Role to use grok debugger, and console granular access control

We are using Shield (Security) and created some power user accounts. They have the following roles assigned:
kibana_user
monitoring_user
reporting_user
logstash_admin
read_all
Those are all built in roles from https://www.elastic.co/guide/en/x-pack/6.x/built-in-roles.html except for read_all, which gives them read on all indices. (It's their data, anyway; We separate clients by cluster.)
Things basically work fine, except for two small issues:

  1. They cannot use the Grok Debugger. We have xpack.grokdebugger.enabled (https://www.elastic.co/guide/en/kibana/current/dev-settings-kb.html), however, it worked for them only when we gave them superuser (which we had to take away again). I'm not sure why this isn't allowed for lesser beings. (It's not a blocker since they can still use online tools - but that's not what you built the grok debugger for, is it.)
  2. We cannot control who's allowed to use the console and who isn't per Shield user - only per Kibana instance (console.enabled, https://www.elastic.co/guide/en/kibana/current/settings.html), and we currrently have only one. It would be cool if this could be controlled by role. Again, it's not deadly.

Are there any plans to make the grok debugger accessible for non superuser? Or to control access to both grokk debugger and console via roles?

Hi,

The grok_debugger is using elasticsearch's simulate API -
the permissions you'd need would look something like

. You could then add that role to anyone using the grok debugger. Note that "manage" allows all CRUD operations on pipelines, so it may not be an option.

Thumbs up on disabling apps per user. There are thoughts for more access control in Kibana but it's likely a ways out.

1 Like

Thanks, that works! The background information is also helpful.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.