Hello @Yang_Wang and @wa7son, thank you for your attention to this topic. We run several Elastic instances hosted by elastic.co.
What we are trying to achieve is to leverage Kibana dashboards (hosted by elastic.co) as embedded components in our solution. As such, the (statically defined) Kibana user and roles are to be restricted for the current session to the subset of documents that this session is supposed to have access to. We are following the ABAC authorization approach to do so, as Bikram explained.
What we really would like to do is to create a (time-limited) user session token with the attribute constraints and place that token into the user's browser. For this we would need an API call to create this user token, which as @wa7son said, is not publicly available.
The alternative seemed to be to create an API key, which, as the Kibana documentation says at API Keys | Kibana Guide [master] | Elastic, are "secondary credentials so that you can send requests on behalf of a user. Secondary credentials have the same or lower access rights".
Sounds like exactly what we need, a derivative of our user credential that
- has our ABAC attributes / constrained
- is time limited / needs to be refreshed
If API keys are deprecated then I think this should be on the documentation page above. What is the replacement mechanism? Knowing this is fairly important to us as we are basing future development and use of elastic.co on this functionality.
Thank you for your help and guidance.
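
An added example, not part of the original post and not Elastic's code: one way to build the request body for Elasticsearch's create API key call (`POST /_security/api_key`) so that the key carries the session's attribute constraints as a document-level security query and expires on its own. The field names, index pattern, role name `session_scope`, key name prefix and the 15-minute lifetime are assumptions made for illustration.

```python
import base64


def build_api_key_request(session_id, index_pattern, attributes, ttl="15m"):
    """Body for Elasticsearch's create API key call (POST /_security/api_key).

    attributes maps a document field to the values this session may see,
    e.g. {"tenant_id": ["t-42"]} (constructed field names).
    """
    if not attributes:
        # Fail closed: without constraints the key would see every document
        # the owning user can read.
        raise ValueError("at least one attribute constraint is required")
    filters = []
    for field, allowed in sorted(attributes.items()):
        values = sorted(set(allowed))
        if not values:
            raise ValueError(f"no allowed values for {field!r}")
        filters.append({"terms": {field: values}})
    return {
        "name": f"embed-{session_id}",
        "expiration": ttl,  # time limit; issue a new key to refresh
        "role_descriptors": {
            # Hypothetical role name. The key's effective rights are the
            # intersection of this descriptor and the owning user's rights.
            "session_scope": {
                "indices": [{
                    "names": [index_pattern],
                    "privileges": ["read"],
                    # Document-level security: only matching documents
                    # are visible to requests made with this key.
                    "query": {"bool": {"filter": filters}},
                }]
            }
        },
        "metadata": {"session_id": session_id},
    }


def authorization_header(key_id, api_key):
    """Authorization header value from the id and api_key in the response."""
    token = base64.b64encode(f"{key_id}:{api_key}".encode()).decode()
    return f"ApiKey {token}"
```
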