According to this section of the documentation: https://readonlyrest.com/documentation/index.html#Users_and_Groups--Local_users_and_groups
It reads that user bob is a member of team2 and team4. I would assume, then, that bob would have access to index2, index3 and the indices defined by team4.
Based on my implementation, I’m not seeing that as a result. Index access is limited to one of the groups they are added to. I want to configure access based on LDAP group membership (ldap_authorization), but I need to get this to work first.
Any ideas? I’m open to the fact that I might be approaching this all wrong. It’s just not how it works.
Here’s what I’ve got configured:
```yaml
readonlyrest:
  audit_collector: 'true'
  prompt_for_basic_auth: 'false'
  ldaps:
    -
      search_user_base_DN: 'cn=users,dc=example,dc=com'
      port: '636'
      search_groups_base_DN: 'cn=groups,dc=example,dc=com'
      host: ldapserver.example.com
      name: ldap1
      unique_member_attribute: Member
      ssl_trust_all_certs: 'true'
  access_control_rules:
    ### SERVICE ACCOUNTS
    -
      name: '::KIBANA-SRV::'
      auth_key: 'kibana:kibana'
      verbosity: error
    -
      name: '::ADMIN::'
      auth_key: 'admin:admin'
    ### GROUPS
    -
      name: "::KIBANA_GRP::"
      groups: ["KIBANA Access"]
      kibana_access: rw
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:management", "timelion"]
    -
      name: "General Access"
      groups: ["General Access"]
      indices: ["shakespeare", "consumer_data"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:management", "timelion"]
    -
      name: "Financial Access"
      groups: ["Financials Access"]
      indices: ["fin-*"]
      kibana_hide_apps: ["readonlyrest_kbn", "kibana:management", "timelion"]
    -
      name: "::ADMIN_GRP::"
      groups: ["ROR (admin)"]
  ### USERS
  users:
    -
      username: "superuser"
      ldap_authentication:
        name: "ldap1"
      groups: ["ROR (admin)"]
    -
      username: "user1"
      ldap_authentication:
        name: "ldap1"
      groups: ["KIBANA Access", "General Access"]
    -
      username: "finuser2"
      ldap_authentication:
        name: "ldap1"
      groups: ["KIBANA Access", "General Access", "Financials Access"]
```