Questions on demo configurations for users, roles and permissions

#1

hi team,

i have serveral questions on the demo configuration:

  1. in the demo configurations, there is a logstash user in the internal_users.yml, there is a logstash role in the roles.yml, and there is backend role logstash to logstash role in the roles_mappings.yml. does OpenDistro for Elasticsearch Security come with logstash or just create those configurations for works with once logstash get installed ? if we use some other way such as graylog sidecar to collect the X beats logs, do we not need those configurations?

  2. in the roles.yml, for role kibana_user has following index permissions been defined:

           kibana_user:
           ...
           indices:
               '*':
                   '*':
                       ...
                       - indices:data/read/xpack/rollup*
                       ...

and for role kibana_server has following cluster permissions been defined:

       kibana_server:
             ...
             cluster:
                    ...
                    - cluster:admin/xpack/monitoring*
                    ...

what do those permissions work for ?

  1. for roles kibana_user and kibana_server in the roles.yml, there are INDEX_ALL permssions especially for indices: ‘?kibana’, ‘?kibana-6’, ‘?kibana_’, and '?management-beats’. do we need both “?kibana” and “?kibana-6” for kibana configuration index ? and again, if we don’t run logstash for beats, can we remove this index permissions from the two kibana related roles?

  2. as we noted that the opendistro_security.roles_mapping_resolution is default to MAPPING_ONLY. but in the roles_mapping.yml, there are roles mapping like:

     all_access:
          readonly: true
          backendroles:
              - admin

      kibana_user:
          backendroles:
              - kibanauser

     manage_snapshots:
         readonly: true
         backendroles:
             - snapshotrestore

but the backend roles admin, kibanauser, snapshotrestore have not been defined in the roles.yml. and similar things happen to internal_users.yml. do those mapping is not used for internal user database as the backend?

  1. as we have noted that in the demo elasticsearch.yml configuration, there is a configuration parameter:
      opendistro_security.allow_default_init_securityindex

but it seems there is another configuration parameter:

     opendistro_security.allow_default_init_opendistrosecurityindex

what are their differences ?

thanks.

charles

#2

this forum is quite silent. anyway, i have found there is always role mapping for internal users and the configuration sample on github is wrongly using opendistro_security.allow_default_init_opendistrosecurityindex which should be opendistro_security.allow_default_init_securityindex.