Flights role:
{
  "flights_rw" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "kibana_sample_data_flights*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "flights*"
        ],
        "allowed_actions" : [
          "kibana_all_read",
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}
Logs role:
{
  "logs_rw" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "kibana_sample_data_logs*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "logs*"
        ],
        "allowed_actions" : [
          "kibana_all_read",
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
  }
}
flights_rw role mapping:
{
  "flights_rw" : {
    "hosts" : [ ],
    "users" : [
      "flights*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}
logs_rw role mapping:
{
  "logs_rw" : {
    "hosts" : [ ],
    "users" : [
      "logs*"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}
And then I have users like flights_rw, flights_ro, logs_rw, logs_ro.
Logging in as the flights_rw user, I see the Dashboard of the flights index, and on Discover I can see the documents of flights and only them. That works fine.
Then, still as flights_rw, I go to DevTool and issue GET _cat/indices, getting this:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:monitor/settings/get] and User [name=flights_rw, backend_roles=[], requestedTenant=flights_space]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:monitor/settings/get] and User [name=flights_rw, backend_roles=[], requestedTenant=flights_space]"
  },
  "status" : 403
}
No matter what extra permission I give to the flights_rw role, I keep getting the security exception. So, in order to let him run that thing, I give him the admin backend role, running as an admin user:
PUT _opendistro/_security/api/internalusers/flights_rw
{
  "backend_roles": ["admin"]
}
Of course, now the flights_rw user can run GET _cat/indices, and he gets as a result all kinds of indices, including indices of flights, logs, security, etc.
Obviously I need to limit him, as having admin access isn't great. I want him to be able to issue GET _cat/indices and get as a result only the flights-related indices.
With the same logic, I want the flights_rw user to also be able to access the Security plugin. There I want him to be able to create a user, for example. However, when logs_rw logs in, I don't want him to view the users created by flights_rw, and vice versa.
So, in conclusion, I am trying to create a limited administrator role that will let a user administer their part of the cluster only.
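As an added example (not part of the original post or of the security plugin), a small Python audit of the roles and role mappings posted above: it applies each role's index_patterns to a constructed index listing to show which indices a scoped GET _cat/indices answer for that role should be limited to, and applies the mappings' users patterns to the four user names. Shell-style wildcard matching via fnmatch is an assumption standing in for the plugin's own matcher, and every index name other than the two kibana_sample_data_* indices is constructed.

```python
import fnmatch

# Roles from the post, reduced to the fields that decide index visibility.
ROLES = {
    "flights_rw": {"cluster_permissions": ["cluster_all"],
                   "index_patterns": ["kibana_sample_data_flights*"]},
    "logs_rw": {"cluster_permissions": ["cluster_all"],
                "index_patterns": ["kibana_sample_data_logs*"]},
}
# Role mappings from the post: role name -> "users" patterns.
MAPPINGS = {"flights_rw": ["flights*"], "logs_rw": ["logs*"]}
# Constructed stand-in for a GET _cat/indices listing; only the two
# kibana_sample_data_* names appear in the post.
INDICES = ["kibana_sample_data_flights", "kibana_sample_data_flights_2021",
           "kibana_sample_data_logs", ".opendistro_security", ".kibana_1"]

def glob_any(name, patterns):
    # Shell-style wildcard match, assumed to approximate the plugin's matcher.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def visible_indices(role, indices=INDICES, roles=ROLES):
    # Indices the role's index_patterns cover: what a scoped _cat/indices
    # answer for this role should be limited to.
    return sorted(i for i in indices if glob_any(i, roles[role]["index_patterns"]))

def roles_for_user(user, mappings=MAPPINGS):
    # Roles whose mapping "users" patterns match the user name.
    return sorted(r for r, pats in mappings.items() if glob_any(user, pats))

def audit(users, roles=ROLES, mappings=MAPPINGS):
    # Least-privilege findings: cluster-wide grants, and wildcard mappings that
    # pull a *_ro user into a *_rw role (naming convention from the post).
    findings = []
    for role, spec in roles.items():
        if "cluster_all" in spec["cluster_permissions"]:
            findings.append(f"{role}: cluster_all grants every cluster-level action")
    for user in users:
        for role in roles_for_user(user, mappings):
            if user.endswith("_ro") and role.endswith("_rw"):
                findings.append(f"{user}: matched by {mappings[role]} -> read-write role {role}")
    return findings

if __name__ == "__main__":
    for role in ROLES:
        print(role, "->", visible_indices(role))
    print("\n".join(audit(["flights_rw", "flights_ro", "logs_rw", "logs_ro"])))
```

Running it lists the flights indices for flights_rw only, and reports that the mapping pattern flights* also puts flights_ro into the read-write role.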