Shield - The user can see everything?

security

(Veve90) #1

Hello,

I need some help with Shield configuration.

Firstly I installed ELK and it worked perfectly. Then I wanted to add Shield. I created the roles, and 2 users that I wanted for Kibana. One that should have access to everything and one to only part of indices.

However, the one that should have access only to one part of the indices is visualizing everything and I wonder if this isn't because in the kibana.yml I have

kibana_elasticsearch_username: kibana4-user
kibana_elasticsearch_password: kibana4-password

as it was suggested in the tutorial: https://www.elastic.co/guide/en/kibana/current/production.html

...

Thank you!


(Mark Walkom) #2

Can you provide more details around the users you created and the roles?


(Steve Kearns) #3

In this case, it looks like you will need 3 shield users.

User 1: The user for the Kibana server. This user must be granted only the kibana4_server role, and should be the user you configure in the kibana.yml. This user will perform administrative tasks on behalf of the Kibana server.
User 2: This is the user that should have read access to all indices. Grant this user the kibana4 user role (which, by default, has read access to all indices).
User 3: This is the user that should have read access to some but not all indices. For this user, create a new role, based on the kibana4 role, but instead of granting access to * in the role, change that to reference only the specific indices you want this user to see.

Note that you will have to make sure that the users, roles and user role mapping files are in sync (identical) on all nodes in your Elasticsearch cluster. This will get easier in an upcoming release, where we will add a new configuration API that will automatically sync across the cluster. However, for now, you will need to keep these files in sync manually (or preferably with automation tools).

Thanks
Steve


(Veve90) #4

I have looked for hours,
the mistake was that I created the 2 users but I gave to both of them the role admin...
In order to check what roles you have assigned to a user: bin/shield/esusers list
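
A way to catch both problems raised in this thread (a user holding a broader role than intended, and role files drifting between nodes), as an added example that is not part of the original posts. It assumes the `users_roles` file uses `role:user1,user2` lines; the user names `alice` and `bob` and the role `logs_reader` are constructed, while `admin`, `kibana4`, `kibana4_server` and `kibana4-user` come from the thread.

```python
from collections import defaultdict

# Assumption: each users_roles line reads "role:user1,user2".
def parse_users_roles(text):
    """Return {user: set_of_roles} from the content of a users_roles file."""
    roles_by_user = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        role, sep, users = line.partition(":")
        if not sep:
            raise ValueError(f"malformed users_roles line: {raw!r}")
        for user in filter(None, (u.strip() for u in users.split(","))):
            roles_by_user[user].add(role.strip())
    return dict(roles_by_user)

def audit(actual, expected):
    """Return (user, unexpected_roles, missing_roles) for every mismatch."""
    findings = []
    for user in sorted(set(actual) | set(expected)):
        have, want = actual.get(user, set()), expected.get(user, set())
        if have != want:
            findings.append((user, sorted(have - want), sorted(want - have)))
    return findings

def nodes_out_of_sync(copies):
    """Given {node: file_text}, list nodes whose mapping differs from the first node's."""
    parsed = {node: parse_users_roles(text) for node, text in copies.items()}
    reference = next(iter(parsed.values()))
    return sorted(node for node, mapping in parsed.items() if mapping != reference)

# Constructed sample data: NODE1 reproduces the mistake from the thread
# (both Kibana users given admin); NODE2 holds the intended assignment.
NODE1 = "admin:alice,bob\nkibana4_server:kibana4-user\n"
NODE2 = "kibana4:alice\nlogs_reader:bob\nkibana4_server:kibana4-user\n"
EXPECTED = {
    "alice": {"kibana4"},                # read access to all indices
    "bob": {"logs_reader"},              # hypothetical restricted role
    "kibana4-user": {"kibana4_server"},  # the account set in kibana.yml
}

if __name__ == "__main__":
    for user, extra, missing in audit(parse_users_roles(NODE1), EXPECTED):
        print(f"{user}: unexpected={extra} missing={missing}")
    print("out of sync:", nodes_out_of_sync({"node1": NODE1, "node2": NODE2}))
```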

