Hello,
We are having an issue when trying to use multitenancy with Kibana.
The config we are using is the following:
readonlyrest:
prompt_for_basic_auth: false
access_control_rules:
- name: "Full Admin Kibana"
groups: ["full-admin"]
indices: ["*"]
kibana_access: "admin"
- name: "Full Admin Users"
groups: ["full-admin"]
indices: ["*"]
actions: ["*"]
- name: "Allow p11001 0"
groups: ["p11001_admin"]
actions: ["indices:admin/*", "cluster:admin/*"]
- name: "p11001 Admin Group Kibana"
groups: ["p11001_admin"]
indices: [".kibana_p11001_admin", "p11001*"]
kibana_index: ".kibana_p11001_admin"
kibana_access: "rw"
- name: "p11001 Admin Group 0"
groups: ["p11001_admin"]
indices: ["p11001*"]
actions: ["*"]
proxy_auth_configs:
- name: "px1"
user_id_header: "x-forwarded-user"
users:
- username: "fulladmin"
groups: ["full-admin"]
auth_key_sha256: "auth_key"
- username: "abcd"
groups: ["p11001_admin"]
proxy_auth:
proxy_auth_config: "px1"
users: ["abcd"]
The issue we are having is that when in the Allow group we add "cluster:admin/*"
, the user “abcd” won’t be able to login because it won’t have any default space available(the kibana_index: “.kibana_p11001_admin” won’t be created).
If we add anything else after admin/ (e.g."cluster:admin/i*"
or "cluster:admin/ilm/*"
) the user will be able to login.
We want the user to be able to access all the actions under cluster:/admin, without specifying all of them in the ROR config.
Also, we are using ES + KB 7.6.2 with Enterprise ROR 1.22.1.
Any help will be appreciated.