To access global tenant when multitenancy is enabled

I am using kibana security plugin 1.9.0 and have enabled multitenancy. I have created a user from the Kibana UI; when logging in via this user I am not able to see the global tenant.
Do I need to provide any specific role or any permission to be able to access the global tenant?
Please suggest.

Thanks

Do you mean that it is greyed out when you try to switch tenant?
Could you please share your kibana.yml config file?

I mean when I am logging in via the user created via the UI, I am not even able to see the global tenant in the tenants tab. PFB the screenshot for reference.

Only these two parameters are configured in kibana.yml w.r.t multitenancy.
opendistro_security.multitenancy.enabled: true
elasticsearch.requestHeadersWhitelist: [ "Authorization", "securitytenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
Thanks

@Pratiksha can you try adding a backend role to the user in question and see if that solves your issue? (Remember to run the securityadmin.sh tool if you are changing any config.yml files instead of using the Kibana UI.)
internal_users.yml

testuser1:
  hash: "$2y$12$j..."
  backend_roles:
  - kibanauser

Hi @Anthony
Yes, the global tenant became accessible to the user after adding the kibanauser role. Can you please tell me what tenant permission this “kibanauser” role gives to the global tenant (kibana_all_read or kibana_all_write)? I did not find any global_tenant permission given to this role, as seen below:
kibana_user:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for a kibana user"
  cluster_permissions:
  - "cluster_composite_ops"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".kibana-6"
    - ".kibana_*"
    allowed_actions:
    - "read"
    - "delete"
    - "manage"
    - "index"
  - index_patterns:
    - ".tasks"
    - ".management-beats"
    - "*:.tasks"
    - "*:.management-beats"
    allowed_actions:
    - "indices_all"
This description is taken from security/static_roles.yml at opendistro-1.9 · opendistro-for-elasticsearch/security · GitHub
Thanks

@Pratiksha You are correct, there are no exclusive tenant permissions provided by this role; this can also be viewed in the security tab, under the roles section (option “Show JSON”).

The index permissions, however, give read and write access to the global .kibana indices where kibana objects are stored under the global tenant.

Hope this helps

@Anthony yes, kibana_user provides read and write access to the .kibana index, but to access the global tenant we require permission to global_tenant as well. When I create a custom role giving it permission to the .kibana index, with this role I am not able to access global_tenant. Then how is it working with the kibana_user role, which does not have permission for global_tenant defined?
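
How an explicit grant on the global tenant is written in roles.yml, next to the index-only custom role described in the post above. This is an added example, not part of the original thread or the project's own files; the role names are hypothetical, and the index patterns and actions are copied from the kibana_user definition quoted earlier.

```yaml
# Added example for roles.yml (Open Distro security plugin).
# Role names are hypothetical (assumptions); index patterns and actions
# are copied from the kibana_user role quoted in the thread.

# Custom role as described in the post: index permissions only,
# no tenant_permissions block.
custom_kibana_index_only:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".kibana-6"
    - ".kibana_*"
    allowed_actions:
    - "read"
    - "delete"
    - "manage"
    - "index"

# The same role with an explicit grant on the global tenant.
custom_kibana_global_read:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".kibana-6"
    - ".kibana_*"
    allowed_actions:
    - "read"
    - "delete"
    - "manage"
    - "index"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    # Read-only is the least-privilege choice; use "kibana_all_write"
    # only for users who must modify saved objects in the tenant.
    - "kibana_all_read"
```

As with the internal_users.yml change mentioned earlier in the thread, edits made to the YAML files take effect only after running securityadmin.sh.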

@Pratiksha are you using the OSS version of Elasticsearch? If not, ES spaces might be causing issues. Can you disable it with the line below in kibana.yml?

xpack.spaces.enabled: false

Hi @Anthony, yes, I am using oss version of elasticsearch.