I’m trying to set up ROR to support two Kibana instances:
One instance, the “main” one, would be read-only, except for members of the administration group, who can make changes to dashboards, visualizations, searches, etc.
This instance uses an index named .kibana5.
The other instance would be read-write for all. This is a “sandbox” instance where anyone can create new and edit existing objects.
This instance uses an index named .kibana5-sandbox.
The general idea is to have a “clean” main instance with well-named and organized objects.
The other would be a playground for devs to create and test visualizations. When they’re happy with the result, the object would be exported and imported in the “main” instance.
I can’t figure out what the correct ROR configuration for this would be. At this point, I’m starting to think I might need to spawn another ES client node with a different ROR configuration for the sandbox instance, since the “kibana_access: ro” directive applies to any Kibana instance.
Here’s my current configuration. The missing piece is how to grant Kibana users access to the .kibana5-sandbox index, so they can save their changes on the sandbox instance.

    - name: ":: KIBANA SERVER ::"
      auth_key: "kibana:password"
      hosts: [127.0.0.1]

    - name: ":: KIBANA SANDBOX ::"
      auth_key: "kibana-sandbox:password"
      hosts: [127.0.0.1]

    - name: ":: KIBANA ADMIN ::"
      kibana_access: rw
      ldap_auth:
        name: "AD"
        groups: [ "LogStash_Admins" ]

    - name: ":: RO USERS ::"
      kibana_access: ro
      kibana_hide_apps: [ "readonlyrest_kbn", "kibana:management" ]
      ldap_auth:
        name: "AD"
        groups: [ "LogStash_Users" ]

Any guidance is much appreciated!