What is the best set of privileges for non-admin kibana user?

security

(Craig Foote) #1

I've had advice on and seen postings that list different sets of privileges for the average kibana end-user but we're still getting errors which I'm sure are related to an incorrect set of privileges.

https://www.elastic.co/guide/en/shield/current/defining-roles.html states:

# Only read operations on indices named events_*
events_user:
  indices:
    'events_*':
      privileges: read

https://www.elastic.co/guide/en/shield/current/_granting_privileges_for_specific_actions.html lists privileges for specific index actions.

https://www.elastic.co/guide/en/shield/current/kibana.html lists the privileges for a kibana user as a list of those actions.

What is the 'best' set for the following (I think obvious) use-case for a new non-admin kibana user to have granted to them:

  • Login (to Discover page)
  • Navigate to the Dashboard page
  • Open a pre-made dashboard with a set of visualizations based on their index-pattern
  • Create, edit and delete visualizations based on their index-pattern

Is this correct:

my_user:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    'my_users_indices-*':
      privileges:
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:admin/get
    '.kibana':
      privileges:
        - indices:admin/create
        - indices:admin/exists
        - indices:admin/mapping/put
        - indices:admin/mappings/fields/get
        - indices:admin/refresh
        - indices:admin/validate/query
        - indices:data/read/get
        - indices:data/read/mget
        - indices:data/read/search
        - indices:data/write/delete
        - indices:data/write/index
        - indices:data/write/update
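A least-privilege check for a role definition like the one above, added here as an example; it is not code from the original post or from Elastic. It parses the small roles.yml subset shown in this thread (nested keys plus `- item` lists) without PyYAML, then reports any cluster action beyond monitoring, any write or mapping-changing action on an index pattern other than `.kibana`, and any wildcard pattern that would also match `.kibana`. The set of actions treated as read-only and the `privileges:` key under each index pattern are this example's assumptions, taken from the actions and the docs snippet quoted in the post.

```python
"""Least-privilege audit of a Shield-style roles.yml fragment.

Added example, not code from the original post or from Elastic. It parses the
small YAML subset that Shield role files use (nested keys plus '- item' lists)
without any third-party library, then checks that a Kibana end-user role grants
only read actions on the data indices and confines write actions to '.kibana'.
"""
from fnmatch import fnmatch

# Index actions that only read data or metadata. This classification is the
# example's own assumption, built from the actions named in the post; anything
# not listed (indices:data/write/*, indices:admin/create, ...) counts as mutating.
READ_ONLY_ACTIONS = {
    "read",                          # the named privilege from the docs example
    "indices:admin/exists",
    "indices:admin/get",
    "indices:admin/mappings/fields/get",
    "indices:admin/validate/query",
    "indices:data/read/get",
    "indices:data/read/mget",
    "indices:data/read/search",
    "indices:data/read/msearch",
}

# Constructed sample: the role proposed in the post, with the 'privileges:' key
# that the Shield docs example places under each index pattern.
ROLE_TEXT = """\
my_user:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    'my_users_indices-*':
      privileges:
        - indices:admin/mappings/fields/get
        - indices:admin/validate/query
        - indices:data/read/search
        - indices:data/read/msearch
        - indices:admin/get
    '.kibana':
      privileges:
        - indices:admin/create
        - indices:admin/exists
        - indices:admin/mapping/put
        - indices:data/read/get
        - indices:data/write/delete
        - indices:data/write/index
        - indices:data/write/update
"""


def parse_roles(text):
    """Parse the indentation-based roles.yml subset used in the post.

    Returns {role_name: {"cluster": [...], "indices": {pattern: {"privileges": [...]}}}}.
    A key with no inline value becomes a list or a mapping depending on its
    first child line, which is all this subset needs.
    """
    root = {}
    stack = [(-1, root, None)]          # (indent, holder, key); container is holder[key]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        item = line.strip()
        while stack[-1][0] >= indent:   # close every block nested deeper than this line
            stack.pop()
        _, holder, key = stack[-1]
        container = root if key is None else holder[key]
        if item.startswith("- "):
            if container is None:       # first child decides: this key holds a list
                container = holder[key] = []
            if isinstance(container, list):
                container.append(item[2:].strip().strip("'\""))
            continue
        if container is None:           # first child decides: this key holds a mapping
            container = holder[key] = {}
        if not isinstance(container, dict):
            continue
        k, _, v = item.partition(":")
        k = k.strip().strip("'\"")
        v = v.strip()
        if v:                           # scalar or comma list on one line, e.g. "privileges: read"
            container[k] = [p.strip().strip("'\"") for p in v.split(",")]
        else:
            container[k] = None
            stack.append((indent, container, k))
    return root


def audit_role(role, kibana_index=".kibana"):
    """Return findings for privileges beyond a read-only Kibana end-user's needs.

    An empty list means the role passes the check.
    """
    findings = []
    for action in role.get("cluster") or []:
        if not action.startswith("cluster:monitor/"):
            findings.append(f"cluster: {action} goes beyond monitoring")
    for pattern, spec in (role.get("indices") or {}).items():
        actions = (spec.get("privileges") or []) if isinstance(spec, dict) else (spec or [])
        if pattern == kibana_index:
            continue                    # Kibana must write its own saved objects here
        if fnmatch(kibana_index, pattern):
            findings.append(f"{pattern}: wildcard also matches {kibana_index}")
        for action in actions:
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"{pattern}: {action} can modify data or mappings")
    return findings


def audit_text(text):
    """Parse a roles.yml fragment and audit every role it defines."""
    return {name: audit_role(role) for name, role in parse_roles(text).items()}


if __name__ == "__main__":
    for name, findings in audit_text(ROLE_TEXT).items():
        print(name, "->", findings or "no findings")
```

Run against the role in the post, the audit returns no findings: the data-index pattern carries only read actions, and the write actions are confined to `.kibana`. Pointing it at a role that uses `cluster: all` or a `'*'` pattern produces one finding per over-broad grant, which is the kind of review worth doing before handing a role to a new end-user.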
