Hi,
RoR 1.31.0
Elasticsearch 7.12.1
Kibana 7.12.1
Also tried with RoR 1.32.0 on Kibana (with 1.31.0 on Elasticsearch (more difficult to temp upgrade), also gives forbidden.
User with RW permissions on Kibana is not allowed to shorten URL’s.
I would asume even user with only RO permission on Kibana is allowed to shorten URL.
Dummy config:
access_control_rules:
- name: "Allow team X read access to all indices"
kibana_access: rw
kibana_hide_apps: ["Analytics|Maps", "Analytics|Overview", "Observability", "Security", "readonlyrest_kbn", "Management", "Enterprise Search"]
groups: ["X"]
users:
- username: theusersusersname
auth_key_sha256: his-sha-hash
groups: ["X"]
Results in:
[Allow team X read access to all indices-> RULES:[groups->true
kibana_hide_apps->true
kibana_access->false] RESOLVED:[user=theusersusersname;group=X;av_groups=X;indices=.kibana_7.12.1]]
The audit event shows it as:
PUT indices:data/write/index IndexRequest /.kibana_7.12.1/_create/url:462a9265e68b04ce59dfb0cc4b428c1b
A user with level unrestricted is allowed to shorten URL’s.
Could you please check?
Is my assumption that even a RO Kibana user should be able to shorten URL’s correct?