FIRST MY COMPLIMENTS!
Wonderfull plugin, after struggling to get xpack working your plugin is really a breeze to use
I work for company that is tryingout your plugin for internal enterprise use (need to protect certain data on field and document leve).
Your plugin is really straightforward to configure and use. kiddos
SO far I have encryption enbaled on elastic search and reading through your ACL list
MY QUESTION:
I am not an elastic stack veteran, I read the docs last year, and now actively making an MVP and started with 6.4.3
I have never seen this âactionâ strings before described here, (link)
you also refer to elasticsearch 5.1.2. explicitly, so do these strings not exist anymore in 6.4.3??
are these actions relevant in the current 6.4.3 version.???
Hello @jacobbogers, and thanks for the kind words!
The set of existing actions does not change between the ES versions. But when they add a new feature in ES they add an action string for it.
An action is like a the name of an internal function you can invoke inside ES. You can invoke it either via HTTP (port 9200), or via ES transport protocol (port 9300).
You donât find anything in the ES docs because itâs a concept that they donât expose to the public API, however the names are pretty descriptive and invariant across time, so they became part of the ReadonlyREST API.
The good news is that we also created a macro rule called kibana_access that identifies the actions required for a ârwâ, âroâ, and âro_strictâ Kibana session.
We also provide examples of the minimum set of actions to be allowed in order for Logstash and Metricbeats to work correctly
will it still create this monitoring indices? like (examples) .monitoring-alerts-6, .kibana, .monitoring-kibana-6-2018.11.13 ,.watches, .triggered_watches, ..watcher-history-9-2018.11.13
?
will kibana user be able to delete/create/alter indices from the âdev toolâ tab, if kibana_access: ro?
ROR polices the HTTP interface, the creation of monitoring indices happens X-Pack ES plugin. So ROR does not even see those indices being created.
Absolutely not. As I said, the access control is done in Elasticsearch HTTP interface, so what you can do from dev tools as a RO user will be limited to the set of actions you can perform during a normal RO Kibana session (mainly searches).
Absolutely not. As I said, the access control is done in Elasticsearch HTTP interface, so what you can do from dev tools as a RO user will be limited to the set of actions you can perform during a normal RO Kibana session (mainly searches).