How to make an index read-only (not .kibana index)


(Barry Kaplan) #1

Is there any way to ensure that a user will have only read access to indices? A subset of actions or methods?

(But doesn’t kibana use POST for some queries?)


(Simone Scarduzio) #2

Is this a Kibana session you want to make readonly? Or some other agent?


(Barry Kaplan) #3

Not kibana (I mean not the .kibana index), but an arbitrary data indices, eg

my_index_data_1
my_index_data_2


Maybe the above was not clear, I want a rule like this but where kibana_sample_data_ecommerce is read-only for this user/session.

        - name: plant-user--data
          headers:
            - x-vi-plant:*
          proxy_auth: '*'
          kibana_hide_apps: "{{ kibana_ror_plant_hide_apps }}"
          indices:
            - kibana_sample_data_ecommerce
          filter: |
            {
              "query": {
                "match": {"customer_gender": "@{x-vi-plant}"}
              }
            }

(Simone Scarduzio) #4

So my quesiton was more like do you want to prevent a Kibana user from modifying data indices? or is this another thing like logstash?

Correct me if I’m wrong, but looks like you mean to prevent a Kibana user from modifying data indices via dev tools, or direct access. Well in this case, just use kibana_access: rw.

This will grant RW permissions to the kibana index (to create and delete dashboards and viz), but reject any RW request geared to other indices.

Don’t forget to allow also the “.kibana” index in the indices rule (unless you have a specific block for it above this).


(Barry Kaplan) #5
  • Users to be able to modify their tenant-specific kibana index (assigned with kibana_index)
  • Able to read/access their (assigned by indices) strictly as read-only

I guessing this a function of limiting the actions, similar to searchgard’s
https://docs.search-guard.com/latest/kibana-read-only#read-only-mode or their CLUSTER_COMPOSITE_OPS_RO action group.


(Simone Scarduzio) #6

I think it’s kinda similar, except that in ROR you have to specify the hidden apps yourself.


(Barry Kaplan) #7

Sorry, maybe that link was misleading.

I asking about how to make all access to an index read-only, regardless of the app.


(Simone Scarduzio) #8

The answer is: if you set the kibana_access rule (with any value) you will get the desired effect, because all indices except “.kibana” will become read-only.


(Barry Kaplan) #9

Brilliant! Thanks much.