I'm hoping someone can point me to something that provides better security controls within Kibana. We were curious how x-pack could change Kibana in a way to limit users interactivity. It didn't seem like it could from what we saw in code. So we just tried installing a trial X-pack anyways and we were right but also a little disappointed that x-pack for Kibana is nothing more than adding x-pack controls to Kibana. The biggest disappointment is that security is only applicable to Elasticsearch. You don't get security for Kibana at all.
User was given read only for .kibana index. They can still try and fail miserably to do the following.
- Anything under Management tab
- Anything under DevTools
- Create/modify dashboard only to get access denied when they try to save.
- Create/modify visualization only to get access denied when they try to save.
- See a bunch of things they don't have permissions on.
- Graph, DevTools, Machine Learning
I would call this less than optimal security. Users are not going to like the fact they they get to see things they don't have access to and interact with a bunch of things they can't save.