Why the user who is not authorized is able to create dashboard/reports in kibana

security

(Vikas Gopal) #1

Hi Experts,

I am new to Shield, so I am following the "http://blog.trifork.com/2015/03/05/shield-your-kibana-dashboards/" blog to start. I have done almost everything, i.e.
--> Installed Shield
--> Created 2 users (vikas, gopal) and assigned roles to them (vikas as teacher, gopal as student)
--> Using logstash I am creating 2 indexes (class, student)
--> The teacher role has access to both the indexes, but gopal can only work on the student index
--> I authorized both the users for Kibana with the commands
esusers roles vikas -a kibana4
esusers roles gopal -a kibana4

Problem

When I log in to Kibana with the gopal user, which is only authorized for student, it is also able to create dashboards or reports on the class index, which I am not able to understand. Can't we restrict the user at the first stage in Kibana, that is, on the configure index page (first page of Kibana)? I mean Kibana should not allow this user to fetch the class index.


(Jay Modi) #2

Hi,

Can you share the exact role definitions you have used? Also, can the gopal user actually view the data in the class index, or does it just create a dashboard for it with no data shown?

-Jay


(Vikas Gopal) #3

Thanks Jay for your prompt response.
Here are my role (teacher, stu) definitions in roles.yml:

teacher:
  indices:
    'student_info,class_detail':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
stu:
  indices:
    'student_info':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get

The required permissions for Kibana 4 users:

kibana4:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

Now coming to the second point: with the gopal user I can see 11 records in the Discover page for the class_detail index, however if I add fields it shows no data.


(Jay Modi) #4

I think for your case, you would need to define just a kibana4_user role with access to the .kibana index and then you can use your other roles to authorize the specific indices. I haven't tested this out yet, but I think it may work.

Add the following role to your roles.yml:

kibana4_user:
  indices:
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

Then remove the kibana4 role from your users and add the kibana4_user role to them. This way the indices that they have permission to access are limited by their true permissions.

Let me know how this goes.

Jay
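To make the difference between the two role setups concrete, here is an added Python model (not part of this thread and not Shield's own code) that resolves a user's effective index privileges from roles.yml-style definitions: privileges are additive across a user's roles, and the '*' pattern in the stock kibana4 role matches every index, which is why a stu user still passes the search check on class_detail. The role contents are constructed from the fragments posted above (trimmed to the privileges that matter here), and the comma-separated glob handling of index names is an assumption about Shield's matching.

```python
import fnmatch

# Constructed from the roles.yml fragments in this thread (privilege lists shortened).
ROLES = {
    "kibana4": {  # stock role: '*' grants read on every index
        "indices": {
            "*": ["indices:admin/mappings/fields/get", "indices:data/read/search",
                  "indices:data/read/msearch", "indices:admin/get"],
            ".kibana": ["indices:admin/exists", "indices:data/read/get",
                        "indices:data/read/search", "indices:data/write/index"],
        }
    },
    "kibana4_user": {  # suggested role: only the .kibana index
        "indices": {
            ".kibana": ["indices:admin/exists", "indices:data/read/get",
                        "indices:data/read/search", "indices:data/write/index"],
        }
    },
    "teacher": {"indices": {"student_info,class_detail": ["indices:data/read/search"]}},
    "stu": {"indices": {"student_info": ["indices:data/read/search"]}},
}


def is_allowed(roles, user_roles, index, privilege):
    """True if any of the user's roles grants `privilege` on `index`.

    Index keys are comma-separated glob patterns (assumed Shield semantics);
    a role that lacks the privilege simply contributes nothing, so one
    over-broad role such as kibana4 is enough to open an index.
    """
    for role_name in user_roles:
        for patterns, privs in roles.get(role_name, {}).get("indices", {}).items():
            for pattern in patterns.split(","):
                if fnmatch.fnmatchcase(index, pattern.strip()) and privilege in privs:
                    return True
    return False


def searchable_indices(roles, user_roles, known_indices):
    """Indices on which the user can run a search (what Kibana's Discover needs)."""
    return sorted(i for i in known_indices
                  if is_allowed(roles, user_roles, i, "indices:data/read/search"))


if __name__ == "__main__":
    indices = ["student_info", "class_detail", ".kibana"]
    print("gopal with kibana4:     ", searchable_indices(ROLES, ["kibana4", "stu"], indices))
    print("gopal with kibana4_user:", searchable_indices(ROLES, ["kibana4_user", "stu"], indices))
```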


(Vikas Gopal) #5

No, it did not work for me; only the admin user can see both the indexes in Kibana. As you mentioned, I added the above role in roles.yml and then assigned this role to my users. I also had to put the

cluster:
  - cluster:monitor/nodes/info
  - cluster:monitor/health

statement; without this I was getting an error on the login page for Kibana. I am not sure what I am doing wrong?
And I guess I had already assigned the kibana4 role to my users by using the esusers roles vikas -a kibana4 command earlier.


(Jay Modi) #6

The reason I suggested the new role is that the default kibana role grants some access to all indices, and the user role in combination with other privileges should restrict the access.

To be clear, even after adding the cluster privileges, were you able to access the data as expected?


(Vikas Gopal) #7

True, even with the cluster privileges I did not get the desired result. Yes, you are right, the default kibana role grants access to all indices because it has * under indices:

indices:
  '*':
    - indices:admin/mappings/fields/get
    - indices:admin/validate/query
    - indices:data/read/search
    - indices:data/read/msearch
    - indices:admin/get

Even in the blog, they modified it and removed this portion. But for me, after removing this section, except the admin user nobody else is able to fetch an index in Kibana. If I use this section then any user can fetch any index, but while adding fields in Discover it shows blank as per the privileges. I am definitely missing out on something. My question is, can't we stop the user at the first stage in Kibana? I mean, only if the user is authorized can he fetch the index?


(Jay Modi) #8

Hi Vikas,

Sorry for the delay. I needed to find some time to recreate what you've described and I see what you are saying. The fields that the user is seeing (that they don't have access to) are actually being stored in the .kibana index when the index pattern is added to Kibana. This isn't ideal and is a limitation that's on our roadmap to solve in the future. One of the steps that needs to happen first is adding improved authentication support to Kibana 4.

-Jay

