Yes @francisca.lima, this is expected. When you use filter and fields rules, you need to duplicate your ACL block, as these rules only will match with *search *get requests, while a normal Kibana session uses a wider mix of request types.
You can find this technique explained in our documentation, look where it says “IMPORTANT”.
If you want some feedback on your settings, feel free to show us here.
Can you tell us in what (ES and ROR) version you had it working? Also, can you tell us how you define work/not work with a simple experiment? I.e. using curl with a minimal configuration?
Not sure what’s wrong, but what I’m sure about is that mixing “actions” and “kibana_access” doesn’t make sense. The kibana_access rule is already a macro that selects a series of actions. And if you add the actions rule, you are basically neutralising it.
Thank you! I removed the actions. My system indexes of kibana are: .kibana_task_manager and .kibana_1, so I tried to only use .kibana_1 or only use .kibana_task_manager, but no success (cannot access kibana).
Regarding to this topic, I’ve tried to install this version of ROR “ROR 1.45.0-pre5 for ES 7.12.1” for each node elasticsearch from cluster, but unfortunately doesn’t work anymore, the same error 503. If I put in filter config “ must_not”, it works but “must” returns error.
Hello Alex, can you share your readonlyrest.yml or equivalent in-index YAML settings, and give us some examples of queries (i.e. with curl, or similar).
BTW if you are staff of a enterprise subscriber, please tell us at @support_team in direct message (here in the forum) so we can prioritise your support request.