Secure access to dashboards

We want to secure our dashboards and allow some users only to visualize dashboards: no modification, no save, no upgrade.
I understand that I have to create a dedicated role but it does not work:

{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": [ ".kibana*" ],
      "privileges": ["read"]
    },
    {
      "names": [ ".reporting*" ],
      "privileges": ["all"]
    }
  ]
}

With this configuration of "read" on the ".kibana" index, I have a blank page.
With "all" on the ".kibana" index, I can modify and delete dashboards.
How do I set up the profile?
Thanks for your tips,

Hi zeenon,

This user also needs read access to the indices that are associated with those dashboards. Have you granted access to those indices that contain data for those dashboards?

Thanks,
Archana (a5a)

Thanks for your answer. I have read access:

{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": [ "idx_zzit_wapi*", "aliaszzit_wapi*" ],
      "privileges": ["read"]
    }
  ]
}

A simple substitution of "read" by "all" for the .kibana index gives me all access, but it is too much.

Hi zeenon,

Apologies, I see what you're doing now. You're a great candidate for our new feature in 6.0, dashboard-only mode, which allows you a first-class way to grant read-only access to Kibana saved objects. Check it out here: https://www.elastic.co/blog/kibana-dashboard-only-mode

In your case, though, you can still do it, but it's not as pretty. It requires setting an additional privilege for this user on .kibana. So in addition to read, you also need view_index_metadata.

Now the way it works is, this user can still see the dashboard edit button and can attempt to add visualizations and change the dashboard options, but upon clicking save, the user will meet with "action [indices:data/write/index] is unauthorized for user [xyz]" and be unable to save the changes.

I hope that helps!

Archana (a5a)

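The role body this thread arrives at, as an added example that is not part of any post: the definition from the question with view_index_metadata added next to read on .kibana*, merged with the read grant on the data indices from the follow-up. Placing both grants in a single role is an assumption; the index names are the ones quoted in the thread.

```json
{
  "cluster": ["monitor"],
  "indices": [
    {
      "names": [ ".kibana*" ],
      "privileges": ["read", "view_index_metadata"]
    },
    {
      "names": [ ".reporting*" ],
      "privileges": ["all"]
    },
    {
      "names": [ "idx_zzit_wapi*", "aliaszzit_wapi*" ],
      "privileges": ["read"]
    }
  ]
}
```

With no write privilege on .kibana*, the save attempt is what gets rejected, with the "action [indices:data/write/index] is unauthorized" error quoted above.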

Thank you for your answer, Archana,

Could you please tell me if this new dashboard-only mode will be available/usable even if we don't have X-Pack Security installed?

Hi cedric1~

It does require X-Pack Security. I'm looking into updating that blog post to be more informative about that. Could be misleading otherwise.

-Archana
