Xpack security with active directory question

Hi Team,

I am new to elasticsearch. I am able to integrate xpack elastic and active directory and authentication too. Know when a user who's not associated to any role but is in the company's domain is still able to login to kibana but just see the left menu and click on links and.can not do anything. Can we restrict the login access if not mapped to any role?

Regards
Aditya

anyone any thoughts?

Regards
Aditya

Again,

i am able to successfully integrate Active directory with Kibana/Elastic. but users in the company who are not defined in the role_mapping file are able to login too but not navigate into any options/menu. Can we block them to login into kibana if not in role mapping file.

Regards
Aditya

Hi Aditya,

This is essentially a bug (it's sort of a feature, depending on how you look at it) in the way that Kibana uses the authentication from ES to determine whether a user should have access. On the ES side of things - it's valid for a user to authenticate successfully, but not receive any roles.

We have been planning a feature that will do a proper test of permissions/access to prevent users from accessing Kibana unless they have a minimum set of permissions (e.g. a read-only version of the kibana_user role).

To make sure this feature would work for you - would this be appropriate for your use-case? : If a user logs into the Kibana UI, and they don't have roles (or the roles they have are not sufficient to use Kibana) they will stay on the login screen, and see a message that lets them know they don't have sufficient permissions to use Kibana.

Thanks,
Steve

@skearns thanks for the update. yes thats the use case if the user is not in any role they stay at the login page.

Regards
Aditya

@skearns any updates on this use case?

Regards
aditya

Yes, this is still on our roadmap, but no other updates at this time.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.