Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control - Best Practices| Alibaba Cloud Documentation Center

Background information

Elasticsearch supports the RBAC mechanism that is provided by the X-Pack plug-in. For more information, see User authorization.
Elasticsearch supports various security authentication features. For more information, see Identity authentication and authorization in Elasticsearch.

Procedure

Note An Elasticsearch V6.7.0 cluster is used in this topic. Operations on clusters of other versions may differ. The actual operations in the console prevail.

Create a role.

Log on to the Kibana console of your Elasticsearch cluster.
For more information, see Log on to the Kibana console.
In the left-side navigation pane, click Management.
In the Security section, click Roles.

In the Roles section, click Create role.


Parameter	Description
Role name	The name of the role.
Cluster privileges	The operation permissions on the cluster, such as the permissions to view the health status and settings of the cluster and the permission to create snapshots. For more information, see Cluster privileges.
Run As privileges	The user who assumes the role. This parameter is optional. If you do not configure this parameter, you can assign the role to a user when you create the user. For more information, see Create a user.
Index privileges	The operation permissions on indexes. For example, if you want to grant the role the read-only permissions on all fields in all indexes, set the Indices parameter to an asterisk () and the Privileges parameter to read. You can set the Indices parameter to an asterisk or regular expression. For more information, see Indices privileges. When you configure the Index privileges parameter, you need to configure the following parameters: Indices: the index pattern, such as heartbeat-. Note If no index patterns are available, click Index Pattern in the Kibana section of the Management page and create an index pattern as prompted. Privileges: the permissions that you want to grant to the role. Granted fields (optional): The fields on which you want to grant permissions. This parameter is optional.
Kibana privileges	The operation permissions on Kibana. Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.

When you create a role, you must grant permissions to the role. In this example, the following permissions are granted:

Read-only permissions on a specific index
For more information, see Configure read-only permissions on indexes.
Permissions to view all or some dashboards
For more information, see Configure operation permissions on dashboards.
Read and write permissions on some indexes and read-only permissions on all clusters, such as the permissions to view the health statuses, snapshots, and settings of clusters, write data to indexes, or update index mappings
For more information, see Configure read and write permissions on indexes and read-only permissions on clusters.

Click Create role.

Create a user and assign the role to the user.

In the left-side navigation pane of the Kibana console, click Management.
In the Security section, click Users.

In the upper-right corner of the Users section, click Create new user.


Parameter	Description
Username	The username, which is used to log on to the Kibana console. You can customize a username.
Password	The password of the user, which is used to log on to the Kibana console. You can customize a password.
Confirm password	The value must be the same as that of the Password parameter.
Full name	The full name of the user, which can be customized.
Email address	The email address of the user.
Roles	The role that is assigned to the user. You can specify one or more roles. The roles can be built-in or custom roles. Notice If you specify a user when you create a role, you still need to configure this parameter. Otherwise, an error is reported when you use the user to log on to the Kibana console.

Click Create user.

Use the user to log on to the Kibana console and perform operations to check whether the user has the related permissions.

Configure read-only permissions on indexes

Scenario
Grant the read-only permissions on a specific index to a common user. In this case, the user can query data from the index in the Kibana console but cannot access clusters.

Role configuration Read-only permissions on a specific index

Table 1. Permissions
Permission type	Permission key	Permission value	Description
Index privileges	indices	kibana_sample_data_logs	The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices Privileges.
	privileges	read	The read-only permissions on the index. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
	Granted fields (optional)	*	The fields in the index. The value * indicates all fields.
Kibana privileges	privileges	read	The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.

Verification
Use the common user to log on to the Kibana console and run an index read command. The system returns results as expected. Then, run an index write command. The system returns an error message. The message indicates that the user is not authorized to perform write operations.
```
GET /kibana_sample_data_logs/_search
```
```
POST /kibana_sample_data_logs/_doc/1
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}
```

Configure operation permissions on dashboards

Scenario
Grant the read-only permissions on a specific index and the permissions to view the dashboards for the index to a common user.
Role configuration
When you create a user, assign the read-index and kibana_dashboard_only_user roles to the user.
- read-index: a custom role. You must manually create a custom role. This role has read-only permissions on the specific index.
- kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
  Notice
  - In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. If you want to view the dashboards for a specific index, you need only to configure the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
  - The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, in the Dashboard section on the page that appears, set the Dashboards only roles parameter to the custom role. The default value of this parameter is kibana_dashboard_only_user.
Verification
Use the common user to log on to the Kibana console and view the dashboards for the specific index.

Configure read and write permissions on indexes and read-only permissions on clusters

Scenario
Grant the read, write, and delete permissions on specific indexes and the read-only permissions on clusters and Kibana to a common user.

Role configuration Read and write permissions on indexes and read-only permissions on clusters

Table 2. Permissions
Permission type	Permission key	Permission value	Description
Cluster privileges	cluster	monitor	The read-only permissions on clusters, such as the permissions to view the running statuses, health statuses, hot threads, node information, and blocked tasks of clusters.
Index privileges	indices	heartbeat-,library	The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges.
	privileges	read	The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
		create_index	The permission to create indexes. If you specify an alias when you create an index, you must grant the manage permission to the user. Notice The alias must meet the matching rules that are defined by the Indices parameter.
		view_index_metadata	The read-only permissions on index metadata. The permissions include the permissions to call the following APIs: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm.
		write	The permission to perform all write operations on documents. The operations include the operations that are performed by calling the index, update, delete, or bulk API and mapping updates. The write permission involves more operation permissions than the create and index permissions.
		monitor	The permission to monitor all operations. The operations include the operations that are performed by calling the index recovery, segments info, index stats, or status API.
		delete	The permission to delete documents.
		delete_index	The permission to delete indexes.
	granted fields	*	The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges	privileges	read	The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. Notice Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. To assign a feature privilege, you must specify a Kibana space.

Verification
Use the common user to log on to the Kibana console and run the following commands. The system returns results as expected.
- View the details about indexes in a cluster
```
GET /_cat/indices?v
```
- View the status of a cluster
```
GET /_cluster/stats
```
- Query data in the product_info index
```
GET /product_info/_search
```
- Query data in the product_info1 index
```
GET /product_info1/_search
```
- Use a POST request to write data to the kibana_sample_data_logs index
```
POST /kibana_sample_data_logs/_doc/2
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}
```
- Use a PUT request to write data to the product_info2 index
```
PUT /product_info2/_doc/1
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}
```
- Delete the product_info index
```
DELETE product_info
```