How to create users and assign privileges to users

ajit · May 25, 2018, 2:10pm

Hi,
We have purchase pro version of read only rest. We don’t have idea to create users and assign them privileges.
Please guide us on creating multiple users and rule creation and restrict users to access indexes.

Thanks,
Ajit

sscarduzio · May 25, 2018, 2:40pm

Hi @ajit,

Something like this?

readonlyrest:
    access_control_rules:

    - name: "kibana server process"
      auth_key: "kibana:kibanaP4ssWd,123x"

    - name: "ROR Administrator"
      kibana_access: admin
      auth_key: admin:adminpass

    - name: "Can change dashboards, can't change ACL permissions"
      auth_key: manager:managerpass
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

    - name: "Can see dashboards with data from all indices"
      auth_key: viewer:viewerpass
      kibana_access: ro
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

    - name: "Can see dashboards with data from certain indices"
      auth_key: app1viewer:app1viewerpass
      kibana_access: ro
      indices: [".kibana", "app1-logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

We have four Kibana users:

An administrator that can change the ACL: add, remove users etc
One dashboard manager that creates visualizations for viewers to consume (but can’t access readonlyrest_kbn Kibana app where te ACL can be changed)
A viewer that can see the dashboards with all data in them
A viewer that can see only data from indices whose name starts with “app1-logstash-”.

Users 3 and 4 can’t use dev tools and ROR kibana apps.

ajit · May 28, 2018, 7:15am

Hi,
I have installed readonly Rest plugins for both elasticsearch and kibana. I am able to login in kibana but cant see any tab. Also SSL is not enabled I am connecting only with HTTP protocol and not HTTPS. In readonly Rest I have added on below snipet.

readonlyrest:
access_control_rules:

- name: "ROR Administrator"
  kibana_access: admin
  auth_key: admin:adminpass

Is there any GUI to mange users and index access. Please guide us.

ajit · May 28, 2018, 7:17am

Getting Authentication Exceptions in kibana home page. Not able to access any tab.

sscarduzio · May 28, 2018, 8:07am

Hi @ajit,

Yes that’s normal, because I forgot to tell you you need to add a full access ACL block for the Kibana server. Now the example above is amended.

Then, don’t forget to configure kibana.yml with elasticsearch username and password as described in the official instructions.

By the way, please follow the installation and configuration instructions in the docs, it’s better documented than me trying to summarise this in a forum thread.

Anyway, by all means, if you have any doubts just ask!

github.com

beshu-tech/readonlyrest-docs/blob/master/kibana.md#kibana-configuration

---
description: User manual for ReadonlyREST Enterprise/PRO/Free
---

# For Kibana

🧙 **Are you using Kibana version 7.8.x or older? Go to the** [**old platform manual page**](details/kibana-7.8.x-and-older.md)**.**

### Kibana Plugin overview

ReadonlyREST plugin for Kibana is not open source, and it's offered as part of the [ReadonlyREST PRO](https://readonlyrest.com/pro.html) and [ReadonlyREST ENTERPRISE](https://readonlyrest.com/enterprise.html), and [ReadonlyREST Free](https://readonlyrest.com/free) packages. See product descriptions and a comparison chart in the official [ReadonlyREST website](https://readonlyrest.com)

ReadonlyREST plugins for Kibana **always require** ReadonlyREST opens source plugin to be installed in the Elasticsearch nodes your Kibana instance(s) will connect to.

It's not mandatory to install ReadonlyREST in all Elasticsearch nodes, but only in the ones in where you need the HTTP interface to be secured.

### After purchasing

If you didn't install it yet, download the latest [universal build](https://docs.readonlyrest.com/universal-builds) from our [download page](https://readonlyrest.com/download/) and install it manually.
Alternatively, see below if you want to install it directly via the command line without downloading it from the browser.

This file has been truncated. show original

ajit · May 28, 2018, 10:17am

Hi,
I have added below code in readonlyrest.yml
readonlyrest:
prompt_for_basic_auth: false
enable: true
ssl:
enable: true
keystore_file: "/opt/ElasticSearchKibana/ssl/keystore.jks"
keystore_pass: readonlyrest
key_pass: readonlyrest

access_control_rules:
- name: "ROR Administrator"
  kibana_access: admin
  auth_key: admin:adminpass

But getting exception in reading jks file.
java.security.AccessControlException: access denied (“java.io.FilePermission “”/opt/ElasticSearchKibana/ssl/keystore.jks” “read”)

I just need basic configuration for creating users and assign them particular index. And that index should be accessible by that user only.

sscarduzio · May 28, 2018, 11:19am

Hi @ajit,

Could you place the jks wherever your readonlyrest.yml and elasticsearch.yml are? And then refer in the settings as “keyestore.jks”.

That should get rid of the permission error.

ajit · May 28, 2018, 12:21pm

Hi,
Now its working properly from config folder.
But getting below exception:
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Is this issue related to keystore or any configuration issue.
Please guide on the keystore and keystore pass and keystore alias.

sscarduzio · May 28, 2018, 12:38pm

Hi @ajit,

Please can you always report complete stack traces?
Is this piece of stack trace coming from Kibana or from ES?
Is the keystore.jks containing a self signed certificate?
In the case 3 is true, configure kibana to accept unsigned certificates.
Have a look at this thread in the ES forum on how to investigate this on the cert side.

ajit · May 29, 2018, 11:58am

Hi,
I am giving permissions to a user for particular index and particular actions. But as I am giving actions to user my user is not able to login. But without actions user is able to login kibana. Below is my configuration :

name: “user1"
auth_key: user1:user1
actions: [“indices:data/read/","indices:data/write/”,“indices:admin/template/*”,“indices:admin/create”]
indices: [”.kibana", “index1”]
kibana_hide_apps: [“readonlyrest_kbn”]

Please guide me whats wrong in the code snippet. And I have to implement this scenario user- > index- > actions.

ajit · May 29, 2018, 12:19pm

After adding actions in above snippet my user not getting logged in kibana. after removing action User is able to login into kibana. I need index + actions.

sscarduzio · May 29, 2018, 12:19pm

@ajit if you want a user to login into Kibana you need either:

auth_key AND kibana_access -> logins ok, but it won’t be able to operate from dev tools
auth_key -> logins ok, can do anything in ES through dev tools
(auth_key AND kibana_access) + (auth_key + actions + indices) -> two ACL blocks: one for Kibana login, and the other for operating their indices like they want.

This is an example of the latter:


- name: “user1 for kibana"
  auth_key: user1:user1
  kibana_access: rw 
  indices: [”.kibana", “index1”]
  kibana_hide_apps: [“readonlyrest_kbn”]

- name: “user1 extra actions to operate index1 from devtools"
  auth_key: user1:user1
  actions: [“indices:data/read/","indices:data/write/”,“indices:admin/template/*”,“indices:admin/create”]
  indices: [“index1”]
  kibana_hide_apps: [“readonlyrest_kbn”]

ajit · May 29, 2018, 12:44pm

Thanks, Issue has been resolved. We are almost done. Need some more help.
After starting elasticsearch to test in browser I am getting forbidden 403 error. Now kibana is working fine.

In browser I am getting below message and my ulr is:
https://172.21.153.176:9200/index1/_search
Error is:
{“error”:{“root_cause”:[{“reason”:“forbidden”}],“reason”:“forbidden”},“status”:403}

Please guide on this.

sscarduzio · May 29, 2018, 1:24pm

Wait, you have set up the authentication, therefore if you point the browser to ES, it will show forbidden. Why do you instead expect this to work?

ajit · May 29, 2018, 1:58pm

Need to check data of index in browser.

ajit · May 29, 2018, 2:03pm

One more request, I don’t want to show passwords of users in security file. Is there any way to create users using GUI. I don’t want to create users manually and there passwords. Please provide solution on this.

sscarduzio · May 30, 2018, 6:07am

Hi @ajit,

You have many possibilities to avoid typing clear text passwords and/or manage users less “manually”:

store hashed passwords in the YAML settings using auth_key_sha256
inject users password as environmental variables when you deploy elasticsearch (requires node restart)
use our LDAP connector and manage users there.
rely on another website’s basic authentication
authenticate users with a proxy and then redirect them to Kibana with a valid JWT token

Did you have something else in mind? Please share some feedback about your original expectations about our product.