If you want to grant access permissions on items such as clusters, indexes, and fields, you can use the role-based access control (RBAC) mechanism that is provided by the X-Pack plug-in of Elasticsearch. This mechanism allows you to grant permissions to custom roles and assign the roles to users to implement access control. Elasticsearch provides a variety of built-in roles. You can create custom roles based on the built-in roles to meet your business requirements. This topic describes how to create and configure a custom role to implement access control.

Procedure

Note This topic describes the operations on a V6.7 cluster and on a V7.X cluster. Operations on clusters of other versions may differ. The actual operations in the console prevail.
  1. Create a role.
    1. Log on to the Kibana console and go to the Kibana homepage as prompted.
      For more information, see Log on to the Kibana console.
    2. Go to the configuration management page.
      • V6.7 cluster: In the left-side navigation pane, click Management.
      • V7.X cluster: Click the Show icon in the upper-left corner and choose Management > Stack Management.
    3. In the Security section, click Roles.
    4. In the Roles section, click Create role. Then, configure the following parameters.
      Parameter | Description
      Role name | The name of the role.
      Cluster privileges | The operation permissions on the cluster, such as the permissions to view the health status and settings of the cluster and the permission to create snapshots. For more information, see Cluster privileges.
      Run As privileges | The user who assumes the role. This parameter is optional. If you do not configure this parameter, you can assign the role to a user when you create the user. For more information, see Create a user.
      Index privileges | The operation permissions on indexes. For example, if you want to grant the role the read-only permissions on all fields in all indexes, set the Indices parameter to an asterisk (*) and the Privileges parameter to read. You can set the Indices parameter to an asterisk or a regular expression. For more information, see Indices privileges. When you configure the Index privileges parameter, you need to configure the following parameters:
      • Indices: the index pattern, such as heartbeat-*.
        Note If no index patterns are available, click Index Pattern in the Kibana section of the Management page and create an index pattern as prompted.
      • Privileges: the permissions that you want to grant to the role.
      • Granted fields (optional): the fields on which you want to grant permissions.
      Kibana privileges | The operation permissions on Kibana.
      Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.
      When you create a role, you must grant permissions to the role. In this example, the following permissions are granted:
    5. Click Create role.
  2. Create a user and assign the role to the user.
    1. Go to the configuration management page.
      • V6.7 cluster: In the left-side navigation pane, click Management.
      • V7.X cluster: Click the Show icon in the upper-left corner and choose Management > Stack Management.
    2. In the Security section, click Users.
    3. In the upper-right corner of the Users section, click Create new user. Then, configure the following parameters.
      Parameter | Description
      Username | The username, which is used to log on to the Kibana console. Specify a username based on your business requirements.
      Password | The password of the user, which is used to log on to the Kibana console. Specify a password based on your business requirements.
      Confirm password | The value must be the same as that of the Password parameter.
      Full name | The full name of the user. Specify a full name based on your business requirements.
      Email address | The email address of the user.
      Roles | The role that you want to assign to the user. You can specify one or more roles. The roles can be built-in or custom roles.
      Important If you specify a user when you create a role, you still need to specify this parameter. Otherwise, an error is reported when you log on to the Kibana console as the user.
    4. Click Create user.
  3. Log on to the Kibana console as the user and perform operations to check whether the user has the related permissions.
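The same role and user can also be created by scripting the Elasticsearch security API instead of clicking through the forms above. The Python helper below is an added example, not part of the original page: it translates the form parameters into the request bodies for PUT /_security/role/<name> and POST /_security/user/<name>. The application name kibana-.kibana (the default Kibana application) and the sample values passed in the usage section are assumptions.

```python
"""Build the request bodies that the Create role and Create user forms submit,
so the same configuration can be scripted against the Elasticsearch security
API. Added example; the Kibana application name is the default and an assumption."""
import json

KIBANA_APP = "kibana-.kibana"  # assumption: default Kibana application name


def build_role(cluster=(), indices=(), privileges=(), granted_fields=("*",),
               kibana_privilege="none", kibana_space=None, run_as=()):
    """Translate the Create role form into a /_security/role body.

    indices          -> Indices (full names or patterns such as heartbeat-*)
    privileges       -> Index privileges (read, write, create_index, ...)
    granted_fields   -> Granted fields; ("*",) means all fields
    kibana_privilege -> base privilege: none, read or all
    kibana_space     -> None grants the base privilege in all spaces; a space id
                        restricts it to that space (required for feature privileges)
    """
    body = {"cluster": list(cluster), "indices": [], "applications": [],
            "run_as": list(run_as)}
    if indices:
        if not privileges:
            raise ValueError("index privileges are required when indices are set")
        body["indices"].append({"names": list(indices),
                                "privileges": list(privileges),
                                "field_security": {"grant": list(granted_fields)}})
    if kibana_privilege != "none":  # none: no space may access Kibana (page default)
        resource = "*" if kibana_space is None else f"space:{kibana_space}"
        body["applications"].append({"application": KIBANA_APP,
                                     "privileges": [kibana_privilege],
                                     "resources": [resource]})
    return body


def build_user(username, password, roles, full_name="", email=""):
    """Translate the Create user form into a /_security/user body.
    Per the Important note above, a user without a role cannot log on to
    Kibana, so an empty roles list is rejected here."""
    if not roles:
        raise ValueError(f"assign at least one role to {username}")
    return {"password": password, "roles": list(roles),
            "full_name": full_name, "email": email}


if __name__ == "__main__":
    # Table 1 scenario: read-only on kibana_sample_data_logs plus Kibana read
    role = build_role(indices=["kibana_sample_data_logs"], privileges=["read"],
                      kibana_privilege="read")
    print(json.dumps(role, indent=2))
    print(json.dumps(build_user("reader", "<password>", ["read-index"]), indent=2))
```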

Configure read-only permissions on indexes

Scenario

Grant the read-only permissions on a specific index to a common user. In this case, the user can query data from the index in the Kibana console but cannot access clusters.

Role configuration

Read-only permissions on a specific index
Table 1. Permission description
Permission type | Permission key | Permission value | Description
Index privileges | indices | kibana_sample_data_logs | The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
Index privileges | privileges | read | The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
Index privileges | Granted fields (optional) | * | The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana.
Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

  • Log on to the Kibana console as the common user and run an index read command. The system returns results as expected.
    GET /kibana_sample_data_logs/_search
  • Run an index write command. The system returns an error message. The message indicates that the user is not authorized to perform write operations.
    POST /kibana_sample_data_logs/_doc/1
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }

Configure operation permissions on dashboards

Scenario

Grant the read-only permissions on a specific index and the permissions to view the dashboards for the index to a common user.

Role configuration

When you create the user, assign the read-index and kibana_dashboard_only_user roles to the user.
  • read-index: a custom role. You must manually create the role. This role has read-only permissions on the specific index.
  • kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
    Note
    • In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. If you want to view the dashboards for a specific index, you only need to configure the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
    • The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, in the Dashboard section of the page that appears, set the Dashboards only roles parameter to the custom role. The default value of this parameter is kibana_dashboard_only_user.

Verification

Log on to the Kibana console as the common user and view the dashboards for the specific index.

Configure read and write permissions on indexes and read-only permissions on your cluster

Scenario

Grant the read, write, and delete permissions on specific indexes and the read-only permissions on your cluster and Kibana to a common user.

Role configuration

Read and write permissions on indexes and read-only permissions on a cluster
Table 2. Permission description
Permission type | Permission key | Permission value | Description
Cluster privileges | cluster | monitor | The read-only permissions on the cluster, such as the permissions to view the running status, health status, hot threads, node information, and blocked tasks of the cluster.
Index privileges | indices | heartbeat-*,library* | The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges.
Index privileges | privileges | read | The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
Index privileges | privileges | create_index | The permission to create indexes. If you want to specify an alias for an index when you create the index as the user, you must grant the manage permission to the user. Important The alias must meet the matching rules that are defined by the Indices parameter.
Index privileges | privileges | view_index_metadata | The read-only permissions on index metadata. The permissions include the permissions to call the following APIs: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm.
Index privileges | privileges | write | The permission to perform all write operations on documents. The operations include mapping updates and the operations that are performed by calling the index, update, delete, or bulk API. The write permission involves more operation permissions than the create and index permissions.
Index privileges | privileges | monitor | The permission to monitor all operations. The operations include the operations that are performed by calling the index recovery, segments info, index stats, or status API.
Index privileges | privileges | delete | The permission to delete documents.
Index privileges | privileges | delete_index | The permission to delete indexes.
Index privileges | granted fields | * | The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana.
Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

Log on to the Kibana console as the common user and run the following commands. The system returns results as expected.
  • View the details about indexes in the cluster
    GET /_cat/indices?v
  • View the status of the cluster
    GET /_cluster/stats
  • Query data in the product_info index
    GET /product_info/_search
  • Query data in the product_info1 index
    GET /product_info1/_search
  • Use a POST request to write data to the kibana_sample_data_logs index
    POST /kibana_sample_data_logs/_doc/2
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }
  • Use a PUT request to write data to the product_info2 index
    PUT /product_info2/_doc/1
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }
  • Delete the product_info index
    DELETE product_info

Configure read-only permissions on the Discover page and a specific index

Scenario

Grant the read-only permissions on the Discover page of the Kibana console and the read-only permissions on a specific index to a common user. This way, the user can view the data in the index on the Discover page.

Role configuration

Read-only permissions on the Discover page and a specific index
Table 3. Permission description
Permission type | Permission key | Permission value | Description
Cluster privileges | Privileges | monitor | The read-only permissions on your cluster, such as the permissions to view the running status, health status, hot threads, node information, node and cluster statistics, and blocked tasks of the cluster.
Index privileges | Indices | kibana_sample_data_ecommerce | The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
Index privileges | Privileges | read | The read-only permissions on the index. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
Index privileges | Granted fields (optional) | * | The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges | Privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana.
Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space. For example, when you assign the read-only permissions on the Discover page of the Kibana console, you must specify a Kibana space.

Verification

Log on to the Kibana console as the common user and view the data in the index on the Discover page.

Configure permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents

Scenario

Grant the permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents to a common user. In addition, prohibit the user from logging on to the Kibana console.

Role configuration

Table 4. Permission description
Permission type | Permission key | Permission value | Description
Index privileges | Indices | test* | The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
Index privileges | Privileges | create_index | The permission to create indexes. If you want to specify an alias for an index when you create the index as the user, you must grant the manage permission to the user.
Index privileges | Privileges | delete_index | The permission to delete indexes.
Index privileges | Privileges | index | The permission to index documents, update documents, and update index mappings.
Index privileges | Privileges | delete | The permission to delete documents.
Index privileges | Privileges | read | The read-only permissions on indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
Index privileges | Privileges | manage | The permission to manage indexes. The management operations that you can perform include the operations that are performed by calling the aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, or validate API.
Index privileges | Granted fields (optional) | * | The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges | Privileges | none | The default value of this parameter is none. This value indicates that no spaces are authorized to access Kibana.
Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

  • Access your cluster, create an index in the cluster, and delete the index.
  • Modify the configurations of an index. In this example, the data in the index is specified as cold data.
  • Add, remove, modify, and query documents.
  • Log on to the Kibana console.
    The system prompts that the user does not have the required permissions.
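To reason about what the verifications in the read-only scenario (Table 1) and the test* scenario (Table 4) demonstrate, the following Python model, added here as an example and not Elasticsearch's own authorization code, maps each index privilege from the page's tables to the operations it covers and evaluates a request against a role body in the /_security/role shape. The operation names and the wildcard-only pattern matching are simplifying assumptions; a real cluster matches fine-grained action names.

```python
"""Simplified model of how the index privileges in Tables 1-4 authorize a request.
Added illustration; the operation sets come from the page's descriptions."""
import re

# Operations each index privilege covers, per the descriptions on this page.
# The "delete" listed under manage is read as the delete-index API.
PRIVILEGE_OPS = {
    "read": {"count", "explain", "get", "mget", "scripts", "search", "scroll"},
    "index": {"index", "update", "mapping_update"},
    "write": {"index", "update", "delete", "bulk", "mapping_update"},
    "delete": {"delete"},
    "create_index": {"create_index"},
    "delete_index": {"delete_index"},
    "view_index_metadata": {"aliases", "get_index", "field_mappings", "mappings",
                            "search_shards", "get_settings"},
    "manage": {"aliases", "analyze", "cache_clear", "close", "delete_index", "exists",
               "flush", "mapping", "open", "force_merge", "refresh", "settings",
               "search_shards", "templates", "validate"},
    "monitor": {"recovery", "segments", "stats", "status"},
}


def index_matches(pattern, index):
    """True if `index` matches an Indices entry; '*' stands for any characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), index) is not None


def effective_ops(role, index):
    """Union of operations the role grants on one concrete index name.
    `role` is {"indices": [{"names": [...], "privileges": [...]}, ...]}."""
    ops = set()
    for entry in role.get("indices", []):
        if any(index_matches(p, index) for p in entry["names"]):
            for priv in entry["privileges"]:
                ops |= PRIVILEGE_OPS.get(priv, set())
    return ops


def is_allowed(role, index, op):
    return op in effective_ops(role, index)


# Constructed role bodies matching the page's Table 1 and Table 4 scenarios.
READ_ONLY_ROLE = {"indices": [{"names": ["kibana_sample_data_logs"], "privileges": ["read"]}]}
TEST_INDEX_ROLE = {"indices": [{"names": ["test*"], "privileges": [
    "create_index", "delete_index", "index", "delete", "read", "manage"]}]}

if __name__ == "__main__":
    # Table 1 verification: GET .../_search succeeds, POST .../_doc/1 is rejected
    print(is_allowed(READ_ONLY_ROLE, "kibana_sample_data_logs", "search"))  # True
    print(is_allowed(READ_ONLY_ROLE, "kibana_sample_data_logs", "index"))   # False
    # Table 4: test* indexes are fully manageable, other indexes stay out of reach
    print(sorted(effective_ops(TEST_INDEX_ROLE, "kibana_sample_data_logs")))  # []
```

Calling effective_ops for each index a user touches is a quick way to review whether a custom role grants more than the scenario needs before assigning it.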