Lock out users from Kibana Management?

I’m looking for a set of permissions that’s looser than using opendistro_security.readonly_mode.roles, but will prevent users from changing things under Stack Management. I haven’t figured out a way to keep people from changing the global settings like the Index Patterns or the timezone for date formatting.

Ideally they’d only be able to use Discover, Dashboard, and Visualize under the Kibana app. Using the readonly_mode only allows access to Dashboard, which means users can’t (edit: forgot the 't) see the actual loglines as they are coming in to the system.
I’d settle for something that just allows access to Discover, or a Dashboard that can show all of the fields parsed from a logline.

@reshippie can you please elaborate on the requirement.

“which means users can see the actual loglines as they are coming in to the system.” You want the users to be able to see these via discovery view or not?

Because readonly_mode doesn’t show that, if I understand you correctly?

Correct, readonly_mode only allows access to Dashboards and I haven’t figured out a way to get a dashboard to display the full logline. Data Table sounded like the most likely option, but it only allows me to display metrics about the data, not the data itself.

@reshippie
It sounds like you are just looking for normal user that just has access to read data and kibana objects.

It should be as simple as mapping user to kibana_user role and additional role below:

Unfortunately, when I tested the kibana_user role it allowed a user to add and remove index patterns as well as make changes on the Advanced Settings page.

I tried creating a new role with the same permissions as kibana_user but that managed to block access to the Discover and Dashboard pages as well as the Stack Management page. The error that I was getting from Kibana was:

{“type”:“log”,"@timestamp":“2021-06-28T18:21:03Z”,“tags”:[“error”,“elasticsearch”,“data”],“pid”:15917,“message”:"[security_exception]: no permissions for [indices:data/read/get] and User [name=test, backend_roles=[kibana], requestedTenant=null]"}

‘kibana’ being an LDAP group that I have mapped to the OpenDistro Security roles.
I’m not sure which index it’s complaining about. kibana_user grants permissions to several .kibana indices along with .tasks and .management and the other role I created has read and search on * indices.
I’m using opendistroforelasticsearch-kibana 1.13.2.

@reshippie
You are able to save searches from discovery and add these to dashboard, which can then be accessed by role mapped to kibana_read_only (additional role would need to be mapped giving access to right indices and tenants)

This way user only has access to dashboards, but the loglines are displayed also. Hope this helps