On which node should we update the readonlyrest.yml file?

Hi, I have an ELK setup of 6.4.0 and currently have the readonlyrest.yml file on all nodes, but if I want to add/change any rules, which file should I update? I mean on which node: master, data or client?

  1. I see a .readonlyrest index is created, so does this mean that we no longer need to maintain readonlyrest.yml and it can be managed by the data stored in the index itself?

  2. I am seeing an issue: when I update readonlyrest from the Kibana UI, Kibana stops working, as after that I see no index patterns, visuals and dashboards… What could be the issue?
    Though it works after a restart…

Hi @prashanttct07,

Once you start using our Kibana plugins and their web-based settings editor, a .readonlyrest index will be created, and the settings contained there will override the YAML file.

So yes normally readonlyrest.yml will be read on node restart, checked syntactically, but almost immediately, the in-index settings will take control.

In the unlucky case you lock yourself out editing in-index settings, you will need to disable ReadonlyREST plugin, and delete the .readonlyrest index:

curl -XDELETE 'http://es_host:9200/.readonlyrest'

Now the settings in readonlyrest.yml will be loaded.

So the main idea is that you configure some failsafe local admin account in readonlyrest.yml and all your fine-grained settings should live in the index.

Hi @sscarduzio: Thanks for the detailed answers, so do we still need to maintain the readonlyrest.yml file as if we have that stored under the index…

  1. Just a question: when we set up a multi-node cluster, do we need to add this plugin and conf on all nodes or only on master-eligible nodes?

  2. I am seeing an issue: when I update readonlyrest from the Kibana UI, Kibana behaves strangely and sometimes visuals, index patterns and dashboards are out of sync… Further, if I restart then it starts working but behaves strangely.

  3. Another issue: I have an admin user (say kibana) which creates an index as .kibana and has 250 objects. Now I import the same 250 to another user, say prashant, and they are created under .kibana-prashant… After that I delete 20 objects from prashant… So what I see is that when I log back in as the kibana user I see only 230 objects (here the ones I deleted from prashant as user are not shown for kibana too)…
    On further checking, if I query Elasticsearch as:
    GET _cat/indices/.kibana*

Here I see 250 for .kibana and 230 for .kibana-prashant, but while logging in with the kibana user I don’t see those 20 deleted ones? Any idea what is wrong? Also, on restart of Kibana sometimes it works and sometimes it doesn’t…

You need to maintain readonlyrest.yml, yes, but it won’t change much: as per the strategy, it’s going to contain very basic, static users designed for emergency maintenance.

When you have many nodes in your ES cluster, you have to install the ReadonlyREST plugin on all ES nodes only if you use the filter or fields rule. Otherwise just think of this plugin as a filtering layer in the Elasticsearch HTTP interface. This means that it would be sufficient to install it on cluster nodes that serve HTTP requests.
For example, you could have a group of data nodes with HTTP completely disabled, and another group of nodes just for communication with Kibana/Logstash etc. with HTTP enabled and ReadonlyREST installed.

See relevant docs about deployment strategies.

About some inconsistencies in the UI after changing important settings in the ACL: keep in mind that Kibana has a browser-side cache. Better log out and log in again if your current user was affected by the changes.

Not sure about the objects count issue. Can you try to simplify your experiment down to a smaller reproducer we can experiment upon?
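
The deployment rule in the reply above (plugin on every HTTP-serving node, and on every node once filter or fields rules are in use) can be checked against node info. This is an added example, not code from the thread or from the ReadonlyREST project. It assumes a response shaped like `GET _nodes/http,plugins`, that a node with HTTP disabled reports no `http` section, and that the plugin is listed under the name `readonlyrest`; the sample data and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like a `GET _nodes/http,plugins` response
# (not real cluster output; node names and addresses are made up).
SAMPLE_NODES_INFO = json.loads("""
{
  "nodes": {
    "n1": {"name": "master-1", "roles": ["master"],
           "http": {"publish_address": "10.0.0.1:9200"},
           "plugins": [{"name": "readonlyrest"}]},
    "n2": {"name": "data-1", "roles": ["data"], "plugins": []},
    "n3": {"name": "client-1", "roles": [],
           "http": {"publish_address": "10.0.0.3:9200"},
           "plugins": []},
    "n4": {"name": "data-2", "roles": ["data"],
           "http": {"publish_address": "10.0.0.4:9200"},
           "plugins": [{"name": "readonlyrest"}]}
  }
}
""")


def audit_ror_coverage(nodes_info, uses_filter_or_fields=False,
                       plugin_name="readonlyrest"):
    """Return sorted names of nodes that need the plugin but do not report it.

    Without filter/fields rules only HTTP-serving nodes need the plugin;
    with them, every node in the cluster does.
    plugin_name is an assumption about how the plugin is listed.
    """
    missing = []
    for node in nodes_info.get("nodes", {}).values():
        # Assumption: a node with HTTP disabled has no "http" section.
        serves_http = bool(node.get("http", {}).get("publish_address"))
        has_plugin = any(p.get("name") == plugin_name
                         for p in node.get("plugins", []))
        if (uses_filter_or_fields or serves_http) and not has_plugin:
            missing.append(node.get("name", "<unnamed>"))
    return sorted(missing)


if __name__ == "__main__":
    print("HTTP nodes without plugin:", audit_ror_coverage(SAMPLE_NODES_INFO))
    print("With filter/fields rules:",
          audit_ror_coverage(SAMPLE_NODES_INFO, uses_filter_or_fields=True))
```

Any node the first call returns accepts HTTP requests with no ACL in front of it, so it should either get the plugin or have HTTP disabled.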