Hi @sscarduzio,
yes, the above test case is still valid. For example, we have user1, which is an LDAP user that is part of both the administrators and developers groups, as below.
```yaml
- username: user1
  groups: ["administrators", "developers"]
  ldap_authentication:
    name: ldapserver1
    cache_ttl_in_sec: 600

- name: administrators
  indices: ["default-index", ".monitoring*", ".kibana*", "ls-*", "mbeat-*"]
  kibana_access: admin
  kibana_index: ".kibana"
  groups: ["administrators"]

- name: developers
  indices: [".kibana_app_developers", "default-index", "ls-app-*"]
  kibana_access: rw
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "monitoring", "apm", "infra:home", "infra:logs"]
  kibana_index: ".kibana_app_developers"
  groups: ["developers"]
```
Plugin version (ES/Kibana 6.5.4):
GET _cat/plugins
10.10.10.10 readonlyrest 1.17.4
To reproduce, we do the following:
- user1 logs on to Kibana, multi-tenancy defaults to the administrators role
- user1 then goes to the Monitoring tab (correct username is reflected at bottom right)
- user1 then chooses the developers role from the multi-tenancy drop-down (to which the role has no access)
- at this point the session is switched to the user context of kibana server, which is reflected at the bottom left corner. The session remains this way until the user is logged off.
I did test all the other tabs, and it appears this only happens with the Monitoring tab. For all the other tabs that are hidden from the developers role, the user is just taken to the main Kibana landing page without the session being switched.