Security

Hi,

I have enabled security in elasticsearch and kibana.
I have created a user with only the built-in kibana_user role assigned to it.

It seems this user can create other users and assign whatever role he wants to them, and also edit his own user's roles, for example adding the superuser role... this can't be normal?

Elasticsearch version 6.8.1
Kibana runs on one of the master nodes

Hi @gregorys,

It is best if you create your own role with the privileges you want. Check out the following; it explains the kibana_user role's access:
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/built-in-roles.html

Thanks,
Liza

Hey,

The problem remains.
I have created a role with these privileges:

cluster: manage_index_templates, monitor
index: dev-*: all privileges
kibana spaces: none

This user is able to log on and create users, assign any role (including superuser) to users, ...

@Brandon_Kobel can you help give more details on how to setup a user role with more restricted access?

I was able to reproduce this on our staging environment, running 7.2.
This occurs when anonymous access has been enabled in Elasticsearch.

xpack.security.authc:
  anonymous:
    roles: superuser
    authz_exception: true

Apparently, when this is enabled, the user that is authenticating in Kibana also gets assigned the role that has been set for the anonymous user.
Is this expected behaviour...?

Hey @gregorys, it's "expected" in that it's a known bug we need to fix. https://github.com/elastic/kibana/issues/35613 discusses some aspects of the current behavior, and why Kibana does what it does. Elasticsearch treats the anonymous user as the set of privileges that all users are granted. For example, if you enable the anonymous user in Elasticsearch and then you authenticate and provide the credentials for a user with no roles, they'll get the privileges of the anonymous user. The only way to overcome this behavior is to no longer use the anonymous user in Elasticsearch.

Ideally, would Kibana no longer require the end-user to login in your situation and automatically allow them to be authenticated as the anonymous user?

Thanks for the clarification.
The anonymous access in our situation is just for a temporary period, to allow all integrations to add security to the elasticsearch output.

I'll create a new role with more strict permissions, and assign this role for anonymous access.

Thanks
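The rule Brandon describes (the anonymous user's roles are the baseline that every authenticated user also gets) and the fix gregorys settles on (a strict role for anonymous access instead of superuser) can both be checked offline. The following is an added example written for this page, not code from Elastic or from the thread; it models the role merge in plain Python and audits a config dict mirroring elasticsearch.yml. The role names `ingest_only` and `dev_reader`, the role definitions and the user list are constructed for illustration and are not on the original page.

```python
"""Added example (not from the original thread): model how Elasticsearch merges the
anonymous user's roles into every authenticated user's roles, and audit a config for
the privilege escalation described in the thread.

Assumptions (not stated on the page): the roles `ingest_only` and `dev_reader`, their
cluster privileges, and the user list below are constructed for illustration.
"""

SUPERUSER = "superuser"

# Cluster privileges that allow creating users or changing role assignments.
# `manage_security` is the privilege behind the user/role APIs; `all` implies it.
USER_MANAGEMENT_PRIVS = {"all", "manage_security"}

# Constructed role definitions (cluster privileges only, enough for this audit).
ROLES = {
    "superuser": {"cluster": ["all"]},
    "kibana_user": {"cluster": []},
    "ingest_only": {"cluster": ["monitor"]},  # assumed hardened anonymous role
    "dev_reader": {"cluster": ["manage_index_templates", "monitor"]},
}


def effective_roles(user_roles, anonymous_roles, anonymous_enabled):
    """Roles Elasticsearch authorizes with for an authenticated user.

    When anonymous access is enabled, the anonymous roles are the baseline every
    user receives, so they are unioned into the user's own roles.
    """
    roles = set(user_roles)
    if anonymous_enabled:
        roles |= set(anonymous_roles)
    return roles


def cluster_privileges(roles):
    """Union of cluster privileges granted by a set of role names."""
    privs = set()
    for role in roles:
        privs |= set(ROLES.get(role, {}).get("cluster", []))
    return privs


def can_manage_users(roles):
    """True if this role set can create users or assign roles (incl. superuser)."""
    if SUPERUSER in roles:
        return True
    return bool(cluster_privileges(roles) & USER_MANAGEMENT_PRIVS)


def audit(config, users):
    """Return {username: effective role set} for every user able to manage users."""
    anon = config.get("xpack.security.authc", {}).get("anonymous")
    enabled = anon is not None
    anon_roles = anon.get("roles", []) if enabled else []
    if isinstance(anon_roles, str):  # elasticsearch.yml accepts a scalar or a list
        anon_roles = [anon_roles]
    findings = {}
    for name, roles in users.items():
        eff = effective_roles(roles, anon_roles, enabled)
        if can_manage_users(eff):
            findings[name] = eff
    return findings


# The weak configuration from the thread, as a dict mirroring elasticsearch.yml.
WEAK_CONFIG = {
    "xpack.security.authc": {
        "anonymous": {"roles": "superuser", "authz_exception": True},
    }
}

# Hardened variant: anonymous keeps only what unauthenticated integrations need
# (constructed role), never superuser.
HARDENED_CONFIG = {
    "xpack.security.authc": {
        "anonymous": {"roles": "ingest_only", "authz_exception": True},
    }
}

# Constructed users: the restricted users from the thread plus one real admin.
USERS = {
    "gregorys_restricted": ["dev_reader"],
    "kibana_only": ["kibana_user"],
    "admin": ["superuser"],
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, sorted(audit(cfg, USERS)))
```

With `WEAK_CONFIG` every user, including the one holding only `kibana_user`, is reported as able to manage users, which is exactly what gregorys observed; with `HARDENED_CONFIG` only `admin` is. Against a live cluster the equivalent check is to authenticate as the restricted user and call `POST /_security/user/_has_privileges` with `{"cluster": ["manage_security"]}`: a `has_all_requested: true` response means the anonymous role is leaking into that user's privileges.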
