Kibana ROR Multi tenancy with JWT


(Mohankumar) #1

Hi Simone,

I have indexed customer data partitioned by customer as follows,

perimeter-customerA-2018-11-09
perimeter-customerB-2018-11-09
perimeter-customerC-2018-11-09

So I would like to authenticate the users using a JWT token. In the documentation I have read that we can pass the roles, permissions and the user name in the JWT token.

How can we define the indices policy per user? In my case:

User john needs access to perimeter-customerA-2018-11-09 and
User peter needs access to perimeter-customerB-2018-11-09

In the below, how can we map the user to the indices?

readonlyrest:
    access_control_rules:
    - name: Valid JWT token with a viewer role
      kibana_access: ro
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["viewer"]
        
    - name: Valid JWT token with a writer role
      kibana_access: rw
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["writer"]
        
    jwt: 
    - name: jwt_provider_1
      signature_algo: RSA
      signature_key: "your_signature"
      user_claim: email
      roles_claim: resource_access.client-app.roles # JSON-path style
      header_name: Authorization

Looking forward to your answer.


(Simone Scarduzio) #2

Hi @mohankumar!

You can refer to the current username as a dynamic variable within many rules, including the indices rule. To follow your requirement, something like this would probably do the trick:

readonlyrest:
    access_control_rules:
    - name: Valid JWT token with a viewer role
      kibana_access: ro
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["viewer"]
      indices: [".kibana", "perimeter-@{user}*"]
        
    - name: Valid JWT token with a writer role
      indices: [".kibana", "perimeter-@{user}*"]
      kibana_access: rw
      jwt_auth:
        name: "jwt_provider_1"
        roles: ["writer"]
        
    jwt: 
    - name: jwt_provider_1
      signature_algo: RSA
      signature_key: "your_signature"
      user_claim: email
      roles_claim: resource_access.client-app.roles # JSON-path style
      header_name: Authorization

Notice how:

  1. You need to allow the .kibana index within the list of allowed indices for kibana users
  2. The order in which you write the rules inside an ACL block does not count (I added the indices rule in different places in two similar ACL blocks).

(Mohankumar) #3

I got your point. I need a little more clarification on the above.

I have indices like

perimeter-1-2018-11-09
perimeter-2-2018-11-09
perimeter-3-2018-11-09
perimeter-4-2018-11-09
perimeter-5-2018-11-09

(The numbers 1,2,3,4,5 in the above indices are the respective customer IDs)

But by user name, I have to allow some users to access more than one customer ID

indices: [".kibana", "perimeter-@{user}*"]

Hope in the above @user will get the details from the JWT claim of the user, but I have to map the different customer indices to a specific user at run time.

Is there any possible way to send the multiple customer IDs by JWT and use them dynamically

     indices: [".kibana", "perimeter-@{user}*"]

or

Is there any way to pass the indices dynamically with a JWT token claim?

Thanks
Mohankumar.S


(Simone Scarduzio) #4

Yes, the @user variable comes from the value of the claim named as in user_claim, that is "email" in your case.


As of today, JWT claims are not replaced as dynamic variables, but I don’t see why not to add this feature.

     indices: [".kibana", "perimeter-@{jwt:jsonpath.to.string1}-*", "perimeter-@{jwt:jsonpath.to.string2}-*"]

Would this help you?
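As an added example that is not code from this thread or from ReadonlyREST, the following Python models the two mechanisms discussed above: the `@{user}` variable from post #2 and the `@{jwt:path}` claim variable proposed in post #4. Everything in it is constructed: HS256 with a shared secret stands in for the RSA key so it runs offline, the `tenants.first`/`tenants.second` claims and the index names are made up, and the first-matching-block evaluation in `authorize` is an assumption about how the rules combine, not ReadonlyREST's implementation.

```python
"""Model of the ACL from the thread: verify the JWT, take the user from
`user_claim`, the roles from the dotted `roles_claim` path, expand the
@{user} / @{jwt:path} placeholders in `indices`, then match the requested
index names as wildcards against the first block whose roles fit."""
import base64
import fnmatch
import hashlib
import hmac
import json
import re

# Constructed secret: the thread uses RSA; HS256 is used here only so the
# example runs with the standard library.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict) -> str:
    """Build an HS256 token for the constructed test identities."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature before trusting any claim; raise on tampering."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad JWT signature")
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_unb64url(body))


def claim_path(claims: dict, path: str):
    """Resolve a dotted path such as resource_access.client-app.roles."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def expand(pattern: str, user, claims: dict) -> str:
    """Replace @{user} and the proposed @{jwt:path} placeholders.
    A missing claim becomes an empty string, so the pattern matches
    nothing rather than widening into a wildcard."""
    pattern = pattern.replace("@{user}", str(user or ""))
    return re.sub(r"@\{jwt:([^}]+)\}",
                  lambda m: str(claim_path(claims, m.group(1)) or ""), pattern)


def authorize(acl: dict, token: str, requested: list):
    """Name of the first block that allows every requested index, else None."""
    claims = verify_jwt(token)
    provider = acl["jwt"][0]
    user = claim_path(claims, provider["user_claim"])
    roles = set(claim_path(claims, provider["roles_claim"]) or [])
    for block in acl["access_control_rules"]:
        if not roles & set(block["jwt_auth"]["roles"]):
            continue  # rule order inside a block is irrelevant; block order is not
        patterns = [expand(p, user, claims) for p in block["indices"]]
        if all(any(fnmatch.fnmatchcase(i, p) for p in patterns) for i in requested):
            return block["name"]
    return None


def rejects_forged(token: str, new_claims: dict) -> bool:
    """True if swapping the payload while keeping the old signature is refused."""
    header, _body, sig = token.split(".")
    forged = f"{header}.{_b64url(json.dumps(new_claims).encode())}.{sig}"
    try:
        verify_jwt(forged)
        return False
    except ValueError:
        return True


ACL = {  # constructed mirror of the thread's YAML, as Python dicts
    "access_control_rules": [
        {"name": "viewer", "kibana_access": "ro",
         "jwt_auth": {"name": "jwt_provider_1", "roles": ["viewer"]},
         "indices": [".kibana", "perimeter-@{user}-*"]},
        {"name": "writer", "kibana_access": "rw",
         "jwt_auth": {"name": "jwt_provider_1", "roles": ["writer"]},
         "indices": [".kibana", "perimeter-@{jwt:tenants.first}-*",
                     "perimeter-@{jwt:tenants.second}-*"]},
    ],
    "jwt": [{"name": "jwt_provider_1", "user_claim": "email",
             "roles_claim": "resource_access.client-app.roles"}],
}


def token_for(email: str, roles: list, **extra) -> str:
    return mint_jwt({"email": email, **extra,
                     "resource_access": {"client-app": {"roles": roles}}})


JOHN = token_for("customerA", ["viewer"])
PETER = token_for("peter", ["writer"], tenants={"first": "customerB", "second": "customerC"})
EMAIL_USER = token_for("customerA@example.com", ["viewer"])

if __name__ == "__main__":
    print(authorize(ACL, JOHN, [".kibana", "perimeter-customerA-2018-11-09"]))
    print(authorize(ACL, PETER, ["perimeter-customerB-2018-11-09", "perimeter-customerC-2018-11-09"]))
```

Two things the model makes visible: the `@{user}` expansion only isolates a tenant if the `user_claim` value is the tenant key itself, so an email-shaped claim such as `customerA@example.com` expands to a pattern that matches no `perimeter-customerA-*` index; and a claim that is absent from the token expands to an empty string rather than to a wildcard, which is the safe failure mode for a multi-tenant filter.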


(Mohankumar) #5

Sure, will try this. Thanks