If it can help, here is my readonlyrest.yml config:
readonlyrest:
  audit_collector: true
  access_control_rules:
    - name: "::AD ADMIN::"
      ldap_auth:
        name: "activedirectory"
        groups: ["admins"]
      type: allow
      verbosity: error
    - name: "::AD ONE GROUP::"
      ldap_auth:
        name: "activedirectory"
        groups: ["onegroup"]
      kibana_access: ro
      indices: [".onegroup", <bunch of other indices>]
      kibana_index: ".onegroup"
      verbosity: error
    - name: "::AD OTHER GROUP::"
      ldap_auth:
        name: "activedirectory"
        groups: ["othergroup"]
      kibana_access: ro
      indices: [".othergroup", <bunch of other indices>]
      kibana_index: ".othergroup"
      verbosity: error
    - name: "::ONE GROUP ADMIN::"
      auth_key: onegroup:onegroup
      kibana_access: rw
      indices: [".onegroup", <bunch of other indices>]
      kibana_index: ".onegroup"
      verbosity: error
    - name: "::OTHER GROUP ADMIN::"
      auth_key: othergroup:othergroup
      kibana_access: rw
      indices: [".othergroup", <bunch of other indices>]
      kibana_index: ".othergroup"
      verbosity: error
    - name: "::KIBANA-SRV::"
      auth_key: kibana:xxxxxx
      type: allow
And the relevant logs once the default index pattern is modified:
[2019-03-25T15:44:28,715][INFO ][t.b.r.e.IndexLevelActionFilter] [my-es-host] Settings observer refreshing...
[2019-03-25T15:44:28,719][INFO ][t.b.r.r.SerializationTool] [my-es-host] no .onegrouptom audit log serialisers found, proceeding with default.
[2019-03-25T15:44:28,751][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::AD ADMIN::', policy: ALLOW, rules: [ldap_auth]}
[2019-03-25T15:44:28,751][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::AD ONE GROUP::', policy: ALLOW, rules: [ldap_auth, kibana_access, indices, kibana_index]}
[2019-03-25T15:44:28,751][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::AD OTHER GROUP::', policy: ALLOW, rules: [ldap_auth, kibana_access, indices, kibana_index]}
[2019-03-25T15:44:28,751][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::ONE GROUP ADMIN::', policy: ALLOW, rules: [auth_key, kibana_access, indices, kibana_index]}
[2019-03-25T15:44:28,751][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::OTHER GROUP ADMIN::', policy: ALLOW, rules: [auth_key, kibana_access, indices, kibana_index]}
[2019-03-25T15:44:28,752][INFO ][t.b.r.a.ACL ] [my-es-host] ADDING BLOCK: { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]}
[2019-03-25T15:44:28,752][INFO ][t.b.r.e.IndexLevelActionFilter] [my-es-host] Configuration reloaded - ReadonlyREST enabled
[2019-03-25T15:44:28,773][INFO ][t.b.r.e.SettingsObservableImpl] [my-es-host] all ok, written settings
[2019-03-25T15:44:39,959][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:1962194496-1122009013#24162273, TYP:CreateIndexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/create, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=3024}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:44:39,982][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:2131611748-1949012630#24162275, TYP:ReindexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:data/write/reindex, OA:<kibana ip>, DA:<es ip>, IDX:, MET:POST, PTH:/_reindex?refresh=true&wait_for_active_shards=all, CNT:<OMITTED, LENGTH=138>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=138}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:44:41,782][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:1306909829-1591218567#24162328, TYP:PutIndexTemplateRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/template/put, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/_template/kibana_index_template%3A.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=3024}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:44:41,790][INFO ][o.e.c.m.MetaDataIndexTemplateService] [my-es-host] adding template [kibana_index_template:.onegroup] for index patterns [.onegroup]
[2019-03-25T15:44:51,950][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:104823682-1993644643#24162836, TYP:PutIndexTemplateRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/template/put, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/_template/kibana_index_template%3A.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=3024}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:44:51,957][INFO ][o.e.c.m.MetaDataIndexTemplateService] [my-es-host] adding template [kibana_index_template:.onegroup] for index patterns [.onegroup]
[2019-03-25T15:45:03,082][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:797550172-1338405730#24163385, TYP:CreateIndexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/create, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=3024}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:45:03,104][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:877396540-751578736#24163387, TYP:ReindexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:data/write/reindex, OA:<kibana ip>, DA:<es ip>, IDX:, MET:POST, PTH:/_reindex?refresh=true&wait_for_active_shards=all, CNT:<OMITTED, LENGTH=138>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=138}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
[2019-03-25T15:45:04,474][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:1171508911-1101117123#24163519, TYP:PutIndexTemplateRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/template/put, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/_template/kibana_index_template%3A.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Connection=keep-alive, content-type=application/json, Host=my-es-host.example.com:9200, Content-Length=3024}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::AD OTHER GROUP::->[ldap_authentication->false]], [::OTHER GROUP ADMIN::->[auth_key->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }
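The ACL lines in the post share one layout: the verdict, the block that produced it with its rule list, then `req={...}` carrying `USR`, `ACT`, `IDX`, `KDX` and the `HIS` block-evaluation history. As an added example (not part of the post, and not ReadonlyREST's own code), the Python below parses that layout into structured events and flags requests that named an index while being allowed by a block that carries no `indices` rule, which is what every `::KIBANA-SRV::` line above shows; the sample lines are constructed, shortened copies of the post's own, and the field-separator regex assumes the `, KEY:` token layout seen there.

```python
import re
from dataclasses import dataclass

# Constructed samples: shortened copies of the ACL lines quoted in the post (colour codes and most HDR entries dropped).
SAMPLE_LOGS = [
    "[2019-03-25T15:44:39,959][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:1962194496-1122009013#24162273, TYP:CreateIndexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/create, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>, Host=my-es-host.example.com:9200}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::AD ONE GROUP::->[ldap_authentication->false]], [::ONE GROUP ADMIN::->[auth_key->false]], [::KIBANA-SRV::->[auth_key->true]] }",
    "[2019-03-25T15:44:39,982][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:2131611748-1949012630#24162275, TYP:ReindexRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:data/write/reindex, OA:<kibana ip>, DA:<es ip>, IDX:, MET:POST, PTH:/_reindex?refresh=true&wait_for_active_shards=all, CNT:<OMITTED, LENGTH=138>, HDR:{Authorization=<OMITTED>}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::KIBANA-SRV::->[auth_key->true]] }",
    "[2019-03-25T15:44:41,782][INFO ][t.b.r.a.ACL ] [my-es-host] ALLOWED by { name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]} req={ ID:1306909829-1591218567#24162328, TYP:PutIndexTemplateRequest, CGR:N/A, USR:kibana, BRS:false, KDX:null, ACT:indices:admin/template/put, OA:<kibana ip>, DA:<es ip>, IDX:.onegroup, MET:PUT, PTH:/_template/kibana_index_template%3A.onegroup, CNT:<OMITTED, LENGTH=3024>, HDR:{Authorization=<OMITTED>}, HIS:[::AD ADMIN::->[ldap_authentication->false]], [::KIBANA-SRV::->[auth_key->true]] }",
]
HEAD_RE = re.compile(  # head of a verdict line: timestamp, level, logger, node, verdict, matching block + its rules, req={...}
    r"^\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<verdict>ALLOWED|FORBIDDEN) by "
    r"\{ name: '(?P<block>[^']+)', policy: \w+, rules: \[(?P<rules>[^\]]*)\]\} req=\{ (?P<req>.*)\}\s*$")
HIS_RE = re.compile(r"\[(::[^\]]+?::)->\[([^\]]*)\]\]")  # one HIS entry: [::BLOCK::->[rule->bool, ...]]

@dataclass
class AclEvent:
    ts: str
    verdict: str
    block: str            # block that produced the verdict
    block_rules: list     # rules that block carries, from "rules: [...]"
    user: str             # USR
    action: str           # ACT
    indices: str          # IDX; empty for requests naming no index (the _reindex call)
    kibana_index: object  # KDX, None when logged as "null"
    history: list         # HIS as (block, {rule: passed}) in evaluation order

def req_field(req: str, key: str) -> str:
    """Value of KEY: inside req={...}; a value runs up to the next ', KEY:' separator (assumed layout)."""
    m = re.search(r"(?:^|, )" + key + r":(.*?)(?=, [A-Z]{2,3}:|\s*$)", req)
    return m.group(1) if m else ""

def parse_history(his: str) -> list:
    return [(block, {r.split("->")[0]: r.split("->")[1] == "true" for r in rules.split(", ") if r})
            for block, rules in HIS_RE.findall(his)]

def parse_acl_line(line: str):
    m = HEAD_RE.match(line)
    if not m:
        return None  # not a verdict line (e.g. "ADDING BLOCK" or the template-service messages)
    req, kdx = m["req"], req_field(m["req"], "KDX")
    return AclEvent(m["ts"], m["verdict"], m["block"], [r.strip() for r in m["rules"].split(",")],
                    req_field(req, "USR"), req_field(req, "ACT"), req_field(req, "IDX"),
                    None if kdx == "null" else kdx, parse_history(req_field(req, "HIS")))

def unscoped_index_requests(lines) -> list:
    """Requests naming an index that were allowed by a block with no `indices` rule (who, not which index)."""
    events = filter(None, map(parse_acl_line, lines))
    return [(ev.ts, ev.user, ev.block, ev.action, ev.indices) for ev in events
            if ev.verdict == "ALLOWED" and ev.indices and "indices" not in ev.block_rules]
```

Run against a real log, the history lets you see per request why each tenant block was skipped (here `ldap_authentication->false` and `auth_key->false` before `::KIBANA-SRV::` matched).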