If you want to configure access permissions on items such as clusters, indexes, and fields, you can use the role-based access control (RBAC) mechanism that is provided by the X-Pack plug-in of Elasticsearch. This mechanism allows you to grant permissions to custom roles and assign the roles to users to implement access control. Elasticsearch provides a variety of built-in roles. You can create custom roles based on the built-in roles to meet specific requirements. This topic describes how to create and configure a custom role to implement access control.

Background information

Procedure

  1. Create a role.
    For more information, see Create a role. The following table describes the related parameters.
    Parameter | Description
    Role name | The name of the role.
    Run As privileges | The user who assumes the role. This parameter is optional. If you do not specify this parameter, you can assign the role to a user when you create the user. For more information, see Create a user.
    Cluster privileges | The operation permissions on the cluster, such as the permissions to view the cluster health status and settings and the permission to create snapshots. For more information, see Cluster privileges.
    Index privileges | The operation permissions on indexes. For example, if you want to grant the role the read-only permissions on all fields in all indexes, set the Indices parameter to an asterisk (*) and the Privileges parameter to read. You can set the Indices parameter to an asterisk (*) or a regular expression. For more information, see Indices privileges.
    Kibana privileges | The operation permissions on Kibana.
    Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
    When you create a role, you must grant permissions to the role. In this example, the following permissions are granted:
  2. Create a user and assign the role to the user.
    For more information, see Create a user.
  3. Use the user to log on to the Kibana console and perform operations.
    For more information, see Log on to the Kibana console.

Configure read-only permissions on indexes

  • Scenario

    Grant a common user the read-only permissions on a specific index. In this case, the user can query the index data in the Kibana console but cannot access clusters.

  • Role configuration
    Table 1. Permissions
    Permission type | Permission key | Permission value | Description
    Index privileges | indices | kibana_sample_data_logs | The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices Privileges.
    Index privileges | privileges | read | The read-only permissions on the index. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
    Index privileges | Granted fields (optional) | * | The index fields. The value * indicates all fields.
    Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana.
    Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
  • Verification
    Use the common user to log on to the Kibana console and run an index read command. The system returns results as expected. Then, run an index write command. The system returns an error message. The message indicates that the user is not authorized to perform write operations.
    GET /kibana_sample_data_logs/_search
    POST /kibana_sample_data_logs/_doc/1
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }

Configure operation permissions on dashboards

  • Scenario

    Grant a common user the read-only permissions on a specific index and the permissions to view the dashboards for the index.

  • Role configuration

    When you create a user, assign the read-index and kibana_dashboard_only_user roles to the user.

    • read-index: a custom role. You must manually create a custom role. This role has read-only permissions on the specific index.
    • kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
      Notice
      • In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. If you want to view the dashboards for a specific index, you can configure only the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
      • The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, in the Dashboard section on the page that appears, set the Dashboards only roles parameter to the custom role. The default value of this parameter is kibana_dashboard_only_user.
  • Verification
    Use the common user to log on to the Kibana console and view the dashboards for the specific index.

Configure read and write permissions on indexes and read-only permissions on clusters

  • Scenario

    Grant a common user the read, write, and delete permissions on specific indexes and the read-only permissions on clusters and Kibana.

  • Role configuration
    Table 2. Permissions
    Permission type | Permission key | Permission value | Description
    Cluster privileges | cluster | monitor | The read-only permissions on clusters, such as the permissions to view the running statuses, health statuses, hot threads, node information, and blocked tasks of clusters.
    Index privileges | indices | heartbeat-*,library* | The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges.
    Index privileges | privileges | read | The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
    Index privileges | privileges | create_index | The permission to create indexes. If you specify an alias when you create an index, you must grant the manage permission to the user. Notice The alias must meet the matching rules that are defined by the Indices parameter.
    Index privileges | privileges | view_index_metadata | The read-only permissions on index metadata. The permissions include the permissions to call the following APIs: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm.
    Index privileges | privileges | write | The permission to perform all write operations on documents. The operations include indexing, updates, deletion, bulk operations, and mapping updates. The write permission is broader than the create and index permissions.
    Index privileges | privileges | monitor | The permission to monitor all operations. The operations include the operations that you perform by calling the index recovery, segments info, index stats, or status API.
    Index privileges | privileges | delete | The permission to delete documents.
    Index privileges | privileges | delete_index | The permission to delete indexes.
    Index privileges | granted fields | * | The fields that you want to authorize. The value * indicates all fields.
    Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana.
    Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
  • Verification
    Use the common user to log on to the Kibana console and run the following commands. The system returns results as expected.
    GET /_cat/indices?v
    GET /_cluster/stats
    GET /product_info/_search
    GET /product_info1/_search
    POST /kibana_sample_data_logs/_doc/2
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }
    PUT /product_info2/_doc/1
    {
        "productName": "testpro",
        "annual_rate": "3.22%",
        "describe": "testpro"
    }
    DELETE product_info
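The role definitions from Table 1 and Table 2 above, together with the verification steps that follow them, as an added Python example (not code from this page, from Alibaba Cloud, or from Elasticsearch): a small offline model of how a role's index privileges decide whether a request is allowed, so a role body can be reviewed for least privilege before it is applied with PUT _security/role/<name>. The privilege-to-operation mapping follows this page's descriptions and is simplified by assumption; cluster, Kibana and document-level privileges are left out.

```python
import fnmatch
import re

# Index privilege -> request operations it covers, following the descriptions on this
# page (simplified model by assumption; a real cluster evaluates many more action names).
INDEX_PRIVILEGES = {
    "read": {"count", "explain", "get", "mget", "search", "scroll"},
    "write": {"index", "update", "delete", "bulk", "put_mapping"},
    "delete": {"delete"},
    "create_index": {"create_index"},
    "delete_index": {"delete_index"},
    "view_index_metadata": {"get_mapping", "get_settings", "aliases", "exists"},
    "monitor": {"stats", "segments", "recovery"},
}


def index_matches(pattern: str, index: str) -> bool:
    """Match one 'names' entry: exact name, * wildcard, or /regex/ as the role API accepts.
    fnmatch also treats ? and [] specially; entries are assumed to use only *."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], index) is not None
    return fnmatch.fnmatchcase(index, pattern)


def is_allowed(role: dict, operation: str, index: str) -> bool:
    """True if some 'indices' entry of the role covers both the index and the operation."""
    for entry in role.get("indices", []):
        if not any(index_matches(p, index) for p in entry["names"]):
            continue
        for priv in entry["privileges"]:
            if priv == "all" or operation in INDEX_PRIVILEGES.get(priv, ()):
                return True
    return False


def access_report(role: dict, requests: list) -> dict:
    """Map each (operation, index) pair a user needs to allowed/denied, to spot over- or under-grants."""
    return {f"{op} {idx}": is_allowed(role, op, idx) for op, idx in requests}


# Role bodies in the shape PUT _security/role/<name> accepts, built from Table 1 and Table 2.
READ_INDEX = {"indices": [{"names": ["kibana_sample_data_logs"], "privileges": ["read"],
                           "field_security": {"grant": ["*"]}}]}
READ_WRITE = {"cluster": ["monitor"],
              "indices": [{"names": ["heartbeat-*", "library*"],
                           "privileges": ["read", "create_index", "view_index_metadata",
                                          "write", "monitor", "delete", "delete_index"]}]}

if __name__ == "__main__":
    # Table 1 verification step: search must pass, indexing a document must be denied.
    print(access_report(READ_INDEX, [("search", "kibana_sample_data_logs"),
                                     ("index", "kibana_sample_data_logs")]))
    # Check whether the indexes used in a verification run are actually covered by the patterns.
    print(access_report(READ_WRITE, [("search", "product_info"), ("delete_index", "library_books")]))
```

The second report shows that an index such as product_info is not matched by heartbeat-*,library*, so check that the verification commands you run target indexes the role's Indices patterns actually cover.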