Kibana Read Only Dashboards

[anabella....@gmail.com]

Hi, I'm running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

1. Is it posiible to define read only dashboards in kibana?

2. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

 

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version

* Installed and used enterprise modules, if any

* JVM version and operating system version

* Search Guard configuration files

* Elasticsearch log messages on debug level

* Other installed Elasticsearch or Kibana plugins, if any

[Jochen Kressin]

Hi,

it is possible to define read-only dashboards, but this is implemented via the multi-tenancy feature as you indicsted. With multi-tenancy, you can define multiple tenants per role, and then assign read/write or read-only permissions to these tenants. 

Without multi-tenancy (Kibana default behavior), all saved objects end up in the same index without the possibility to separate them on a per-role basis or to assign permissions.

[anabella....@gmail.com]

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

1. Define a custom index

2. Define a tenant

3. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant

4. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i'm not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

[anabella....@gmail.com]

In order to create the tenant:

I go to roles, and add a tenant to that role. Once I'm loging with a user in this role I'm not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

[anabella....@gmail.com]

Hi, 

This is what I mean: 

1. Define the role with the asociated Tenants

GET /_searchguard/api/roles/sg_read_only

{"sg_read_only":{"cluster":["READ","SEARCH"],"tenants":{"T1":"RW","T2":"RO"},"indices":{"logstash-*":{"doc":["READ","SEARCH"]}}}}

2. Define a user with that role

GET /_searchguard/api/internalusers/kibanaro

{"kibanaro":{"password":"","roles":["sg_read_only"],"hash":"xxxxx"}} 

And no tenants other than global and private are visible (see attachment)

What I'm doing wrong?

Thank you

Regards

[Jochen Kressin]

This may be a stupid question, but have you updated the config via sgadmin after making the changes? If yes, can you post your role definition including the tenant here?

[anabella....@gmail.com]

Hi, I realize that  the role mapping was missing.

Thank you

Regards

Ana

[Jochen Kressin]

Yes, that's what I wanted to post as well ;) You can always use the /_searchguard/authinfo endpoint for checking the mapped roles of the currently logged in user. Quite useful when debugging. Let me know if you have more questions regarding your PoC.

[anabella....@gmail.com]

Thank you Jochen,

I was able to complete the initial scenario of the POC.

Regards

Ana

[tuse...@gmail.com]

Hi,

I am newer for SG. I want to confirm:

  1. whether multy tennancy is only for commercialize.

  2. whether below config also can  define read only dashboards

    

searchguard.readonly_mode.roles: ["sg_read_only_1", "sg_read_only_2", ...]

在 2018年8月21日星期二 UTC+8上午9:25:35，Jochen Kressin写道：

[Jochen Kressin]

Hi,

1. yes, this is a commercial feature

2. only partly. You can use the dashboard only feature to limit Kibana accessibility to dashboards (only) by setting the readonly_mode.roles as you described. However, this feature is implemented on Kibana only, so users would still be able to access the .kibana index by directly querying Elasticsearch.