Compliments and a question


(Jacob Bogers) #1

FIRST MY COMPLIMENTS!
Wonderfull plugin, after struggling to get xpack working your plugin is really a breeze to use
I work for company that is tryingout your plugin for internal enterprise use (need to protect certain data on field and document leve).

Your plugin is really straightforward to configure and use. kiddos

SO far I have encryption enbaled on elastic search and reading through your ACL list

MY QUESTION:
I am not an elastic stack veteran, I read the docs last year, and now actively making an MVP and started with 6.4.3

I have never seen this “action” strings before described here, (link)

you also refer to elasticsearch 5.1.2. explicitly, so do these strings not exist anymore in 6.4.3??

are these actions relevant in the current 6.4.3 version.???


(Simone Scarduzio) #2

Hello @jacobbogers, and thanks for the kind words!
The set of existing actions does not change between the ES versions. But when they add a new feature in ES they add an action string for it.


(Jacob Bogers) #3

forgive my noob question, what is an “action”,I am diving in the elastic docs but dont see it,
is this part of the search api?


(Simone Scarduzio) #4

An action is like a the name of an internal function you can invoke inside ES. You can invoke it either via HTTP (port 9200), or via ES transport protocol (port 9300).

You don’t find anything in the ES docs because it’s a concept that they don’t expose to the public API, however the names are pretty descriptive and invariant across time, so they became part of the ReadonlyREST API.

The good news is that we also created a macro rule called kibana_access that identifies the actions required for a ‘rw’, ‘ro’, and ‘ro_strict’ Kibana session.

We also provide examples of the minimum set of actions to be allowed in order for Logstash and Metricbeats to work correctly


(Jacob Bogers) #5

I put “kibana_access” to “ro”
will it

  1. will it still create this monitoring indices? like (examples) .monitoring-alerts-6, .kibana, .monitoring-kibana-6-2018.11.13 ,.watches, .triggered_watches, ..watcher-history-9-2018.11.13
    ?

  2. will kibana user be able to delete/create/alter indices from the “dev tool” tab, if kibana_access: ro?


(Simone Scarduzio) #6

ROR polices the HTTP interface, the creation of monitoring indices happens X-Pack ES plugin. So ROR does not even see those indices being created.

Absolutely not. As I said, the access control is done in Elasticsearch HTTP interface, so what you can do from dev tools as a RO user will be limited to the set of actions you can perform during a normal RO Kibana session (mainly searches).


(Jacob Bogers) #7

Absolutely not. As I said, the access control is done in Elasticsearch HTTP interface, so what you can do from dev tools as a RO user will be limited to the set of actions you can perform during a normal RO Kibana session (mainly searches).

Fantastic!!!