I've had advice on and seen postings that list different sets of privileges for the average kibana end-user but we're still getting errors which I'm sure are related to an incorrect set of privileges.
https://www.elastic.co/guide/en/shield/current/defining-roles.html states:
# Only read operations on indices named events_*
events_user:
indices:
'events_*':
privileges: read
https://www.elastic.co/guide/en/shield/current/_granting_privileges_for_specific_actions.html lists privileges for specific index actions.
https://www.elastic.co/guide/en/shield/current/kibana.html lists the privileges for a kibana user as a list of those actions.
What is the 'best' set for the following (I think obvious) use-case for a new non-admin kibana user to have granted to them:
- Login (to Discover page)
- Navigate to the Dashboard page
- Open a pre-made dashboard with a set of visualizations based on their index-pattern
- Create, edit and delete visualizations based on their index-pattern
Is this correct:
my_user:
cluster:
- cluster:monitor/nodes/info
- cluster:monitor/health
indices:
'my_users_indices-*':
- indices:admin/mappings/fields/get
- indices:admin/validate/query
- indices:data/read/search
- indices:data/read/msearch
- indices:admin/get
'.kibana':
- indices:admin/create
- indices:admin/exists
- indices:admin/mapping/put
- indices:admin/mappings/fields/get
- indices:admin/refresh
- indices:admin/validate/query
- indices:data/read/get
- indices:data/read/mget
- indices:data/read/search
- indices:data/write/delete
- indices:data/write/index
- indices:data/write/update