Configuring multiple users and enable document level security

(Ashwin Bharadwaj) #1

Hello Team,

I am really enjoying working with ROR, cheers to all!

Very recently I found this while doing a POC on Kibana Authentication with XPACK. So far I was able to configure the ROR yml and use Kibana. Now it's time for me to go to the next level: ours is a multi-tenant application and I'm working on securing the Kibana logs from different tenant users through document level security. I created multiple users in the ROR yml; however, I'm getting a 401 while logging in with one specific user.

I have 2 users defined in ror yml

- name: "::Admin user::"
  auth_key: rsadmin:rsadmin
  type: allow
  actions: ["indices:admin/create","indices:data/write/index","indices:data/write/bulk","indices:data/write/bulk[s]"]
  indices: ["log-*"]

- name: "::rdw user::"
  auth_key: rdwadmin:rdwadmin
  type: allow
  indices: ["log-*"]

I can log in with the rsadmin user with ease but not with rdwadmin, and I am unable to identify the root cause.
Note: I have defined rsadmin in the kibana yml under elasticsearch.username. Is this the issue?

(Ashwin Bharadwaj) #2

I was able to rectify the issue. That was a copy-paste issue from the admin config.

Once I removed actions and introduced kibana_access, the config started working.

I still need help on document level security. I have used the below setting after referring to the PR; however, no luck.

  - name: "::RDW user::"
    auth_key: rdwadmin:rdwadmin
    actions: ["indices:data/read/*"]
    indices: [".kibana*","log-*","testindex"]
    filter: "{\"bool\": {\"must\": [{\"term\": {\"TenantID\": {\"value\": \"rdw\"}}}]}}"

The expectation is to filter the logs which belong only to the specified tenant.
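
The `filter` value in the block above is a JSON query escaped by hand inside a YAML string, which is easy to get wrong once there is one block per tenant. As an added example (not part of the original post and not ReadonlyREST's own code), this Python script renders a block with the same keys as the post and lets `json.dumps` produce both quoting layers, then parses the result back to confirm the query is intact; the helper names, the `CHANGE_ME` credential and the sample tenant IDs are assumptions made for illustration.

```python
import json


def tenant_filter(tenant_id: str, field: str = "TenantID") -> str:
    """Return the term query from the post as a compact JSON string."""
    query = {"bool": {"must": [{"term": {field: {"value": tenant_id}}}]}}
    return json.dumps(query, separators=(",", ":"))


def yaml_dq(text: str) -> str:
    """Quote text as a YAML double-quoted scalar.

    json.dumps emits only escapes (\\" \\\\ \\n \\uXXXX ...) that YAML
    double-quoted scalars also accept, so no hand escaping is needed.
    """
    return json.dumps(text)


def ror_block(name: str, auth_key: str, indices: list, tenant_id: str) -> str:
    """Render one ACL block using the same keys as the block in the post."""
    lines = [
        f"- name: {yaml_dq(name)}",
        f"  auth_key: {yaml_dq(auth_key)}",
        '  actions: ["indices:data/read/*"]',
        f"  indices: {json.dumps(indices)}",
        f"  filter: {yaml_dq(tenant_filter(tenant_id))}",
    ]
    return "\n".join(lines)


def filter_from_block(block: str) -> dict:
    """Undo both quoting layers (YAML scalar, then JSON) to recover the query."""
    line = next(l for l in block.splitlines() if l.strip().startswith("filter:"))
    scalar = line.split("filter:", 1)[1].strip()
    return json.loads(json.loads(scalar))


if __name__ == "__main__":
    # Constructed sample tenants; the second contains characters that a
    # hand-written escaped string would need to quote twice.
    for tenant in ("rdw", 'acme "eu"\\1'):
        block = ror_block(f"::{tenant} user::", "user:CHANGE_ME", ["log-*"], tenant)
        print(block)
        print("# parsed back:", filter_from_block(block), "\n")
```

The tenant ID always lands inside the `value` field of the term query, whatever characters it contains, because it is never concatenated into the JSON text.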

(Ashwin Bharadwaj) #3

Was able to correct all the errors after referring

Unable to filter documents (DLS).

(Simone Scarduzio) #4

Hello @ashwin, great job at finding a solution yourself :slight_smile:

Because the filter/fields + Kibana is a very common use case, I took some time to document and explain how to approach this task with ReadonlyREST. See it in the official documentation.