_smile:

KR

Hi @tiagoverissimo,

Could you please show us the config or output of GET /_xpack/security/role/<rolename> for the role that you created?

Regards,
Yogesh Gaikwad

You should be able to query the index if you access Elasticsearch directly through the APIs. If you however want to access the data through Kibana, the user also needs access to the privileges the kibana_user role provides.

Here it is:

{
  "testing": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "demo*"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}

Thanks! :smiley:

Hello!

Yeah - I want the user to access through Kibana but with the ability to check only the index that is allowed. Is this possible?

Thanks :slight_smile:

The objects that Kibana manages - visualisations, dashboards, index-patterns, etc - are stored in an index in Elasticsearch. You cannot use Kibana unless you have access to that index.

The kibana_user role is a predefined role that grants the necessary permissions to that index, and nothing else.

When you grant that role to the test user, what behaviour are you seeing that is a problem for you?
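An added example, not part of the thread and not Elastic's code: a simplified model of how index grants from several roles combine, using the testing role posted above. The `.kibana*` pattern and privilege list for kibana_user, the privilege-to-action map, the assumption that the failing update targets `.kibana`, and the sample index names are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Simplified, assumed map of index privileges to the action prefixes they cover.
PRIVILEGE_ACTIONS = {
    "all": ("indices:",),
    "read": ("indices:data/read/",),
    "index": ("indices:data/write/index", "indices:data/write/update"),
    "delete": ("indices:data/write/delete",),
    "manage": ("indices:admin/", "indices:monitor/"),
}

# The role from the thread (output of GET /_xpack/security/role/testing).
TESTING = {"indices": [{"names": ["demo*"], "privileges": ["all"]}]}

# Assumed stand-in for the predefined kibana_user role: access to the index
# holding Kibana's saved objects and nothing else.
KIBANA_USER = {"indices": [{"names": [".kibana*"],
                            "privileges": ["manage", "read", "index", "delete"]}]}

# Constructed sample of indices present on a cluster.
CLUSTER_INDICES = [".kibana", "demo-orders", "logs-2018.06", "hr-salaries"]


def is_authorized(roles, action, index):
    """True if any grant in any of the user's roles covers action on index."""
    for role in roles:
        for grant in role["indices"]:
            if not any(fnmatchcase(index, pat) for pat in grant["names"]):
                continue  # this grant does not apply to the index
            for priv in grant["privileges"]:
                if action.startswith(PRIVILEGE_ACTIONS[priv]):
                    return True
    return False


def readable(roles, indices):
    """Indices whose documents the combined roles allow the user to search."""
    return [i for i in indices
            if is_authorized(roles, "indices:data/read/search", i)]


if __name__ == "__main__":
    update = "indices:data/write/update"
    # testing alone: Kibana's write to its own index is refused (the 403).
    print(is_authorized([TESTING], update, ".kibana"))
    # With kibana_user the write succeeds, but data access stays at demo*.
    print(is_authorized([TESTING, KIBANA_USER], update, ".kibana"))
    print(readable([TESTING, KIBANA_USER], CLUSTER_INDICES))
```

In this model, adding kibana_user widens access only to the saved-objects index: index patterns and dashboards stored there become visible, while searches against indices outside `demo*` are still refused.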

Hello Tim!

Thanks for your answer. Now it is a bit more clear.
The issue is that I just want that one type of users see one index only - but able to create visualizations on it.

I'm not sure I was clear enough, please let me know.

I just want that one type of users see one index only

Ok, but please answer the question I asked:

  • what behaviour are you seeing that is a problem for you?

When I assign the kibana_user role to the user I'm able to log in and see all the dashboards, visualizations and indexes - all of them.

My goal is to allow that user to check and see only the index that I assigned it.

Thanks!
