Lock out users from Kibana Management?

I’m looking for a set of permissions that’s looser than using opendistro_security.readonly_mode.roles, but will prevent users from changing things under Stack Management. I haven’t figured out a way to keep people from changing the global settings like the Index Patterns or the timezone for date formatting.

Ideally they’d only be able to use Discover, Dashboard, and Visualize under the Kibana app. Using the readonly_mode only allows access to Dashboard, which means users can’t (edit: forgot the 't) see the actual loglines as they are coming in to the system.
I’d settle for something that just allows access to Discover, or a Dashboard that can show all of the fields parsed from a logline.

@reshippie can you please elaborate on the requirement.

“which means users can see the actual loglines as they are coming in to the system.” You want the users to be able to see these via discovery view or not?

Because readonly_mode doesn’t show that, if I understand you correctly?

Correct, readonly_mode only allows access to Dashboards and I haven’t figured out a way to get a dashboard to display the full logline. Data Table sounded like the most likely option, but it only allows me to display metrics about the data, not the data itself.

It sounds like you are just looking for normal user that just has access to read data and kibana objects.

It should be as simple as mapping user to kibana_user role and additional role below:

Unfortunately, when I tested the kibana_user role it allowed a user to add and remove index patterns as well as make changes on the Advanced Settings page.

I tried creating a new role with the same permissions as kibana_user but that managed to block access to the Discover and Dashboard pages as well as the Stack Management page. The error that I was getting from Kibana was:

{“type”:“log”,“@timestamp”:“2021-06-28T18:21:03Z”,“tags”:[“error”,“elasticsearch”,“data”],“pid”:15917,“message”:“[security_exception]: no permissions for [indices:data/read/get] and User [name=test, backend_roles=[kibana], requestedTenant=null]”}

‘kibana’ being an LDAP group that I have mapped to the OpenDistro Security roles.
I’m not sure which index it’s complaining about. kibana_user grants permissions to several .kibana indices along with .tasks and .management and the other role I created has read and search on * indices.
I’m using opendistroforelasticsearch-kibana 1.13.2.

You are able to save searches from discovery and add these to dashboard, which can then be accessed by role mapped to kibana_read_only (additional role would need to be mapped giving access to right indices and tenants)

This way user only has access to dashboards, but the loglines are displayed also. Hope this helps

@reshippie Could you please give me what you have done to solve this issue? I 'm facing the same problem. I have backend role in oidc token, in my case case “kibana_restricted” and I mapped to a role which has the same permission like “kibana_user”. I get this error:

{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=demo.demo, backend_roles=[ kibana_restricted], requestedTenant=null]: security_exception"}

I can not see an Discover or Dashboard page. which permissions did you granted?
thanks in advance

@amirkh81 In the role, which has the same permission like “ kibana_user ”, can you try to add tenant permission for global tenant (and/or any other tenant you are using). This should get rid of the error you are seeing.

This permission seems to be hardcoded to role kibana_user and needs to be added manually.

1 Like

Oh you saved my day. thanks @reshippie

I’m facing the same issue, but I cannot make it work.
Does some one has an example of a working role where users are able to read/save queries in dashboard but not change advanced settings?
seems they also renamed some indices in the meanwhile, because i see some .kibana_admin but no .tasks or .management. should not be that complicated