Why can kibana_dashboard_only_user hide navigation menu items but a custom role cannot?

security

(Sjaak) #1

Hi

I've been breaking my head over this for two days and I just can't figure it out.

For whatever reason the kibana_dashboard_only user role can hides all navigation menus except for the dashboard button (good).

If I recreate the exact same role (except for the _reserved part as it seems hard coded) all the menu items show up (bad).

Why? I absolutely fail to see why having the EXACT SAME SETTINGS doesn't give the same result. It makes zero sense and is extremely frustrating.

kibana_dashboard_only

  "kibana_dashboard_only_user": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".kibana*"
        ],
        "privileges": [
          "read",
          "view_index_metadata"
        ]
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "read"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {
      "_reserved": true
    },
    "transient_metadata": {
      "enabled": true
    }

My custom dashboard only user

  "kibana_dashboard_test": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".kibana2*"
        ],
        "privileges": [
          "read",
          "view_index_metadata"
        ]
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana2",
        "privileges": [
          "read"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }

kibana.yml

elasticsearch.url: "https://elasticcloud:9243"
kibana.index: ".kibana2"
xpack.security.enabled: true
elasticsearch.username: "user"
elasticsearch.password: "password"


(Albert Zaharovits) #2

Hi @Sjaak01,

No reason to get frustrated over this!
You are indeed right, the role is hardcoded on the Kibana side. That is, the user it's shown only the dashboard if it has the "kibana_dashboard_only" role.
Kibana is moving away from this implementation with the adoption of Kibana Spaces (coming soon), implemented with the applications privileges which you can see on the role you have pasted.

What is the reason you wish to have another role similar to "kibana_dashboard_only"?


(Sjaak) #3

I'm sorry, its been a long couple of days and this is kind of the last piece of the puzzle I need to figure out so I was getting worked up over it.

The reason I want a second dashboard only user is multi tenancy and hiding dashboards from different users.

But as you said I am very much looking forward to spaces because if it works the way I hope it does, there is no need for my current work around with multiple Kibana instances.

Can you give a hint as to how soon soon is? :wink:


(Tim Vernum) #4

It is possible to configure Kibana to treat your custom role as a "dashboard only" role.

The docs for this are here:


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.