BUG Opendistro(1.8) kibana_read_only role not working in elastic 7.7

Hi,

BUG Opendistro(1.8) kibana_read_only role not working in elastic 7.7???

When I am using the role kibana_read_only, the tenant tab is invisible, in addition to the absence of research data, dashboard and index …

Attachment:


Thanks.


I have never faced this issue in previous releases, e.g. kibana:7.6.1

I tried with opendistro 1.8.0 and 1.9.0 but still doesn’t work (at least not how it worked in 0.9.0). Did anyone find a fix for this? Thanks!

The same in version 1.9.0.

Any news on this?

Thanks!

In ODFE 1.7.0, I got this working doing the following:

  • I assigned my user the backend role of “KibanaReadOnlyUsers” (which does not exist)
  • I then played with the role mappings:
  • Created role-mapping between “KibanaReadOnlyUsers” and “kibana_read_only”
    • I see what you show in the screenshot; able to log into Kibana but only the DASHBOARD icon is displayed in the left-hand menu and no dashboards are listed in the right-hand panel.
  • Added role-mapping between “KibanaReadOnlyUsers” and “kibana_user”
    • After logging in, Dashboard icon is the only one listed in the left hand menu (as-above), but my dashboards are listed in the right-hand panel. When I select a dashboard, it comes up but with no data displayed and errors are displayed complaining about a security exception.
  • Created a new role “cluster_and_index_access” with the following:
    • Cluster Permissions: cluster_composite_ops_ro
    • Index Permissions:
      • Index pattern: “myIndex-*”
      • Permissions: Action Groups: “search”
  • Added a role-mapping between the new role “cluster_and_index_access” and the backend role “KibanaReadOnlyUsers”
    • When I log in now, I see my dashboards and when I bring up my dashboard, I see my data. Success!

It may be possible to combine some of those steps and/or directly assign some of the roles to the user.
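
The role and the three role mappings from the steps above, written in the security plugin's file format instead of the Kibana UI. This is an added example, not part of the original post; the `_meta` headers, the `reserved` flag and the `backend_roles` key are assumptions about the plugin's `roles.yml` / `roles_mapping.yml` layout for ODFE 1.x, while all role, backend-role and pattern names are the ones used in the post.

```yaml
# --- roles.yml (added example) ---------------------------------------
# Only the custom role is defined here. kibana_read_only and
# kibana_user are roles that already exist in the plugin, so they
# only need mappings (second document below).
_meta:
  type: "roles"
  config_version: 2

cluster_and_index_access:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"      # read-only composite cluster ops
  index_permissions:
    - index_patterns:
        - "myIndex-*"                 # pattern exactly as given in the post
      allowed_actions:
        - "search"                    # action group named in the post
---
# --- roles_mapping.yml (added example) -------------------------------
# One backend role, "KibanaReadOnlyUsers", is mapped to all three
# roles. The user receives the union of their permissions, so each
# extra mapping widens what the "read-only" user may do.
_meta:
  type: "rolesmapping"
  config_version: 2

kibana_read_only:
  reserved: false
  backend_roles:
    - "KibanaReadOnlyUsers"

# This mapping is what made the dashboards list appear in the post.
# A later reply in this thread reports that users set up this way
# can still resize, save-as and clone dashboards.
kibana_user:
  reserved: false
  backend_roles:
    - "KibanaReadOnlyUsers"

cluster_and_index_access:
  reserved: false
  backend_roles:
    - "KibanaReadOnlyUsers"
```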

Hi @turinng Did you get the read_only role working using the above method?

Hi Anthony,
I tried the steps provided by GSmith and I was able to get a guest login which only sees dashboards. Although guest cannot create a new visualization, they can make changes to the existing dashboards by resizing the charts on the dashboard/saving the dashboard under a new name/cloning …

How do we restrict this behavior?

@VK1 Which version of ODFE are you using? I tested with 1.13.2 and was able to restrict this by mapping the user to “kibana_read_only” and to a role that has the below configuration:

test:
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - 'read'
  tenant_permissions:
    - tenant_patterns:
      - '*'
      allowed_actions:
        - 'kibana_all_read'

Hope this helps