How to create users and assign privileges to users


(Ajit) #1

Hi,
We have purchased the PRO version of ReadonlyREST. We don't know how to create users and assign them privileges.
Please guide us on creating multiple users, creating rules, and restricting users' access to indexes.

Thanks,
Ajit


(Simone Scarduzio) #2

Hi @ajit,

Something like this?

readonlyrest:
    access_control_rules:

    - name: "kibana server process"
      auth_key: "kibana:kibanaP4ssWd,123x"

    - name: "ROR Administrator"
      kibana_access: admin
      auth_key: admin:adminpass

    - name: "Can change dashboards, can't change ACL permissions"
      auth_key: manager:managerpass
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

    - name: "Can see dashboards with data from all indices"
      auth_key: viewer:viewerpass
      kibana_access: ro
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

    - name: "Can see dashboards with data from certain indices"
      auth_key: app1viewer:app1viewerpass
      kibana_access: ro
      indices: [".kibana", "app1-logstash-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:dev_tools"]

We have four Kibana users:

  1. An administrator that can change the ACL: add, remove users etc
  2. One dashboard manager that creates visualizations for viewers to consume (but can’t access readonlyrest_kbn Kibana app where the ACL can be changed)
  3. A viewer that can see the dashboards with all data in them
  4. A viewer that can see only data from indices whose name starts with “app1-logstash-”.

Users 3 and 4 can’t use dev tools and ROR kibana apps.


(Ajit) #3

Hi,
I have installed the ReadonlyREST plugins for both Elasticsearch and Kibana. I am able to log in to Kibana but can't see any tab. Also, SSL is not enabled; I am connecting only with the HTTP protocol and not HTTPS. In ReadonlyREST I have added only the below snippet.

readonlyrest:
    access_control_rules:

    - name: "ROR Administrator"
      kibana_access: admin
      auth_key: admin:adminpass

Is there any GUI to manage users and index access? Please guide us.


(Ajit) #4

Getting Authentication Exceptions in kibana home page. Not able to access any tab.


(Simone Scarduzio) #5

Hi @ajit,

Yes that’s normal, because I forgot to tell you you need to add a full access ACL block for the Kibana server. Now the example above is amended.

Then, don’t forget to configure kibana.yml with elasticsearch username and password as described in the official instructions.

By the way, please follow the installation and configuration instructions in the docs, it’s better documented than me trying to summarise this in a forum thread.

Anyway, by all means, if you have any doubts just ask!


(Ajit) #6

Hi,
I have added below code in readonlyrest.yml
readonlyrest:
    prompt_for_basic_auth: false
    enable: true
    ssl:
      enable: true
      keystore_file: "/opt/ElasticSearchKibana/ssl/keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest

    access_control_rules:
    - name: "ROR Administrator"
      kibana_access: admin
      auth_key: admin:adminpass

But getting exception in reading jks file.
java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/ElasticSearchKibana/ssl/keystore.jks" "read")

I just need basic configuration for creating users and assign them particular index. And that index should be accessible by that user only.


(Simone Scarduzio) #7

Hi @ajit,

Could you place the jks wherever your readonlyrest.yml and elasticsearch.yml are? And then refer to it in the settings as “keystore.jks”.

That should get rid of the permission error.


(Ajit) #8

Hi,
Now it's working properly from the config folder.
But I am getting the below exception:
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common

Is this issue related to the keystore or is it a configuration issue?
Please guide on the keystore, keystore pass and keystore alias.


(Simone Scarduzio) #9

Hi @ajit,

  1. Please can you always report complete stack traces?
  2. Is this piece of stack trace coming from Kibana or from ES?
  3. Is the keystore.jks containing a self signed certificate?
  4. In the case 3 is true, configure kibana to accept unsigned certificates.
  5. Have a look at this thread in the ES forum on how to investigate this on the cert side.

(Ajit) #10

Hi,
I am giving permissions to a user for a particular index and particular actions. But when I give actions to the user, my user is not able to log in. Without actions, the user is able to log in to Kibana. Below is my configuration:

  - name: "user1"
    auth_key: user1:user1
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: [".kibana", "index1"]
    kibana_hide_apps: ["readonlyrest_kbn"]

Please guide me on what's wrong in the code snippet. I have to implement this scenario: user -> index -> actions.


(Ajit) #11

After adding actions in the above snippet, my user cannot log in to Kibana. After removing actions, the user is able to log in to Kibana. I need index + actions.


(Simone Scarduzio) #12

@ajit if you want a user to login into Kibana you need either:

auth_key AND kibana_access -> logins ok, but it won’t be able to operate from dev tools
auth_key -> logins ok, can do anything in ES through dev tools
(auth_key AND kibana_access) + (auth_key + actions + indices) -> two ACL blocks: one for Kibana login, and the other for operating their indices like they want.

This is an example of the latter:


- name: "user1 for kibana"
  auth_key: user1:user1
  kibana_access: rw
  indices: [".kibana", "index1"]
  kibana_hide_apps: ["readonlyrest_kbn"]

- name: "user1 extra actions to operate index1 from devtools"
  auth_key: user1:user1
  actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  indices: ["index1"]
  kibana_hide_apps: ["readonlyrest_kbn"]

(Ajit) #13

Thanks, Issue has been resolved. We are almost done. Need some more help.
After starting elasticsearch to test in browser I am getting forbidden 403 error. Now kibana is working fine.

In the browser I am getting the below message and my URL is:
https://172.21.153.176:9200/index1/_search
Error is:
{"error":{"root_cause":[{"reason":"forbidden"}],"reason":"forbidden"},"status":403}

Please guide on this.


(Simone Scarduzio) #14

Wait, you have set up the authentication, therefore if you point the browser to ES, it will show forbidden. Why do you instead expect this to work?


(Ajit) #15

Need to check data of index in browser.


(Ajit) #16

One more request: I don’t want to show passwords of users in the security file. Is there any way to create users using a GUI? I don’t want to create users and their passwords manually. Please provide a solution for this.


(Simone Scarduzio) #17

Hi @ajit,

You have many possibilities to avoid typing clear text passwords and/or manage users less “manually”:

Did you have something else in mind? Please share some feedback about your original expectations about our product.
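
One way to keep clear-text passwords out of readonlyrest.yml, as an added example that is not part of the original thread or the project's own tooling: it rewrites plaintext `auth_key` lines into ReadonlyREST's `auth_key_sha256` rule, which takes the SHA-256 hex digest of the `user:password` string. The function name `hash_auth_keys` and the sample text are assumptions made for this illustration.

```python
import hashlib
import re

# Plaintext rule line, e.g. `  auth_key: "kibana:secret"` or `  auth_key: admin:adminpass`.
# `auth_key_sha256:` lines do not match, so re-running the tool changes nothing.
AUTH_KEY_LINE = re.compile(
    r'^(?P<indent>\s*)auth_key:\s*'
    r'(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>\S+))'
    r'\s*(?:#.*)?$'
)

def hash_auth_keys(config_text):
    """Return (rewritten_text, usernames) with every auth_key replaced by auth_key_sha256."""
    out, users = [], []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = AUTH_KEY_LINE.match(line)
        if m is None:
            out.append(line)
            continue
        cred = next(g for g in m.group("dq", "sq", "bare") if g is not None)
        user, sep, password = cred.partition(":")
        if not (user and sep and password):
            # Report the line number only, never the credential itself.
            raise ValueError(f"line {lineno}: auth_key is not user:password")
        digest = hashlib.sha256(cred.encode("utf-8")).hexdigest()
        # Keep the username as a YAML comment so the block stays readable.
        out.append(f'{m.group("indent")}auth_key_sha256: {digest}  # {user}')
        users.append(user)
    return "\n".join(out), users

# Constructed sample: two blocks taken from the ACL in post #2.
SAMPLE = """readonlyrest:
    access_control_rules:

    - name: "kibana server process"
      auth_key: "kibana:kibanaP4ssWd,123x"

    - name: "Can see dashboards with data from certain indices"
      auth_key: app1viewer:app1viewerpass
      kibana_access: ro
      indices: [".kibana", "app1-logstash-*"]
"""

if __name__ == "__main__":
    hashed, users = hash_auth_keys(SAMPLE)
    print(hashed)
    print("rewritten users:", ", ".join(users))
```

An unsalted SHA-256 digest hides the password from anyone reading the file but remains guessable offline when the password is weak, so the file still needs restrictive permissions and the passwords still need to be strong.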