Configuration example for jwt multi tenancy

Hi
Does there exist an example configuration for multi tenancy with jwt?

I have an existing ELK-stack instance running without ROR, and want to install ROR. I can get it to work fine without multi tenancy, but I am confused as to how you set up multi tenancy.

I have configured it so that all users have access to the existing .kibana index (seems to be stored as .kibana_1 .kibana_2 .kibana_3 etc) with different access levels. In addition, I want users with rw-access to also be able to switch to a private tenancy which only they can use. So they would have a dropdown with the tenancies available to them (the default .kibana index and a private tenancy). How can I achieve this? Would be great if there is some example configuration I can look at.

Here’s my non-multi-tenancy configuration:
readonlyrest:

  access_control_rules:
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error

  - name: "::ADMIN_BP::"
    kibana_access: admin
    jwt_auth:
      name: "webseal"
      roles: ["kibana_admin"]

  - name: "::RW_BP::"
    kibana_access: rw
    jwt_auth:
      name: "webseal"
      roles: ["kibana_user"]

  - name: "::RO_BP::"
    kibana_access: ro
    kibana_hide_apps: ["readonlyrest_kbn", "kibana:visualize", "canvas", "apps", "ml", "infra:infrastructure", "infra:logs", "apm", "uptime", "siem", "kibana:dev_tools", "monitoring", "kibana:management"]
    jwt_auth:
      name: "webseal"
      roles: ["kibana_readonly"]

  jwt:
  - name: webseal
    signature_algo: RSA
    signature_key: "MY_KEY"
    user_claim: sub
    roles_claim: groups
    header_name: jwt

Thanks

Hello @peter123, great question!

The solution to your problem should look like this:

readonlyrest:
  access_control_rules:
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error

  - name: "::ADMIN_BP::"
    kibana_access: admin
    jwt_auth:
      name: "webseal"
      roles: ["kibana_admin"]

  - name: "::RW_BP::"
    kibana_access: rw
    jwt_auth:
      name: "webseal"
      roles: ["kibana_user"]

  - name: "::RW_BP (personal)::"  # <--- added this block
    kibana_access: rw
    kibana_index: ."[email protected]{user}" # <-- dynamic variable
    jwt_auth:
      name: "webseal"
      roles: ["kibana_user"]

  - name: "::RO_BP::"
    kibana_access: ro
    kibana_hide_apps: ["readonlyrest_kbn", "kibana:visualize", "canvas", "apps", "ml", "infra:infrastructure", "infra:logs", "apm", "uptime", "siem", "kibana:dev_tools", "monitoring", "kibana:management"]
    jwt_auth:
      name: "webseal"
      roles: ["kibana_readonly"]
1 Like
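
An added example (not part of either post and not ReadonlyREST code) for checking a token against the rules above: it reads the `sub` and `groups` claims named in the `jwt` section, lists the blocks whose role the token carries, and checks that the per-user index name is one Elasticsearch will accept. Assumptions: the template `.kibana_@{user}` stands in for the `kibana_index` value, the sample token is constructed, and the signature is not verified here.

```python
import base64, json, re

# Role required by each jwt_auth block in the answer's rules, in file order.
BLOCK_ROLES = [
    ("::ADMIN_BP::", "kibana_admin"),
    ("::RW_BP::", "kibana_user"),
    ("::RW_BP (personal)::", "kibana_user"),
    ("::RO_BP::", "kibana_readonly"),
]
# Characters Elasticsearch rejects in index names (colon since 7.0).
BAD_INDEX_CHARS = re.compile(r'[\\/*?"<>| ,#:]')


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def blocks_for(claims, roles_claim="groups"):
    """Names of the blocks whose required role appears in the roles claim."""
    groups = claims.get(roles_claim, [])
    if isinstance(groups, str):  # some issuers emit a single string
        groups = [groups]
    return [name for name, role in BLOCK_ROLES if role in groups]


def personal_index(claims, template=".kibana_@{user}", user_claim="sub"):
    """Expand the (assumed) template; raise if the result is not a legal index name."""
    index = template.replace("@{user}", str(claims[user_claim]))
    if index != index.lower() or BAD_INDEX_CHARS.search(index) or len(index.encode()) > 255:
        raise ValueError(f"not a valid Elasticsearch index name: {index!r}")
    return index


def make_token(claims):
    """Build an unsigned, constructed sample token for the checks below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed-signature"])


if __name__ == "__main__":
    token = make_token({"sub": "peter123", "groups": ["kibana_user", "staff"]})
    claims = decode_claims(token)
    print(blocks_for(claims))      # blocks this token's groups satisfy
    print(personal_index(claims))  # private tenancy index for this user
```

A `sub` value with uppercase letters or spaces makes `personal_index` raise, which is worth checking before rolling a per-user index out to every account.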