Superuser access in each Space

How do you implement superuser access to every Space for any users that need that level of access? For example, in a deployment utilizing SAML for access, a user has superuser privileges in one Space to manage everything, but when they change Spaces to make edits they have limited privileges even though they should be a superuser. Overall, we need a way to have our Elastic admins go into any Space and have superuser privileges within each one. At this time, the way things are set up, that isn't happening.

Hi @Ryan_Downey

You'll have to show us how you set it up and what the results are.

When I log into the different Space called "Cloud Users" and look in the upper right-hand corner, it has my name and email address, Ryan@it.com, and that user should have superuser privileges. Since we also have SAML built in, the role mappings should also provide Ryan@it.com with superuser privileges. Yet, when I go into the Cloud Users space --> Alerts --> Manage Rules, there are rules created by other users that I can't edit. This is the SAML role_mapping.

{
  "saml1_admins": {
    "enabled": true,
    "roles": [
      "superuser"
    ],
    "rules": {
      "all": [
        {
          "field": {
            "realm.name": "saml1"
          }
        },
        {
          "field": {
            "groups": "kibana_group"
          }
        },
        {
          "field": {
            "username": [
              "Ryan@it.com"
            ]
          }
        }
      ]
    },
    "metadata": {}
  }
}

A user called Ryan with the superuser role was also created but that doesn't seem to have helped at all either.
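As an added example (not from this thread and not Elastic's own code), here is a small evaluator for the role-mapping rule DSL used in the mapping above; it assumes user attributes are a flat dict keyed by the rule field names and does not support wildcard patterns. It shows that with `all`, a login that fails any single condition (wrong realm, missing group) receives no roles from that mapping, which is worth checking before assuming a same-named native user is covered.

```python
# Added example, not from the thread: a small evaluator for the
# Elasticsearch role-mapping rule DSL (all / any / except / field).
# Assumption: user attributes are a flat dict keyed by rule field names.

MAPPINGS = {
    "saml1_admins": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"groups": "kibana_group"}},
            {"field": {"username": ["Ryan@it.com"]}},
        ]},
    }
}

def _field_match(user, name, expected):
    # Attribute and expected value may each be a scalar or a list;
    # the rule matches if any attribute value equals any expected value.
    actual = user.get(name)
    actual = actual if isinstance(actual, list) else [actual]
    wanted = expected if isinstance(expected, list) else [expected]
    return any(a in wanted for a in actual)

def evaluate(rule, user):
    """Return True if a rule (or nested rule tree) matches the user."""
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        (name, expected), = rule["field"].items()
        return _field_match(user, name, expected)
    raise ValueError(f"unknown rule: {rule!r}")

def granted_roles(user, mappings=MAPPINGS):
    """Roles granted by every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)

# Constructed sample users: one SAML login that satisfies all three
# conditions, one with the same username but missing the group.
ADMIN = {"username": "Ryan@it.com", "realm.name": "saml1",
         "groups": ["kibana_group", "staff"]}
NO_GROUP = {"username": "Ryan@it.com", "realm.name": "saml1", "groups": []}
```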

Go to Kibana Dev Tools, logged in as you are, in the Space you are in, and run

GET /_security/user/_privileges

See what privileges you really have.

It looks to be close to superuser, if not the actual privileges for superuser:

{
  "cluster": [
    "all"
  ],
  "global": [],
  "indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "all"
      ],
      "allow_restricted_indices": false
    },
    {
      "names": [
        "*"
      ],
      "privileges": [
        "monitor",
        "read",
        "read_cross_cluster",
        "view_index_metadata"
      ],
      "allow_restricted_indices": true
    }
  ],
  "applications": [
    {
      "application": "*",
      "privileges": [
        "*"
      ],
      "resources": [
        "*"
      ]
    }
  ],
  "run_as": [
    "*"
  ],
  "remote_indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "all"
      ],
      "allow_restricted_indices": false,
      "clusters": [
        "*"
      ]
    },
    {
      "names": [
        "*"
      ],
      "privileges": [
        "monitor",
        "read",
        "read_cross_cluster",
        "view_index_metadata"
      ],
      "allow_restricted_indices": true,
      "clusters": [
        "*"
      ]
    }
  ]
}

Hmmmm interesting... I don't have an answer for you right now.
Alerts are "Space Aware" so I am curious if those were created in another space.
Also do you see the "Read Only" Icon (looks like a pair of glasses) on the Kibana Screen somewhere top right?

I would have to try to reproduce, which I don't have the time for right this minute.

Since you are an Elastic Cloud customer, you could open a support ticket and ask; give as much detail as you can.

Can you provide a screenshot of the "I can't edit"?

I can work on getting more details to you through the support team. I'll try to get it in by EOD today and use the internal channels so you are notified when I send it in. Appreciate the help. Edit: I also talked to one of my colleagues and he mentioned some other things to check so I will implement those suggestions and pass the results along.

Hi @Ryan_Downey, just to set expectations and to be clear, I am not Support (Elastic Product Support through your Subscription), so I will not be part of that, nor will I work on your support ticket.

This is the community forum, which is completely separate. I am Elastic staff, but I only "volunteer" here.

Happy to help where I can, but Internal Elastic Support will not be reaching out to me.


Aaahhh, got it. Appreciate the clarification.
