Filtering indices and using LDAP

ROR Version: Enterprise 1.56.0_es7.15.1 :unicorn:

Kibana Version: 7.15.1

Elasticsearch Version: 7.15.1

Steps to reproduce the issue
Step 1:
I need all LDAP users to be able to log into Kibana. My config:

    - name: "all user"
      type: allow
      ldap_authentication:
        name: "ldap"
      kibana_access: rw

Step 2:
A group appears in LDAP that should only see certain indexes. My config:

    - name: "filter index"
      indices: ["*kibana*", "*:*index*"]
      kibana_access: rw
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["team1"]

    - name: "all user"
      type: allow
      ldap_authentication:
        name: "ldap"
      kibana_access: rw

Expected result:
Users from the group stop seeing logs from other indexes.

Actual Result:
Users from the group see all logs. To solve the problem, I added one more rule.

    - name: "filter index"
      indices: ["*kibana*", "*:*index*"]
      kibana_access: rw
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["team1"]

    - name: "team1 forbid"
      type: forbid
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["team1"]

    - name: "all user"
      type: allow
      ldap_authentication:
        name: "ldap"
      kibana_access: rw

But now I am getting a lot of errors when opening an index in Kibana.

Is it possible to remove errors from Kibana?

This rule (I intentionally removed the Kibana rule to make the example simple):

    - name: "filter index"
      indices: ["*kibana*", "*:*index*"]
      ldap_authentication:
        name: "ldap"
      ldap_authorization:
        name: "ldap"
        groups: ["team1"]

means:

allow requests to *kibana* or *:*index* when user belongs to "team1" LDAP group

the next rule:

    - name: "all user"
      type: allow
      ldap_authentication:
        name: "ldap"

means:

allow all requests when user can be authenticated with LDAP

You wrote:

Users from the group see all logs. 

I would expect that it’s going to work like that because it’s an ACL, so when matching one block fails, the next one will be checked.

I guess that putting the “allow all” block at the end of the ACL is not such a good idea.
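Added example, not part of the thread and not ReadonlyREST's own code: a small Python model of the first-match ACL evaluation described in the reply above, applied to the block lists from the original report (step 2 and the workaround with the forbid block). It assumes LDAP authentication succeeds for every user, models only the `groups` and `indices` rules, ignores Kibana-specific index filtering, and uses constructed index names.

```python
"""Simplified first-match ACL walk, modelled on how ReadonlyREST evaluates its
block list: blocks are tried top to bottom, a block matches only if every rule
in it matches, and the first matching block decides (allow or forbid). When no
block matches, the request is rejected.

Constructed illustration, not ReadonlyREST's code. It models only the
ldap_authorization 'groups' rule and the 'indices' rule, assumes LDAP
authentication succeeds for every user, and ignores Kibana-specific index
filtering.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Block:
    name: str
    type: str = "allow"                 # block type: "allow" or "forbid"
    groups: Optional[frozenset] = None  # ldap_authorization.groups (any of them)
    indices: Optional[tuple] = None     # indices rule: wildcard patterns

    def matches(self, user_groups: set, index: str) -> bool:
        # Every rule present in the block has to match for the block to match.
        if self.groups is not None and not (self.groups & user_groups):
            return False
        if self.indices is not None and not any(
            fnmatchcase(index, pattern) for pattern in self.indices
        ):
            return False
        return True


def evaluate(acl, user_groups, index):
    """Return (decision, block_name): first matching block wins; none -> forbid."""
    for block in acl:
        if block.matches(set(user_groups), index):
            return block.type, block.name
    return "forbid", None  # nothing matched: the request is rejected


# The blocks from the thread, translated from the YAML (constructed equivalents).
FILTER_INDEX = Block("filter index", groups=frozenset({"team1"}),
                     indices=("*kibana*", "*:*index*"))
TEAM1_FORBID = Block("team1 forbid", type="forbid", groups=frozenset({"team1"}))
ALL_USERS = Block("all user")

ACL_STEP2 = [FILTER_INDEX, ALL_USERS]                      # step 2 of the report
ACL_WITH_FORBID = [FILTER_INDEX, TEAM1_FORBID, ALL_USERS]  # the workaround


if __name__ == "__main__":
    # Constructed requests: (acl, user's LDAP groups, index being accessed).
    cases = [
        (ACL_STEP2, {"team1"}, "other-logs"),        # misses "filter index", falls through to "all user"
        (ACL_WITH_FORBID, {"team1"}, "other-logs"),  # now stopped by "team1 forbid"
        (ACL_WITH_FORBID, {"team1"}, ".kibana"),     # still allowed by "filter index"
        (ACL_WITH_FORBID, {"team1"}, "some-other-index"),  # any miss is now a denial, not a fall-through
        (ACL_WITH_FORBID, {"team2"}, "other-logs"),  # users outside team1 are unaffected
    ]
    for acl, groups, index in cases:
        decision, block = evaluate(acl, groups, index)
        print(f"{sorted(groups)} -> {index:18} {decision:6} via {block}")
```

The model shows the two behaviours reported in the thread: with the step 2 ordering a team1 user who misses "filter index" falls through to "all user" and is allowed everywhere, and once "team1 forbid" is inserted every team1 request that misses the two index patterns is denied instead of falling through, which is the kind of denial that Kibana surfaces as an error.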

How can I make sure that all users have access to Kibana, but some users have reduced rights?

Do you have any ideas on how this can be done?

I think if I make a group, put all the users there and add it at the end, the result will not change.

I think you have to define first what exactly “reduced rights” means.

“Reduced rights” - can only see certain indexes and not receive errors in Kibana. For example: index1 and index2.

Other users can see all indexes.