I have a requirement for people to be able to set up their own dashboards in Kibana, but only have read-only access to the log data.
Unfortunately, I cannot seem to achieve this with RoR.
Attempt 1: We allow read-only access for the developer group to log indices, and in a separate rule we allow RW access to the .kibana index.
access_control_rules:

- name: "Allow write-only access to logs to the log collector system group"
  type: allow
  groups: ["logcollector"]
  actions: ["indices:data/write/index", "indices:data/write/bulk*", "indices:admin/template/*", "indices:admin/create", "cluster:monitor/main"]
  verbosity: error

- name: "Deny access to kibana user from outside reverse proxy server"
  type: forbid
  auth_key: xxxxxxx
  x_forwarded_for: ["0.0.0.0/0"]
  verbosity: error

- name: "Allowing full access to kibana analytics server from localhost"
  type: allow
  auth_key: xxxxxxxxx
  hosts: [127.0.0.1]
  verbosity: error

- name: "Allow access to developers dashboard"
  type: allow
  groups: ["developers"]
  kibana_access: rw
  indices: [".kibana"]

- name: "Allow access to application logs to the developers"
  type: allow
  groups: ["developers"]
  actions: ["indices:admin/*", "indices:data/read/*", "cluster:monitor/*", "cluster:admin/*"]
  indices: ["logstash-ops-*", ".kibana"]
With this config Kibana hangs when performing a search in the Discover tab. Any query results in a time-out, and examining the request/response logs in the browser, it indeed seems that the response never comes back. The Elasticsearch log indicates that all requests were allowed; unfortunately, however, the response never comes back. This is the only output in the Elasticsearch log:
[2017-05-25T12:53:47,421][INFO ][o.e.p.r.a.ACL ] request: { ID:2114639969-1318819892, TYP:FieldStatsRequest, USR:knesek, BRS:false, ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, MET:POST, PTH:/logstash-ops-app-*/_field_stats, CNT:<OMITTED, LENGTH=178>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow write-only access to logs to the log collector system group->[actions->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allow access to developers dashboard->[kibana_access->true, indices->false]], [Allow access to application logs to the developers->[indices->true, groups->true, actions->true, verbosity->true]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T12:53:47,781][INFO ][o.e.p.r.a.b.r.i.IndicesSyncRule] found 1 subrequests
[2017-05-25T12:53:47,783][INFO ][o.e.p.r.a.ACL ] request: { ID:179488923-1873182215, TYP:MultiSearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[indices->true, groups->true, actions->true, verbosity->true]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow access to developers dashboard->[kibana_access->true, indices->false]] } matched block: Allow access to application logs to the developers match: true}
Attempt 2: Try to combine action rules for R-only on log indices and RW for kibana:
- name: "Allow write-only access to logs to the log collector system group"
  type: allow
  groups: ["logcollector"]
  actions: ["indices:data/write/index", "indices:data/write/bulk*", "indices:admin/template/*", "indices:admin/create", "cluster:monitor/main"]
  verbosity: error

- name: "Deny access to kibana user from outside reverse proxy server"
  type: forbid
  auth_key_sha256: xxxxxxxxxxx
  x_forwarded_for: ["0.0.0.0/0"]
  verbosity: error

- name: "Allowing full access to kibana analytics server from localhost"
  type: allow
  auth_key: xxxxxxxxx
  hosts: [127.0.0.1]
  verbosity: error

- name: "Allow access to application logs to the developers"
  type: allow
  groups: ["developers"]
  actions: ["indices:admin/*", "indices:data/read/*", "cluster:monitor/*", "cluster:admin/*"]
  kibana_access: rw
  indices: ["logstash-ops-*", ".kibana"]
This works in the sense that Discover searches do work, but now the action rules are preventing access to the .kibana index and dashboards cannot be edited.
[2017-05-25T13:02:09,464][INFO ][o.e.p.r.a.ACL ] request: { ID:669410367-2009641601, TYP:FieldStatsRequest, USR:knesek, BRS:false, ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, MET:POST, PTH:/logstash-ops-app-*/_field_stats, CNT:<OMITTED, LENGTH=178>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T13:02:09,862][INFO ][o.e.p.r.a.b.r.i.IndicesSyncRule] found 1 subrequests
[2017-05-25T13:02:09,864][INFO ][o.e.p.r.w.r.SubRequestContext] id: 1035184604-486880334-sub-1803026945 - Not replacing in sub-request. Indices are the same. Old:[logstash-ops-app-2017.05.25] New:[logstash-ops-app-2017.05.25]
[2017-05-25T13:02:09,864][INFO ][o.e.p.r.a.ACL ] request: { ID:1035184604-486880334, TYP:MultiSearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/msearch, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]] } matched block: Allow access to application logs to the developers match: true}
[2017-05-25T13:02:09,866][INFO ][o.e.p.r.a.ACL ] request: { ID:1035184604-1803026945, TYP:SearchRequest, USR:knesek, BRS:false, ACT:indices:data/read/search, OA:127.0.0.1, IDX:logstash-ops-app-2017.05.25, MET:POST, PTH:/_msearch, CNT:<OMITTED, LENGTH=978>, HDR:authorization,Connection,content-length,content-type,Host,x-forwarded-for,x-forwarded-port,x-forwarded-proto, HIS:[Allow write-only access to logs to the log collector system group->[actions->false]], [Allow access to application logs to the developers->[kibana_access->true, indices->true, groups->true, actions->true, verbosity->true]], [Allowing full access to kibana analytics server from localhost->[auth_key->false]], [Deny access to kibana user from outside reverse proxy server->[auth_key_sha256->false]] } matched block: Allow access to application logs to the developers match: true}
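ACL log lines in the format shown above carry a `HIS:` field recording, for each block, which rules evaluated true or false. The following is an added example, not part of the original post and not ReadonlyREST's own code: it parses one such line and lists the rules that caused non-matching blocks to be skipped. The function names are hypothetical, the sample line is constructed by shortening the format above, and only the "matched block" form shown on this page is handled.

```python
import re

# Constructed sample: shortened from the ACL log format in the post
# (CNT and HDR fields dropped); not a verbatim log line.
SAMPLE = (
    "[2017-05-25T12:53:47,421][INFO ][o.e.p.r.a.ACL ] request: { "
    "ID:2114639969-1318819892, TYP:FieldStatsRequest, USR:knesek, BRS:false, "
    "ACT:indices:data/read/field_stats, OA:127.0.0.1, IDX:logstash-ops-app-*, "
    "MET:POST, PTH:/logstash-ops-app-*/_field_stats, "
    "HIS:[Allow access to developers dashboard->"
    "[kibana_access->true, indices->false]], "
    "[Allow access to application logs to the developers->"
    "[indices->true, groups->true, actions->true, verbosity->true]] } "
    "matched block: Allow access to application logs to the developers match: true}"
)

# One history entry: [block name->[rule->bool, rule->bool, ...]]
BLOCK = re.compile(r"\[([^\[\]]+?)->\[([^\[\]]*)\]\]")


def parse_acl_line(line):
    """Split an ACL log line into request fields, rule history and verdict."""
    if "request: {" not in line or "} matched block:" not in line:
        raise ValueError("not an ACL 'matched block' line")
    body = line.split("request: {", 1)[1]
    head, _, rest = body.partition("HIS:")
    history_raw, _, tail = rest.rpartition("} matched block:")
    fields = {}
    # Fields are 'KEY:value' separated by ', '; values may contain ':' or ','.
    for part in re.split(r", (?=[A-Z]{2,3}:)", head.strip().rstrip(",")):
        key, _, value = part.partition(":")
        fields[key] = value
    history = {}
    for name, rules in BLOCK.findall(history_raw):
        pairs = (r.partition("->") for r in rules.split(", ") if r)
        history[name] = {rule: val == "true" for rule, _, val in pairs}
    matched, _, verdict = tail.rpartition(" match:")
    return {"fields": fields, "history": history,
            "matched_block": matched.strip(),
            "allowed": verdict.strip(" }") == "true"}


def failed_rules(parsed):
    """Map each non-matching block to the rules that evaluated false."""
    out = {}
    for name, rules in parsed["history"].items():
        failed = [rule for rule, ok in rules.items() if not ok]
        if name != parsed["matched_block"] and failed:
            out[name] = failed
    return out
```
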