I have just upgraded my cluster to 2.4.0 including Shield and the installation created a new copy of the roles.yml file that looks different to the old one in both format and content.
Here is the complete file without any modifications:
```yaml
# All cluster rights
# All operations on all indices
admin:
  cluster:
    - all
  indices:
    - names: '*'
      privileges:
        - all

# monitoring cluster privileges
# All operations on all indices
power_user:
  cluster:
    - monitor
  indices:
    - names: '*'
      privileges:
        - all

# Read-only operations on indices
user:
  indices:
    - names: '*'
      privileges:
        - read

# Defines the required permissions for transport clients
transport_client:
  cluster:
    - transport_client

# The required permissions for the kibana 4 server
kibana4_server:
  cluster:
    - monitor
  indices:
    - names: '.kibana*'
      privileges:
        - all
    - names: '.reporting-*'
      privileges:
        - all

# The required role for logstash users
logstash:
  cluster:
    - manage_index_templates
  indices:
    - names: 'logstash-*'
      privileges:
        - write
        - read
        - create_index

# Marvel user role. Assign to marvel users.
marvel_user:
  indices:
    - names: '.marvel-es-*'
      privileges: [ "read" ]
    - names: '.kibana'
      privileges:
        - view_index_metadata
        - read

# Marvel remote agent role. Assign to the agent user on the remote marvel cluster
# to which the marvel agent will export all its data
remote_marvel_agent:
  cluster: [ "manage_index_templates" ]
  indices:
    - names: '.marvel-es-*'
      privileges: [ "all" ]
```
In the Shield 2.2.0 version there was a role named kibana4 that is missing from the 2.4.0 file:
```yaml
# The required permissions for kibana 4 users.
kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      privileges: indices:admin/mappings/fields/get, indices:admin/validate/query, indices:data/read/search, indices:data/read/msearch, indices:data/read/field_stats, indices:admin/get
    '.kibana':
      privileges: indices:admin/exists, indices:admin/mapping/put, indices:admin/mappings/fields/get, indices:admin/refresh, indices:admin/validate/query, indices:data/read/get, indices:data/read/mget, indices:data/read/search, indices:data/write/delete, indices:data/write/index, indices:data/write/update
```
Could someone confirm if this is an oversight and the kibana4 role should be present in the 2.4.0 file and if so does it need to be converted to the new format?
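One way to rewrite the 2.2.0 kibana4 role in the list layout of the 2.4.0 file, and to check that the rewrite grants exactly the same rights; this is an added example, not part of the original post and not Shield's own code. It assumes Shield accepts the same action-level privilege names inside the list layout; `convert_role`, `grants` and `render` are hypothetical helper names, and the input dict is constructed from the role quoted above.

```python
# Constructed input: the 2.2.0 kibana4 role from the post, as a YAML parser would load it.
KIBANA4_OLD = {
    "cluster": ["cluster:monitor/nodes/info", "cluster:monitor/health"],
    "indices": {
        "*": {"privileges": "indices:admin/mappings/fields/get, indices:admin/validate/query, "
                            "indices:data/read/search, indices:data/read/msearch, "
                            "indices:data/read/field_stats, indices:admin/get"},
        ".kibana": {"privileges": "indices:admin/exists, indices:admin/mapping/put, "
                                  "indices:admin/mappings/fields/get, indices:admin/refresh, "
                                  "indices:admin/validate/query, indices:data/read/get, "
                                  "indices:data/read/mget, indices:data/read/search, "
                                  "indices:data/write/delete, indices:data/write/index, "
                                  "indices:data/write/update"},
    },
}

def split_privileges(value):
    """Accept a comma-separated string or a list and return a clean list."""
    items = value.split(",") if isinstance(value, str) else value
    return [p.strip() for p in items if p.strip()]

def convert_role(old):
    """Turn the pattern-keyed 'indices' mapping into a list of names/privileges entries."""
    new = {}
    if "cluster" in old:
        new["cluster"] = split_privileges(old["cluster"])
    new["indices"] = [{"names": pattern, "privileges": split_privileges(body["privileges"])}
                      for pattern, body in old.get("indices", {}).items()]
    return new

def grants(role):
    """Set of (index pattern, privilege) pairs granted, for either layout."""
    ind = role.get("indices", {})
    pairs = ind.items() if isinstance(ind, dict) else [(e["names"], e) for e in ind]
    return {(pat, p) for pat, body in pairs for p in split_privileges(body["privileges"])}

def render(name, role):
    """Emit the role as text in the layout of the 2.4.0 file."""
    out = [f"{name}:", "  cluster:"] + [f"    - {p}" for p in role.get("cluster", [])]
    out.append("  indices:")
    for e in role["indices"]:
        out += [f"    - names: '{e['names']}'", "      privileges:"]
        out += [f"        - {p}" for p in e["privileges"]]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    converted = convert_role(KIBANA4_OLD)
    assert grants(converted) == grants(KIBANA4_OLD)  # conversion must not widen or drop rights
    print(render("kibana4", converted))
```

Comparing `grants()` before and after is the useful part when migrating custom roles: a role that silently gains or loses a pattern/privilege pair during reformatting is caught before the file is deployed.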