RoR Enterprise 1.19.4
Elastic and Kibana 6.8.0
Lets say we have a config like:
- name: "RO access to kibana_test" indices: [".kibana_test"] kibana_access: ro kibana_index: ".kibana_test" groups: ["kibana_test_RO"] - name: "READ access to logstash" indices: ["logstash*"] actions: ["indices:data/read/*"] groups: ["READ_logstash"] users: - username: test_ro_user auth_key: test_ro_user:xxx groups: ["kibana_test_RO", "READ_logstash"]
I would expect that when test_ro_user would login he goes into the .kibana_test with RO rights on that Kibana (because he has the group kibana_test_RO as only group with a kibana index).
This also happens.
And because he is a member of the group READ_logstash he is allowed to read any index starting with logstash*.
This doesn’t happen
If I try this, the audit log gives a message “INDEX NOT EXIST” with this logic trail.
RESOLVED:[group=kibana_test_RO]] [RO access to kibana_test-> RULES:[groups->true kibana_access->true indices->false] RESOLVED:[user=test_ro_user;group=kibana_test_RO;av_groups=kibana_test_RO]] [READ access to logstash-> RULES:[groups->false] RESOLVED:[group=kibana_test_RO]]
The group READ_logstash doesn’t match while the user is a member of this group.
The user doesn’t have the possibility to switch to a different context (the dropdown menu isn’t present).
So it seems only the active group counts for the rights?
Why would I want this?
We run a multitenancy platform where multiple tenants should have read access to the same indices (and most users are also members of multiple tentants )
I would like to define one set of access rules where I define which groups have access to which kibana tentants.
And a seperate set of access rules where I can give access to certain data sets.
user1 has a group list like:
[“ro_kibana_tentant1”, “ro_kibana_tenant2”, “rw_kibana_tenant3”, “READ_salesdata”, “READ_visitors”]
And in tentant1, 2 and 3 the user would have access to salesdata and visitors (if the relevant index patterns are created ofcourse).
user2 has a group list like:
[“ro_kibana_tentant1”, “rw_kibana_tenant2”, “READ_salesdata”]
And in tenant1 and 2 this user only has access to salesdata
Is this possible?
Am I thinking completely wrong?
How would you approach this?
I am open for great suggestions because I am at the point “Can’t see the Wood for the Trees”