Base version information: this work is being done on an ELK stack running version 5.6.3 of elasticsearch, kibana, logstash, and x-pack.
I am trying to define multiple levels of roles that can be combined to allow users to exist at 4 levels:
- admin_full_access - this kibana user can manage all indices. No document level filtering is required on any index.
- admin_limited_access - this kibana user can manage all indices, except that in one index there is a field, and they are not allowed to view documents whose value for that field matches a specific value. (So document level filtering is needed for just that single index. Other indices do not contain the field in question).
- user_full_access - this kibana user can read a subset of indices. No document level filtering is required - they can see all documents of the subset of indices.
- user_limited_access - this kibana user can read the same subset of indices as the user_full_access can. Document level filtering the same as with the admin_limited_access user is required for the same specific index.
I am using the file based realm to define the roles for these users because I do not want anyone modifying them from the kibana dashboard. Only a user who can actually ssh into the elasticsearch instances should be able to make those modifications.
Here is essentially what I have set up for the definitions of the roles/users:
```yaml
base_admin_role:
  cluster: ['all']
  indices:
    - names: ['index-that-is-limited*']
      privileges: ['all']
      query: '{"match":{"field-name":"field-value"}}'
base_user_role:
  cluster: ['manage']
  indices:
    - names: ['index-that-is-limited*']
      privileges: ['read']
      query: '{"match":{"field-name":"field-value"}}'
full_admin_index_role:
  indices:
    - names: ['*']
      privileges: ['all']
full_user_index_role:
  indices:
    - names: ['index-that-is-limited', 'the-remaining', 'subset-of', 'indices-that', 'I-want', 'to-have', 'access-to']
      privileges: ['read']
limited_admin_index_role:
  indices:
    - names: ['all-other-indices']
      privileges: ['all']
limited_user_index_role:
  indices:
    - names: ['the-remaining', 'subset-of', 'indices-that', 'I-want', 'to-have', 'access-to']
      privileges: ['read']
```
And the users are then given roles accordingly:
admin_full_access: kibana_dashboard, base_admin_role, full_admin_index_role
admin_limited_access: kibana_dashboard, base_admin_role, limited_admin_index_role
user_full_access: kibana_dashboard, base_user_role, full_user_index_role
user_limited_access: kibana_dashboard, base_user_role, limited_user_index_role
Which seems like a logical way to construct the permissions. However, when I log into kibana using any of the four roles above, they all have full access to every index and document out there. I thought maybe it was the kibana_user role causing the problem, so I removed it and then queried elasticsearch directly using the users/passwords for each to see if the index/document limitations were working that way, but they were not. All four users were still able to access all indices and documents regardless of their user or the content of the field that the queries are set up on.
Please help. I am thoroughly stumped at this point.
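The following is an added model, not part of the question and not Elasticsearch or X-Pack code, of how document level security behaves when a user holds several roles that cover the same index. It implements the rule documented for X-Pack: for a given index, the DLS queries of every role that grants access are OR'ed together, and a role that grants access with no query at all grants every document. The role names, index names and sample documents are constructed to mirror the layout above; the `must_not` form of the query is an assumption about the intended effect (hiding documents whose field matches the value), since a bare `match` query does the opposite and returns only the matching documents. Running it shows which user/index combinations end up unrestricted.

```python
"""Model of X-Pack's combining of document level security (DLS) queries
across multiple roles. Added illustration only; role names, index names and
documents are constructed, and the query evaluator supports just the small
Query DSL subset needed here (match, bool/must, bool/must_not)."""
import fnmatch
import json

# Constructed role definitions in the shape of roles.yml (as a dict).
ROLES = {
    "base_user_role": {
        "cluster": ["manage"],
        "indices": [{
            "names": ["index-that-is-limited*"],
            "privileges": ["read"],
            # Assumed intent: exclude documents whose field matches the value.
            "query": {"bool": {"must_not": {"match": {"field-name": "field-value"}}}},
        }],
    },
    "full_user_index_role": {
        # No query here: grants every document of the indices it names.
        "indices": [{"names": ["index-that-is-limited", "other-index"],
                     "privileges": ["read"]}],
    },
    "limited_user_index_role": {
        "indices": [{"names": ["other-index"], "privileges": ["read"]}],
    },
}

USERS = {
    "user_full_access": ["base_user_role", "full_user_index_role"],
    "user_limited_access": ["base_user_role", "limited_user_index_role"],
}

# Constructed sample documents.
DOCS = {
    "index-that-is-limited": [
        {"_id": "1", "field-name": "field-value", "msg": "hidden from limited users"},
        {"_id": "2", "field-name": "something-else", "msg": "visible to everyone"},
    ],
    "other-index": [{"_id": "3", "msg": "no restricted field here"}],
}


def matches(query, doc):
    """Evaluate the supported Query DSL subset against one document."""
    if "match" in query:
        (field, value), = query["match"].items()
        return doc.get(field) == value
    if "bool" in query:
        clauses = query["bool"]
        ok = True
        if "must" in clauses:
            ok = ok and matches(clauses["must"], doc)
        if "must_not" in clauses:
            ok = ok and not matches(clauses["must_not"], doc)
        return ok
    raise ValueError("unsupported query: %s" % json.dumps(query))


def grants_for(user, index, privilege="read"):
    """DLS queries (None = unrestricted) from every index-permission entry of
    the user's roles whose name patterns and privileges cover this index."""
    grants = []
    for role in USERS[user]:
        for perm in ROLES[role].get("indices", []):
            covers = any(fnmatch.fnmatchcase(index, pat) for pat in perm["names"])
            allowed = privilege in perm["privileges"] or "all" in perm["privileges"]
            if covers and allowed:
                grants.append(perm.get("query"))
    return grants


def visible_docs(user, index):
    """Documents the user can read: none if no role covers the index, all of
    them if any covering entry has no query, otherwise the OR of the queries."""
    grants = grants_for(user, index)
    if not grants:
        return []
    if any(q is None for q in grants):
        return list(DOCS[index])
    return [d for d in DOCS[index] if any(matches(q, d) for q in grants)]


def visible_ids(user, index):
    return [d["_id"] for d in visible_docs(user, index)]


if __name__ == "__main__":
    for user in USERS:
        for index in DOCS:
            print(f"{user:22s} {index:25s} -> {visible_ids(user, index)}")
```

The point the model makes explicit: `user_full_access` sees both documents of `index-that-is-limited` because `full_user_index_role` names that index without a query, so the base role's query no longer restricts anything for that user; `user_limited_access` is restricted only because none of its other roles name the limited index. Any role whose name pattern happens to cover the limited index without a query (a `'*'` pattern, for instance) removes the restriction in the same way.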