Kibanauser role

Hello everyone,

It is a pleasure to be here with you. I am new using Open Distro (1.2) and have some doubts that I can’t solve by myself.

My intention is to make the user in charge of the Kibana service (by default this user is kibanaserver) has more privileges than kibanaserver has.

To do this create a role similar to kibanaserver with the new permissions added and also give it the role of kibanauser.

This is where doubts arise because the role of kibanauser is declared as kibana_user.

Image 1. kibana_user role

curl -XGET "https://localhost:9200/_opendistro/_security/api/roles?pretty" -u admin:admin --insecure -k | sort | grep -i kibana
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 14868  100 14868    0     0  52734      0 --:--:-- --:--:-- --:--:-- 52911
    "description" : "Provide the minimum permissions for a kibana user",
    "description" : "Provide the minimum permissions for the Kibana server",
          ".kibana_*"
          ".kibana_*"
          ".kibana_*"
          ".kibana_*"
          ".kibana"
          ".kibana"
          ".kibana"
          ".kibana",
          ".kibana-6"
          ".kibana-6"
          ".kibana-6"
          ".kibana-6",
          "kibana_all_write"
  "kibana_read_only" : {
  "kibana_server" : {
  "kibana_user" : {

Adding the role to my user as follows:

Image 2. Inoperative user

It causes the following error when starting Kibana:

{"type":"log","@timestamp":"2019-10-16T10:52:16Z","tags":["fatal","root"],"pid":3676,"message":"{ [security_exception] no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null] :: {\"path\":\"/.kibana\",\"query\":{},\"statusCode\":403,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\\\"},\\\"status\\\":403}\"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:315:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:274:7)\n at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)\n status: 403,\n displayName: 'AuthorizationException',\n message:\n '[security_exception] no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]',\n path: '/.kibana',\n query: {},\n body:\n { error:\n { root_cause: [Array],\n type: 'security_exception',\n reason:\n 'no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]' },\n status: 403 },\n statusCode: 403,\n response:\n '{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\"}],\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:admin/get] and User [name=sito_test_kibana, roles=[test_kibana, kibana_user], requestedTenant=null]\"},\"status\":403}',\n toString: [Function],\n toJSON: [Function] }"}

On the other hand, if I add the role as follows:

Image 3. Effective user

Kibana works perfectly.

So the question is, why should I add the role as kibanauser instead of kibana_user? How do I know what kibanauser has?

As I am new I can only put one image, forgive me for having to do this fusion of images, but I think it helps to explain me better.

Thank you very much in advance,

Alfonso.