Multi-tenancy for different indices

blason · February 17, 2021, 2:40am

Hi Team,

I am feeling clueless and would really appreciate advice here. I am setting up firewall logs indices into elastic search for different customers.
lets say for customer one us-firewall-cust1-* other is ny-firewall-cust2-* third is uk-firewall-cust3.
I need a complete multi-tenancy here so that cust1 logging in with his creds should not even able to see any logs for ny-firewall-cust2 or access to any of the dashboard.

Neither he should come to know the tenants created in Kibana.

Can someone please guide me any documentation here, pls?

TIA
Blason R

mmamaenko · February 17, 2021, 4:11am

here you go: Kibana Multi-Tenancy - Open Distro for Elasticsearch Documentation

blason · February 17, 2021, 5:05am

Correct - I went through this config however wondering if GUI options are possible instead of fiddling with config.yml

mmamaenko · February 17, 2021, 5:56am

you may do the same using gui:

create tenant
Create internal user (if you are not using external authentication)
Switch to new tenant
Create index pattern us-firewall-cust1-* in new tenant.
Create role, assign index permissions: .kibana* - read, delete, index, manage ( to grant user kibana functions access), us-firewall-cust1-* - search ( to grant user access to own indices for search). You d not need to assign any cluster permissions. Assign tenant permissions to correspondent tenant created in step 1.
Add user to the role in Mapped Users tab
Login as user and switch to new created tenant (by default user is logged in his own private tenant). Go to Discover and see logs from us-firewall-cust1-* indexes

blason · February 18, 2021, 9:55am

Awesome man!! and much much appreciated. Let me try doing that.

Thanks again.

blason · February 19, 2021, 5:16am

Unfortunately this is I am getting. I followed the instructions.
Am i missing anything?

Application Not Found

No application was found at this URL. Try going back or choosing an app from the menu.

mmamaenko · February 19, 2021, 5:49am

at what step did you get this error? what version are you running?

blason · February 21, 2021, 3:45pm

Hi there,

Here are the steps I followed and then I get the error which I described below.
Take example here- My data is coming in dmi-*

I created user dmiuser internal user.
Created dmitenant Tenant

created role

With appropriate Tenant permission

Then mapped user

Pumped test data and see the data is generated in dmi-* index [ This is done with admin user]
I then created dmi-* index with admin user. [Do I need to create index with admin user or dmiuser?]

Now logged in with dmuser and opted for dmitenant

Now here do I need to create index again? because nothing is appearing here.

This is with dmiuser

And then this issue

Am I doing anything wrong? Please advise

TIA
Blason R

mmamaenko · February 21, 2021, 4:07pm

Try to use your admin account, switch to ‘dmitenant’ (as admin) and create index pattern. After that you will see it in dmitenant user. (If you followed my steps than your user only have rights to search your dmi* indexes)

blason · February 21, 2021, 4:32pm

I see so Indices has to be created using admin account by changing to dmitenant?

mmamaenko · February 21, 2021, 4:54pm

permissions I mentioned earlier does not allow to create indices. You may adjust them but I don’t know what permissions needs to be added. Indices, visualization, query, dashboards etc are made per tenant. If you do not want to grant too much permissions to users - do it by yourself as admin

blason · February 21, 2021, 5:15pm

Agree and that has resolved the issue!! Thanks for the help man.