Not able to use separate .kibana indices for LDAP groups

Hi!

We’ve been using RoR Free for a while. We are using LDAP as auth backend, and it works just fine.

Now we want to use separate spaces for groups of users. My readonlyrest.yml looks like this (only relevant sections shown):

readonlyrest:
  enable: true
  access_control_rules:
  - name: group1
    ldap_authentication: ldap1
    ldap_authorization:
      name: ldap1
      groups:
      - my-group
    indices:
    - data-*
    - "[email protected]{acl:current_group}"
    kibana_index: "[email protected]{acl:current_group}"
    kibana_access: ro

But then I get FORBIDDEN in ES logs. I thought I should add kibana.index: [email protected]{acl:current_group} to kibana.yml but then I get "Another Kibana instance appears to be migrating the index. Waiting for that migration to complete. If no other Kibana instance is attempting migrations, you can get past this message by deleting index [email protected]{acl:current_group}_1 and restarting Kibana." on Kibana restart. The result is the same with readonlyrest_kbn and without it.

How should I proceed? Is this feature is PRO or Enterprise only? If so, could you, please, specify editions to which configuration directive is applicable?

You have an indentation problem. You re putting ACL rules under ldap_authorization. I suggest moving indices, kibana_index and kibana access above the ldap* rules.

Thank you for pointing out, it was just a formatting issue. Of course, I have this config working on my RoR node. Edited my original post for consistency.

My question is mostly: how does kibana_index setting works in case when Kibana doesn’t have ror_kbn plugin installed. Do I need to install kibana plugin? What should I set in kibana.yml file for kibana.index?

I think if you install our kibana free plugin, and add xpack.security.enabled: false to kibana.yml it should work.
I assume you already set up elasticsearch credentials in it.

They will just not be able to switch between tenancies, and you won’t be able to hide kibana apps, or tweak kibana appearance with css/js.
Also, the ror settings editor won’t work in free. You’re stuck editing the yaml files and restarting all nodes.

So, in order to get kibana_index work, I should modify Kibana’s kibana.index setting, right? And this will work only when ror_kbn plugin is installed, am I right?

no you don’t need to change the kibana index in kibana.yml, ror will change dynamically when Kibana handles a specific http request.