How to restrict kibanauser role for index pattern deletion

shubhamblackstratus · September 10, 2020, 6:30am

Hi Team,

I am using latest version of opendistro elasticsearch. I have also setup a cluster successfully.

I have created custom roles for every indices access; which applied to individual users whom are required to access them. Find testing configs.

role.yml
read_index1:
index_permissions:

index_patterns:
- “index1”
  allowed_actions:
- “READ”
- “SEARCH”
- “GET”
- “SUGGEST”

roles_mapping YML:
read_index1:
reserved: true
backend_roles:

“read_index1”

kibana_user:
reserved: true
backend_roles:

“kibanauser”

Internal Users YML:
user1:
description: user1
hash: ****** hash******
backend_roles:

“kibanauser”
“read_index1”

Everything has been working fine but problem is that user1 can delete other index patterns also.

Let me know if I can restrict him.

Shubham

stmx38 · September 10, 2020, 8:21am

Hello @shubhamblackstratus,

You use kibana_user role to provides user access to the Kibana. Every index pattern probably is stored in the index like .kibana_-xxxxx where user, accordingly to the kibana_user have delete permissions:

Is there a way to use a different custom role for this with the required permissions or use a custom tenant with the defined index patterns where user will have only read-only permissions?

shubhamblackstratus · September 28, 2020, 4:55am

Is there a way to use a different custom role for this with the required permissions or use a custom tenant with the defined index patterns where user will have only read-only permissions?

I am seeking help here for this issue. ReadALL role can also help here but it will allow all index pattern access. This could be major problem as we are not allowed to use kibana permissions even though one of its role already used this.

stmx38 · October 4, 2020, 5:43am

@shubhamblackstratus, you can create a custom tenant and provide RO access to the user for it. In such a case user probably will not be able to delete any objects created in the specified tenant.

shubhamblackstratus · October 7, 2020, 6:10am

Hi,

Thanks for your help. I will require any user can create any visualisations and so dashboards but can not delete any index pattern and can not make any changes in advanced settings.

Can we create any role for this? I have not found any kibana permissions so asked here.

shubhamblackstratus · October 22, 2020, 6:39am

Hi All,

Do we have any feature in tenant, by using it I can restrict certain kibana features such as discover, alerting etc. and allowing anomaly etc.

boris.toninski · January 7, 2021, 1:16pm

Hi @shubhamblackstratus did you find a solution for this scenario, I need to restrict the access to the advanced setting.

shubhamblackstratus · January 15, 2021, 9:08am

Nop, Even I am also struggling with geoip field as maps does not get reflected with geohash even though geoip location field is present with correct format.