I have log messages flowing in from a Kubernetes cluster being directed to different Elasticsearch indexes based on namespace. So, messages from the namepace “buzz” are written to indexes with names of the pattern kubernetes_cluster-buzz-2020-07-12 and those from the namespace “gus” are written to indexes fitting the pattern kubernetes_cluster-gus-2020-07-12. I have created various dashboards that work for log messages from either (or both) namespaces. I defined them based on an index pattern of kubernetes_cluster-*. The dashboards show messages from both namespaces and properly subset the data if I apply a filter for namespace.
Now, I want to create users and limit their access to the messages from their respective namespaces. I thought I could do that by creating a role for each namespace, gus_role and buzz_role, and associating an index pattern to each that only grants them access to a single namespace. So, I defined the gus_role with an index pattern of kubernetes_cluster-gus- * and the buzz_role with an index pattern of kubernetes_cluster-buzz-*. In both cases, I granted “read” and “search” permissions in addition to adding the index pattern.
My expectation is/was that when a user assigned either role brought up the dashboards I created, they would only see the log messages from their namespace. My thinking was that since the role’s index pattern is a more narrow instance (a subset) of the index pattern used when creating the dashboard, Elasticsearch security would, in effect, subset the data before populating the dashboard for the user.
Unfortunately, that isn’t happening. When users assigned to either of those roles attempt to access the dashboard, error message appear indicating they don’t have the right permission (full message shown below).
Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=buzz, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:data/read/search] and User [name=buzz, backend_roles=[], requestedTenant=null]"},"status":403}
Am I mistaken about how this should work? Is there a way to define the dashboards (and other visualizations) with a “broader” pattern and have the Elasticsearch data security model handle the “subsetting”? I could duplicate the dashboards for every namespace but that seems wasteful.
Thanks!