Tenant with ReadWrite, Readonly user groups


(Ravikanth) #1

Hello,

I am exploring the enterprise edition of the Kibana plugin. Below is our requirement. We want to create 1 Tenant per customer. We want to define a ReadWrite and a ReadOnly group for that customer. Once created, we want to assign users to each group.

For ReadWrite, we want to provide access with .kibana_access: rw
For ReadOnly, we want to provide access with .kibana_access: ro_strict and also disable certain menus.

I was able to achieve this by defining 2 Tenants for the same customer (ReadWrite Tenant-Customer1 and ReadOnly Tenant-Customer1). I am expecting this shouldn't be this way. We should be able to define 1 tenant and control the permissions at the group level.

Please help with a sample configuration, so that I can build around it.

Thanks,
Ravikanth


(Simone Scarduzio) #2

Hello @ravjanga,

I think you are describing a scenario very similar to the one described in our multi tenancy guide. Right?


(Ravikanth) #3

Thanks for the pointer.

With what is specified in the document, I am getting an error.

[2019-01-25T20:28:15,881][ERROR][t.b.r.e.IndexLevelActionFilter] [********] Cannot configure ReadonlyREST plugin
tech.beshu.ror.commons.settings.SettingsMalformedException: ACL Block names should be unique! Found more than one ACL block with the same name: ::RO::

Essentially, the ACL block is the same.

###########################
# Tenant - Customer1
###########################
- name: "::RO::"
  auth_key: customer1-ro:abcd123$
  kibana_access: ro
  indices: [".kibana-cfxdls-customer1", "logstash-2018*"]
  kibana_hide_apps: ["kibana:discover", "kibana:visualize", "readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  kibana_index: ".kibana-cfxdls-customer1"
- name: "::RW::"
  auth_key: customer1-rw:abcd123$
  kibana_access: rw
  indices: [".kibana-cfxdls-customer1", "logstash-2018*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  kibana_index: ".kibana-cfxdls-customer1"
- name: "::ADMIN::"
  auth_key: customer1-admin:abcd123$
  kibana_access: admin
  indices: [".kibana_ops", "logstash-*"]
  kibana_index: ".kibana-cfxdls-customer1"

###########################
# Tenant - Customer2
###########################
- name: "::RO::"
  auth_key: customer2-ro:abcd123$
  kibana_access: ro
  indices: [".kibana-cfxdls-customer2", "logstash-2018*"]
  kibana_hide_apps: ["kibana:discover", "kibana:visualize", "readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  kibana_index: ".kibana-cfxdls-customer2"
- name: "::RW::"
  auth_key: customer2-rw:abcd123$
  kibana_access: rw
  indices: [".kibana-cfxdls-customer2", "logstash-2018*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  kibana_index: ".kibana-cfxdls-customer2"
- name: "::ADMIN::"
  auth_key: customer2-admin:abcd123$
  kibana_access: admin
  indices: [".kibana_ops", "logstash-*"]
  kibana_index: ".kibana-cfxdls-customer2"


(Simone Scarduzio) #4

As per the other topic, we updated the documentation to satisfy the unicity constraint on ACL block names.
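An added example, not taken from the thread or from the ReadonlyREST documentation: one way to keep a single tenant (one `kibana_index`) per customer while controlling permissions per group, with block names that include the tenant so they stay unique across the whole ACL. The group names, usernames and `CHANGE_ME` passwords are assumptions made for illustration.

```yaml
readonlyrest:
  access_control_rules:

  ###########################
  # Tenant - Customer1 (one kibana_index, two groups)
  ###########################
  - name: "::CUSTOMER1-RO::"            # tenant in the name keeps it unique
    groups: ["customer1_ro"]            # assumed group name
    kibana_access: ro_strict
    indices: [".kibana-cfxdls-customer1", "logstash-2018*"]
    kibana_hide_apps: ["kibana:discover", "kibana:visualize", "readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
    kibana_index: ".kibana-cfxdls-customer1"

  - name: "::CUSTOMER1-RW::"
    groups: ["customer1_rw"]            # assumed group name
    kibana_access: rw
    indices: [".kibana-cfxdls-customer1", "logstash-2018*"]
    kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
    kibana_index: ".kibana-cfxdls-customer1"

  ###########################
  # Tenant - Customer2 (same pattern, different names and index)
  ###########################
  - name: "::CUSTOMER2-RO::"
    groups: ["customer2_ro"]            # assumed group name
    kibana_access: ro_strict
    indices: [".kibana-cfxdls-customer2", "logstash-2018*"]
    kibana_hide_apps: ["kibana:discover", "kibana:visualize", "readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
    kibana_index: ".kibana-cfxdls-customer2"

  # Users are assigned to groups here instead of one shared login per block.
  # Usernames are constructed samples; replace CHANGE_ME with real secrets.
  users:
  - username: alice
    auth_key: "alice:CHANGE_ME"
    groups: ["customer1_rw"]
  - username: bob
    auth_key: "bob:CHANGE_ME"
    groups: ["customer1_ro"]
  - username: carol
    auth_key: "carol:CHANGE_ME"
    groups: ["customer2_ro"]
```

Adding a user to a customer then only means a new entry under `users` with the right group; the ACL blocks themselves do not change.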