How to restrict kibanauser role for index pattern deletion

Security
1

Hi Team,

I am using latest version of opendistro elasticsearch. I have also setup a cluster successfully.

I have created custom roles for every indices access; which applied to individual users whom are required to access them. Find testing configs.

role.yml
read_index1:
index_permissions:

  • index_patterns:
    • index1
      allowed_actions:
    • “READ”
    • “SEARCH”
    • “GET”
    • “SUGGEST”

roles_mapping YML:
read_index1:
reserved: true
backend_roles:

  • “read_index1”

kibana_user:
reserved: true
backend_roles:

  • “kibanauser”

Internal Users YML:
user1:
description: user1
hash: ****** hash******
backend_roles:

  • “kibanauser”
  • “read_index1”

Everything has been working fine but problem is that user1 can delete other index patterns also.

Let me know if I can restrict him.

Shubham

1 Like
2

Hello @shubhamblackstratus,

You use kibana_user role to provides user access to the Kibana. Every index pattern probably is stored in the index like .kibana_-xxxxx where user, accordingly to the kibana_user have delete permissions:

Screenshot 2020-09-10 at 11.16.37
Screenshot 2020-09-10 at 11.16.371826×1650 203 KB

Is there a way to use a different custom role for this with the required permissions or use a custom tenant with the defined index patterns where user will have only read-only permissions?

3

Is there a way to use a different custom role for this with the required permissions or use a custom tenant with the defined index patterns where user will have only read-only permissions?

I am seeking help here for this issue. ReadALL role can also help here but it will allow all index pattern access. This could be major problem as we are not allowed to use kibana permissions even though one of its role already used this.

4

@shubhamblackstratus, you can create a custom tenant and provide RO access to the user for it. In such a case user probably will not be able to delete any objects created in the specified tenant.

5

Hi,

Thanks for your help. I will require any user can create any visualisations and so dashboards but can not delete any index pattern and can not make any changes in advanced settings.

Can we create any role for this? I have not found any kibana permissions so asked here.

1 Like
6

Hi All,

Do we have any feature in tenant, by using it I can restrict certain kibana features such as discover, alerting etc. and allowing anomaly etc.

7

Hi @shubhamblackstratus did you find a solution for this scenario, I need to restrict the access to the advanced setting.

8

Nop, Even I am also struggling with geoip field as maps does not get reflected with geohash even though geoip location field is present with correct format.

9

any news about this :smiley: