Hello ROR Team,
Below is the use case we have.
We have customers for whom we manage log data. For each kind of log data they have different indices. The indices pattern is kind of controlled by our logstash configuration like below.
<CustomerName>_<CATEGORY>_<CustomerId>_*****
Now our aim is to achieve the tasks below.
- When a user from Customer A with Viewer permission logs in, he should only see dashboards/visualizations/indices/index patterns configured for that customer.
- When a user from Customer A with ReadWrite permission logs in, he should be able to see dashboards/visualizations/indices/index patterns of that customer only and be able to define additional ones.
One way to achieve this in ROR, is to have RO/RW/Admin groups for each customer and define users for it. But this is not going to be manageable for us.
Below is what I tried and it seems to be working. But we want to make sure there are hidden gotchas that we should worry about.
readonlyrest:
  access_control_rules:
    - name: "::READONLY::"
      kibana_access: ro
      kibana_index: ".kibana-cfxdls-@{user}"
      verbosity: error
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["viewer"]
      indices: [".kibana-cfxdls-@{user}", "*@{user}*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::READWRITE::"
      kibana_access: rw
      kibana_index: ".kibana-cfxdls-@{user}"
      verbosity: error
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["writer"]
      indices: [".kibana-cfxdls-@{user}", "*@{user}*"]
      kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools"]

    - name: "::ADMIN::"
      kibana_access: admin
      kibana_index: ".kibana-cfxdls-@{user}"
      verbosity: error
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["admin"]
      indices: [".kibana-cfxdls-@{user}", "*@{user}*"]

  jwt:
    - name: jwt_provider_1
      signature_algo: HMAC
      signature_key: "wr8sFmw1jP9JpBjPGKJwvOJg4mIqAwMOaRZ7UrkhIgs_IqlORSEFVU3Go-Ozj9strEIb_NuLqdTCYz9IlZ-pa13S7lun7eyHwzHDKw8m-1LVq0hMUldT0JPLE7OQBY3hhnUk0gtfFW61x31frt7AMZuAPY9UbcaIbVfvwAb5xQgPlc1QkAA-uRfO2qUMPXRQcpIJSbWlqqZioFoAHUiJytRsg_QaWE1kmjHrkg1ueBZqaSXZyBQHnBepPvw8tX9dn-X1yTygiZZ9r1MNSNR64wXizXA8avzvDMMaJMiN1keLfntGjqV2yo6dPhvvc0YApQKpFXCmYsNSYBaHPQDQ5"
      user_claim: cid
      roles_claim: croles
      header_name: Authorization
We are only defining 3 groups: RO/RW/Admin. We use JWT for authentication and send the customer id as part of the JWT. In the tenancy, we are defining the index based on the @{user}. This means when Customer A logs in, his Kibana index and indices would be based on his customer id. Any dashboards he defines would be part of this customer id's Kibana index.
We are expecting this configuration to scale to any number of customers, and we don't have to change the ROR configuration for every new customer we onboard.
Also, I know there is a feature pending for parametrizing JWT fields into the groups. This would help in adding more rules based on our attributes.
Please let us know if this is a supported configuration and this would help expedite our qualification of the plugin.
Thanks,
Ravikanth
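The following is an added example, not part of the post above and not ReadonlyREST's own code. It simulates the one place in this configuration where a tenancy gotcha hides: the `@{user}` variable is substituted into the `indices` rule and the result is matched as a wildcard, so a pattern like `*@{user}*` is only as selective as the customer id is unique as a substring. The script verifies an HS256 JWT with the `cid`/`croles` claims from the post (stdlib only; the key is a constructed placeholder, not the one in the post), expands the `indices` patterns for each tenant, and reports any index visible to a tenant that belongs to another one. Assumptions: Python's `fnmatch` glob semantics stand in for ROR's wildcard matching, the index names and customer ids (`cust1`, `cust2`, `cust10`) are constructed, and `TIGHT_RULE` is a suggested alternative that anchors the id between the underscores of the `<CustomerName>_<CATEGORY>_<CustomerId>_*` naming convention described in the post.

```python
import base64
import fnmatch
import hashlib
import hmac
import json

# Constructed placeholder HMAC key; NOT the signature_key from the post.
SIGNATURE_KEY = b"placeholder-hmac-key-for-the-example-only"

# LOOSE_RULE is the `indices` rule from the post. TIGHT_RULE is an assumed
# alternative that requires the customer id to sit between underscores, as in
# the <CustomerName>_<CATEGORY>_<CustomerId>_* naming convention.
LOOSE_RULE = [".kibana-cfxdls-@{user}", "*@{user}*"]
TIGHT_RULE = [".kibana-cfxdls-@{user}", "*_@{user}_*"]

# Constructed index names mapped to the tenant that owns them.
SAMPLE_OWNER = {
    "acme_syslog_cust1_2020": "cust1",
    "acme_firewall_cust1_2020": "cust1",
    ".kibana-cfxdls-cust1": "cust1",
    "initech_syslog_cust2_2020": "cust2",
    ".kibana-cfxdls-cust2": "cust2",
    "globex_syslog_cust10_2020": "cust10",
    ".kibana-cfxdls-cust10": "cust10",
}
SAMPLE_INDICES = list(SAMPLE_OWNER)
SAMPLE_TENANTS = ["cust1", "cust2", "cust10"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT (header.payload.signature) for the constructed claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HMAC signature in constant time and return the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("JWT signature does not verify")
    return json.loads(_b64url_decode(payload))


def expand_patterns(patterns, user):
    """Substitute @{user} the way the ROR rule would, for one authenticated user."""
    return [p.replace("@{user}", user) for p in patterns]


def visible_indices(index_names, patterns, user):
    """Indices the expanded patterns would let this user reach (fnmatch semantics)."""
    expanded = expand_patterns(patterns, user)
    return sorted(i for i in index_names if any(fnmatch.fnmatchcase(i, p) for p in expanded))


def cross_tenant_leaks(index_names, owner, tenants, patterns):
    """For each tenant, list indices it can reach that belong to a different tenant."""
    leaks = {}
    for tenant in tenants:
        foreign = [i for i in visible_indices(index_names, patterns, tenant)
                   if owner.get(i) not in (None, tenant)]
        if foreign:
            leaks[tenant] = foreign
    return leaks


def tenant_view(token, key, index_names, patterns):
    """Verify the token, read cid/croles as the post's user_claim/roles_claim, expand."""
    claims = verify_jwt(token, key)
    user = claims["cid"]        # user_claim: cid
    roles = claims["croles"]    # roles_claim: croles
    return user, roles, visible_indices(index_names, patterns, user)


if __name__ == "__main__":
    for label, rule in (("loose", LOOSE_RULE), ("tight", TIGHT_RULE)):
        print(label, cross_tenant_leaks(SAMPLE_INDICES, SAMPLE_OWNER, SAMPLE_TENANTS, rule))
    token = sign_jwt({"cid": "cust2", "croles": ["viewer"]}, SIGNATURE_KEY)
    print(tenant_view(token, SIGNATURE_KEY, SAMPLE_INDICES, TIGHT_RULE))
```

Run against the constructed data, the loose rule lets `cust1` see `cust10`'s log index and Kibana index because `cust1` is a substring of `cust10`, while the underscore-anchored rule reports no overlap. The same check is worth re-running whenever a new customer id is issued, since the overlap depends only on how ids nest as substrings, not on anything in the ROR blocks themselves.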