Access_control_rules


#1

Hi, I have some questions, This is my configuration

readonlyrest:
access_control_rules:
-
name: '::KIBANA::'
auth_key: ‘usser:pass’
-
name: '::a::'
kibana_access: ro
indices: [.kibana, ‘w*’, ‘s*’]
kibana_hide_apps: [readonlyrest_kbn, timelion, ‘kibana:dev_tools’, ‘kibana:management’]
auth_key: ‘usser:pass’
-
name: '::B ::'
kibana_access: rw
indices: [.kibana, ‘w*’, ‘s*’]
kibana_hide_apps: [readonlyrest_kbn, timelion, ‘kibana:dev_tools’, ‘kibana:management’]
auth_key: ‘usser:pass’

ssl:
key_pass: readonlyrest
keystore_pass: readonlyrest
enable: 'true’
keystore_file: /usr/share/elasticsearch/plugins/readonlyrest/keystore.jks
response_if_req_forbidden: 'Forbidden by ROR

For example If I log in with A orB , when I do something wrong, kibana stops and I cannot continue doing notting , so I have to refresh the browser and log in again.
Is this behavior normal or not?

Also how can I configurate an User who can create dashboards for w but It can’t mmodificate w indice.

{
“name”: “readonlyrest”,
“version”: “1.16.10”,
“description”: “ReadonlyREST security plugin for Elasticsearch and Kibana”,
“main”: “index.js”,
“kibana”: {
“version”: “5.6.0”
}

Thanks :slight_smile:


(Simone Scarduzio) #2

Hello @hepamela!

Users defined in blocks containing kibana_access rule - even rw and admin - will not be able to interact with data indices at all.

The rw vs rw distinction here is referred to accessing the .kibana index, where the Kibana dashboards, visualizations and settings get stored.

With ROR PRO, all users will see the same dashboards, so for a user that is not allowed to see the “w*” indices, some dashboards will show as empty (or partially full).

With ROR Enterprise, where you can have multi-tenancy, different users can have different dashboards. And because a user can’t ever see “w*” indices, he/she will never be able to create a dashboard involving “w*” indices, as they just cannot see those indices. :slight_smile: