Time Picker issue in Kibana with Shield

security

(Krishna Chaitanya) #1

I created 1 admin (File realm) and 2 users (Native realm) using Shield.

Admin was created with the esusers -r admin command (so, all indices, all privileges).
User1 has "all privileges" to 3 indices in the cluster.
User2 has "all privileges" to 5 indices in the cluster (with field level security).

I could execute queries on the ES side without any issues. I configured Kibana with the link provided in the docs here.

But when I log in using the user credentials (either User1 or User2), I cannot see the "Time Picker" in the top-right hand corner of the Kibana Dashboard. If I log in as Admin, I can see it. I would like to have this Time Picker in Kibana even for native users. Please help me out.


(Steve Kearns) #2

Which version(s) are you using?


(Krishna Chaitanya) #3

Kibana 4.6
ES 2.4
Shield 2.4


(Steve Kearns) #4

Thanks! Each of the users will need "kibana user" privileges, which grant them access to the .kibana index, and cluster monitoring.

Here's an example kibana_user role derived from here:

kibana_user:
  cluster:
      - monitor
  indices:
    - names: '.kibana*' 
      privileges:
        - manage
        - read
        - index

If you create this role and assign it to those two users, I expect that Kibana will begin working as expected. tbh, I haven't heard of the time picker not showing up, but I'm imagining it's related.


(Krishna Chaitanya) #5

Yes. I have given the privileges to both the users to access .kibana index. Otherwise, I was not even able to open the Kibana dashboard using these user credentials.

I created 2 roles Role1, Role2 and assigned Role1 to User1 and Role2 to User2. Below are the commands:

curl -u admin -XPOST 'http://localhost:9200/_shield/role/role1' -d'
{
  "cluster": ["all"],
  "indices": [
     {
        "names": [<some indices>, ".kibana*"],
        "privileges": ["all"]
     }
   ]
}'

curl -u admin -XPOST 'http://localhost:9200/_shield/role/role2' -d'
{
  "cluster": ["all"],
  "indices": [
     {
        "names": [<some other indices>, ".kibana*"],
        "privileges": ["all"],
        "fields": [<some fields including @timestamp field>]
     }
   ]
}'

I can see the entire Kibana Dashboard exactly as I want based on the user roles I created. But the only problem is that, for these users, I cannot see the TimePicker in the top-right hand corner. If I log in as admin, I can see the TimePicker.

This admin user is created in the File realm (esusers -r admin), whereas the users are created in the Native realm. I also gave the following configuration in elasticsearch.yaml:

shield:
  authc:
    realms:
      native:
        type: native
        order: 0
      file:
        type: file
        order: 1
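
An added example, not part of any reply in this thread: a small Python check that compares a Shield role body with the kibana_user role from reply #4 and lists grants on .kibana that go beyond it. The sample roles are constructed; 'logs-*', the field names, and the function and variable names are assumptions, and name matching is simplified to * and ? wildcards.

```python
from fnmatch import fnmatchcase

# Requirements copied from the kibana_user role in reply #4.
NEED_CLUSTER = "monitor"
NEED_INDEX_PRIVS = {"manage", "read", "index"}
KIBANA_INDEX = ".kibana"


def audit_role(role):
    """Compare one Shield role body with kibana_user.

    Returns (missing, notes): privileges Kibana still lacks, and grants on
    .kibana that go beyond kibana_user.
    """
    missing, notes = [], []
    cluster = set(role.get("cluster", []))
    if "all" in cluster:
        notes.append("cluster 'all' is broader than 'monitor'")
    elif NEED_CLUSTER not in cluster:
        missing.append("cluster:" + NEED_CLUSTER)

    granted = set()
    for entry in role.get("indices", []):
        # Simplification: only * and ? wildcards, not regex-style names.
        names = entry.get("names", [])
        if not any(fnmatchcase(KIBANA_INDEX, n) for n in names):
            continue
        privs = set(entry.get("privileges", []))
        granted |= privs
        if "all" in privs:
            notes.append("index 'all' on .kibana exceeds manage/read/index")
        if "fields" in entry:
            # A fields list applies to every index named in the same entry.
            notes.append("field level security also applies to .kibana")
    if "all" not in granted:
        missing += sorted("index:" + p for p in NEED_INDEX_PRIVS - granted)
    return missing, notes


# Constructed samples: 'logs-*' and the field names are placeholders.
KIBANA_USER = {"cluster": ["monitor"], "indices": [
    {"names": [".kibana*"], "privileges": ["manage", "read", "index"]}]}
COMBINED = {"cluster": ["all"], "indices": [
    {"names": ["logs-*", ".kibana*"], "privileges": ["all"],
     "fields": ["@timestamp", "message"]}]}
DATA_ONLY = {"cluster": [], "indices": [
    {"names": ["logs-*"], "privileges": ["read"]}]}

if __name__ == "__main__":
    for label, body in [("kibana_user", KIBANA_USER), ("combined", COMBINED)]:
        print(label, audit_role(body))
```

Keeping Kibana access in its own role, separate from the data-index roles, means the notes list stays empty for it and each data role can be reviewed on its own.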

(Harsh Jain) #6

Have you installed Kibana in the /opt/kibana/installedPlugins directory yet? I believe I ran into something similar.

If you're using Shield, see step 6 here: https://www.elastic.co/guide/en/shield/current/kibana.html


(Krishna Chaitanya) #7

I haven't done that, but the problem seems to be solved. I cannot reproduce the issue now. All I did was delete all the indices, including the .kibana index, and restart Kibana. I think the problem might be with the .kibana index caching some data, and I have been managing lots of user roles and users, and performing snapshots and restores.

I will keep your suggestion in mind, and if I come across this issue again, I will give Step 6 from your link a try.

