Role Management - Access to 1 index only


(TIAGO VERISSIMO) #1

Hello,

I'm using Elastic in a PoC and we are tying the 14-day period of X-Pack. One thing that we want to test is the ability to create users/roles and give them access only to the one index, for example.

But I'm facing an issue:

  • I'm creating a role with no cluster privileges, access to only 1 index with all privileges to that specific index;
  • I create an user called testing with that role only;
  • When I try to login, I'm having the following error:

Error 403 Forbidden: action [indices:data/write/update] is unauthorized for user [testing]: [security_exception] action [indices:data/write/update] is unauthorized for user [testing]

Now - If I add the kibana_user role I'm able to see all the index that exists on the cluster.

Thanks in advance! :slight_smile:

KR


(Yogesh Gaikwad) #2

Hi @tiagoverissimo,

Could you please show us the config or output of GET /_xpack/security/role/<rolename> for the role that you created?

Regards,
Yogesh Gaikwad


(Christian Dahlqvist) #3

You should be able to query the index if you access Elasticsearch directly through the APIs. If you however want to access the data through Kibana the user also need access to the privileges the kibana_user role provides.


(TIAGO VERISSIMO) #4

Here it is:

{ 
"testing": {
"cluster": [],
"indices": [
  {
    "names": [
      "demo*"
    ],
    "privileges": [
      "all"
    ]
  }
],
"run_as": [],
"metadata": {},
"transient_metadata": {
  "enabled": true
}
}
}

Thanks! :smiley:


(TIAGO VERISSIMO) #5

Hello!

Yeah - I want the user to access through Kibana but with the ability to check only the index that is allowed. Is this possible?

Thanks :slight_smile:


(Tim Vernum) #6

The objects that Kibana manages - visualisations, dashboard, index-patterns, etc - are stored in an index in Elasticsearch. You cannot use Kibana unless you have access to that index.

The kibana_user role is a predefined role that grants the necessarily permissions to that index, and nothing else.

When you grant that role to the test user, what behaviour are you seeing that is a problem for you?


(TIAGO VERISSIMO) #7

Hello Tim!

Thanks for you answer. Now it is a bit more clear.
The issue is that I just want that one type of users see one index only - but able to create visualizations on it.

I'm not sure was clear enough, please let me know.


(Tim Vernum) #8

I just want that one type of users see one index only

Ok, but please answer the question I asked:

  • what behaviour are you seeing that is a problem for you?

(TIAGO VERISSIMO) #9

When I assignate the kibana_user role to the user I'm able to login and see all the dashboards, visualizations and indexes - all of them.

My goal is allow that user to check and see only the index that I assigned it.

Thanks!


(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.