If you want to grant access permissions on items such as clusters, indexes, and fields, you can use the role-based access control (RBAC) mechanism that is provided by the X-Pack plug-in of Elasticsearch. This mechanism allows you to grant permissions to custom roles and assign the roles to users to implement access control. Elasticsearch provides a variety of built-in roles. You can create custom roles based on the built-in roles to meet your business requirements. This topic describes how to create and configure a custom role to implement access control.
Background information
- Elasticsearch supports the RBAC mechanism that is provided by the X-Pack plug-in. For more information, see User authorization.
- Elasticsearch supports various security authentication features. For more information, see Identity authentication and authorization in Elasticsearch.
Procedure
- Create a role.
- Create a user and assign the role to the user.
- Use the user to log on to the Kibana console and perform operations to check whether the user has the related permissions.
Configure read-only permissions on indexes
- Scenario
Grant the read-only permissions on a specific index to a common user. In this case, the user can query data from the index in the Kibana console but cannot access clusters.
- Role configuration
Table 1. Permissions

| Permission type | Permission key | Permission value | Description |
| --- | --- | --- | --- |
| Index privileges | indices | kibana_sample_data_logs | The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices Privileges. |
| Index privileges | privileges | read | The read-only permissions on the index. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices. |
| Index privileges | Granted fields (optional) | * | The fields in the index. The value * indicates all fields. |
| Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. |

Notice
Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
- Verification
Use the common user to log on to the Kibana console and run an index read command. The system returns results as expected. Then, run an index write command. The system returns an error message. The message indicates that the user is not authorized to perform write operations.
GET /kibana_sample_data_logs/_search

POST /kibana_sample_data_logs/_doc/1
{
  "productName": "testpro",
  "annual_rate": "3.22%",
  "describe": "testpro"
}
Configure operation permissions on dashboards
- Scenario
Grant the read-only permissions on a specific index and the permissions to view the dashboards for the index to a common user.
- Role configuration
When you create a user, assign the read-index and kibana_dashboard_only_user roles to the user.
- read-index: a custom role. You must manually create a custom role. This role has read-only permissions on the specific index.
- kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
Notice
- In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. If you want to view the dashboards for a specific index, you need only to configure the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
- The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, in the Dashboard section on the page that appears, set the Dashboards only roles parameter to the custom role. The default value of this parameter is kibana_dashboard_only_user.
- Verification
Use the common user to log on to the Kibana console and view the dashboards for the specific index.
Configure read and write permissions on indexes and read-only permissions on clusters
- Scenario
Grant the read, write, and delete permissions on specific indexes and the read-only permissions on clusters and Kibana to a common user.
- Role configuration
Table 2. Permissions

| Permission type | Permission key | Permission value | Description |
| --- | --- | --- | --- |
| Cluster privileges | cluster | monitor | The read-only permissions on clusters, such as the permissions to view the running statuses, health statuses, hot threads, node information, and blocked tasks of clusters. |
| Index privileges | indices | heartbeat-*,library* | The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges. |
| Index privileges | privileges | read | The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices. |
| Index privileges | privileges | create_index | The permission to create indexes. If you specify an alias when you create an index, you must grant the manage permission to the user. Notice: The alias must meet the matching rules that are defined by the Indices parameter. |
| Index privileges | privileges | view_index_metadata | The read-only permissions on index metadata. The permissions include the permissions to call the following APIs: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm. |
| Index privileges | privileges | write | The permission to perform all write operations on documents. The operations include the operations that are performed by calling the index, update, delete, or bulk API and mapping updates. The write permission involves more operation permissions than the create and index permissions. |
| Index privileges | privileges | monitor | The permission to monitor all operations. The operations include the operations that are performed by calling the index recovery, segments info, index stats, or status API. |
| Index privileges | privileges | delete | The permission to delete documents. |
| Index privileges | privileges | delete_index | The permission to delete indexes. |
| Index privileges | Granted fields | * | The fields on which you want to grant permissions. The value * indicates all fields. |
| Kibana privileges | privileges | read | The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. |

Notice
Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.
- Verification
Use the common user to log on to the Kibana console and run the following commands. The system returns results as expected.
- View the details about indexes in a cluster
GET /_cat/indices?v
- View the status of a cluster
GET /_cluster/stats
- Query data in the product_info index
GET /product_info/_search
- Query data in the product_info1 index
GET /product_info1/_search
- Use a POST request to write data to the kibana_sample_data_logs index
POST /kibana_sample_data_logs/_doc/2
{
  "productName": "testpro",
  "annual_rate": "3.22%",
  "describe": "testpro"
}
- Use a PUT request to write data to the product_info2 index
PUT /product_info2/_doc/1
{
  "productName": "testpro",
  "annual_rate": "3.22%",
  "describe": "testpro"
}
- Delete the product_info index
DELETE /product_info
- View the details about indexes in a cluster
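The two role definitions from Table 1 and Table 2, written as the request bodies that the Elasticsearch security API accepts for PUT /_security/role/<name>, together with an offline check that mirrors how an index privilege is mapped to the APIs it grants. This is an added example, not code from the original page; the privilege-to-API mapping is a simplification taken from the page's own descriptions, and the Kibana application name "kibana-.kibana" is the one Kibana 7.x registers for base privileges.

```python
from fnmatch import fnmatch

# Index privilege -> API actions it covers (simplified from the page's descriptions).
PRIVILEGE_ACTIONS = {
    "read": {"count", "explain", "get", "mget", "scripts", "search", "scroll"},
    "write": {"index", "update", "delete", "bulk"},
    "delete": {"delete"},
    "create_index": {"create_index"},
    "delete_index": {"delete_index"},
    "view_index_metadata": {"aliases", "get_index", "mappings", "settings"},
    "monitor": {"stats", "segments", "recovery"},
}

def kibana_app(privileges):
    # Base Kibana privilege: resources ["*"] means it applies to all spaces.
    return {"application": "kibana-.kibana", "privileges": privileges, "resources": ["*"]}

# Scenario "read-only permissions on indexes" (Table 1): body for PUT /_security/role/read-index
READ_INDEX_ROLE = {
    "cluster": [],
    "indices": [{"names": ["kibana_sample_data_logs"], "privileges": ["read"],
                 "field_security": {"grant": ["*"]}}],
    "applications": [kibana_app(["read"])],
}

# Scenario "read and write on indexes, read-only on clusters" (Table 2)
RW_INDEX_RO_CLUSTER_ROLE = {
    "cluster": ["monitor"],
    "indices": [{"names": ["heartbeat-*", "library*"],
                 "privileges": ["read", "create_index", "view_index_metadata",
                                "write", "monitor", "delete", "delete_index"],
                 "field_security": {"grant": ["*"]}}],
    "applications": [kibana_app(["read"])],
}

def index_action_allowed(role, index, action):
    """True if an indices entry of the role matches `index` and grants `action`."""
    for entry in role["indices"]:
        if any(fnmatch(index, pattern) for pattern in entry["names"]):
            if any(action in PRIVILEGE_ACTIONS[p] for p in entry["privileges"]):
                return True
    return False

def cluster_action_allowed(role, privilege):
    """True if the role carries the named cluster privilege (e.g. monitor)."""
    return privilege in role["cluster"]
```

Running the checks reproduces the verification steps: the read-index role allows search on kibana_sample_data_logs but rejects an index (write) call, and the second role allows writes only on indexes that match heartbeat-* or library*.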