If you want to configure the access permissions on items such as clusters, indexes, and fields, you can use the role-based access control (RBAC) mechanism provided by Elasticsearch X-Pack. This mechanism allows you to grant permissions to custom roles and assign the roles to users for access control. Elasticsearch provides a variety of built-in roles. You can create custom roles based on the built-in roles to meet specific requirements. This topic describes how to create and configure a custom role to implement access control.

Procedure

  1. Create a role.
    For more information, see Create a role. The following list describes the related parameters.
    • Role name: The name of the role.
    • Run As privileges: The user who assumes the role. This parameter is optional. If you do not specify this parameter, you can assign the role to a user when you create the user. For more information, see Create a user.
    • Cluster privileges: The operation permissions on the cluster, such as the permission to view the cluster health status and settings and the permission to create snapshots. For more information, see Cluster privileges.
    • Index privileges: The operation permissions on indexes. For example, to grant the role read-only access to all fields in all indexes, set the Indices parameter to an asterisk (*) and the Privileges parameter to read. The Indices parameter accepts an asterisk or a regular expression. For more information, see Indices privileges.
    • Kibana privileges: The operation permissions on Kibana.
      Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support both base privileges and feature privileges. After you assign a base privilege to a role, the role automatically obtains the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
    When you create a role, you must grant permissions to the role. In this example, the following permissions are granted:
  2. Create a user and assign the role to the user.
    For more information, see Create a user.
  3. Use the user to log on to the Kibana console and perform authorized operations.
    For more information, see Log on to the Kibana console.

Configure read-only permissions on indexes

  • Scenario

    Grant a common user the read-only permissions on a specific index. The user can query the index data in the Kibana console but cannot access clusters.

  • Role configuration
    Table 1. Permissions
    • Index privileges
      • indices = kibana_sample_data_logs: The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices Privileges.
      • privileges = read: The read-only permissions on the index. These permissions cover the count, explain, get, mget, scripts, search, and scroll API operations. For more information, see privileges-list-indices.
      • fields = *: The index fields. The value * indicates all fields.
    • Kibana privileges
      • privileges = read: The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none, which indicates that no spaces are authorized to access Kibana.
      Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support both base privileges and feature privileges. After you assign a base privilege to a role, the role automatically obtains the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
  • Verification
    Log on to the Kibana console by using the common user and run an index read command. The system returns results as expected. Then, run an index write command. The system returns an error message indicating that the user is not authorized to perform write operations.

Configure operation permissions on dashboards

  • Scenario

    Grant a common user the read-only permissions on a specific index and the permissions to view the dashboards for the index.

  • Role configuration

    When you create a user, assign the read-index and kibana_dashboard_only_user roles to the user.

    • read-index: a custom role. You must manually create the role. This role has the read-only permissions on the specific index.
    • kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
      Notice
      • In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. To view the dashboards for a specific index, you need only configure the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
      • The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, find the Dashboard section on the page that appears and specify the custom role for the Dashboards only roles parameter. The default value of this parameter is kibana_dashboard_only_user.
  • Verification
    Log on to the Kibana console by using the common user and view the dashboards for the specific index.

Configure read and write permissions on indexes and read-only permissions on clusters

  • Scenario

    Grant a common user the read, write, and delete permissions on specific indexes and the read-only permissions on clusters and Kibana.

  • Role configuration
    Table 2. Permissions
    • Cluster privileges
      • cluster = monitor: The read-only permissions on clusters, such as the permissions to view the statuses, health statuses, hot threads, node information, and blocked tasks of clusters.
    • Index privileges
      • indices = heartbeat-*,library*: The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges.
      • privileges = read: The read-only permissions on the indexes. These permissions cover the count, explain, get, mget, scripts, search, and scroll API operations. For more information, see privileges-list-indices.
      • privileges = create_index: The permission to create indexes. If you specify an alias when you create an index, you must also grant the manage permission.
        Notice The alias must match the patterns that are specified for indices.
      • privileges = view_index_metadata: The read-only permissions on index metadata. These permissions cover the following API operations: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm.
      • privileges = write: The permission to perform all write operations on documents, including indexing, updates, deletion, bulk operations, and mapping updates. The write permission is broader than the create and index permissions.
      • privileges = monitor: The permission to perform all monitoring operations on the indexes, such as calling the index recovery, segments info, index stats, or status API operations.
      • privileges = delete: The permission to delete documents.
      • privileges = delete_index: The permission to delete indexes.
      • granted fields = *: The fields that you want to authorize. The value * indicates all fields.
    • Kibana privileges
      • privileges = read: The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none, which indicates that no spaces are authorized to access Kibana.
      Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support both base privileges and feature privileges. After you assign a base privilege to a role, the role automatically obtains the access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has the access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
  • Verification
    Log on to the Kibana console by using the common user and run the commands shown in the following figure. The system returns results as expected.
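As an added example that is not part of this topic, the following Python script builds the role bodies for Table 1 (read-index) and Table 2 (read/write plus cluster monitor) in the shape the Elasticsearch role API accepts, and then checks which operations each role permits. The action sets and the evaluator are a simplified model of the privileges listed on this page, assumed here for illustration, and not Elasticsearch's own authorization engine.

```python
import fnmatch
import json

# Assumed, simplified model built from the privilege descriptions on this
# page (not Elasticsearch's own code): the API operations each index
# privilege covers.
INDEX_PRIVILEGE_ACTIONS = {
    "read": {"count", "explain", "get", "mget", "scripts", "search", "scroll"},
    "write": {"index", "update", "delete", "bulk", "update_mapping"},
    "delete": {"delete"},
    "create_index": {"create_index"},
    "delete_index": {"delete_index"},
    "view_index_metadata": {"get_index", "mappings", "settings", "aliases"},
    "monitor": {"index_stats", "segments", "recovery"},
}


def build_role(indices, index_privileges, cluster_privileges=(), fields=("*",)):
    """Return a role body in the shape PUT _security/role/<name> accepts."""
    return {
        "cluster": list(cluster_privileges),
        "indices": [{
            "names": [n.strip() for n in indices.split(",")],
            "privileges": list(index_privileges),
            "field_security": {"grant": list(fields)},
        }],
    }


def index_action_allowed(role, index_name, action):
    """True if an index entry matches index_name (wildcards) and grants action."""
    for entry in role["indices"]:
        if not any(fnmatch.fnmatchcase(index_name, p) for p in entry["names"]):
            continue
        if any(action in INDEX_PRIVILEGE_ACTIONS.get(p, set())
               for p in entry["privileges"]):
            return True
    return False


def cluster_action_allowed(role, privilege):
    return privilege in role["cluster"]


# Table 1: read-only on one index. Table 2: read/write on two index patterns
# plus read-only cluster monitoring.
READ_INDEX = build_role("kibana_sample_data_logs", ["read"])
RW_ROLE = build_role("heartbeat-*,library*",
                     ["read", "create_index", "view_index_metadata", "write",
                      "monitor", "delete", "delete_index"],
                     cluster_privileges=["monitor"])

if __name__ == "__main__":
    print(json.dumps(READ_INDEX, indent=2))
    print("read-index can search:",
          index_action_allowed(READ_INDEX, "kibana_sample_data_logs", "search"))
    print("read-index can index:",
          index_action_allowed(READ_INDEX, "kibana_sample_data_logs", "index"))
```

The second check mirrors the verification step of the read-only scenario: a write against the index is refused because no granted privilege covers it.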