Questions on demo configurations for users, roles and permissions

cdeng · April 26, 2019, 4:49am

hi team,

i have serveral questions on the demo configuration:

in the demo configurations, there is a logstash user in the internal_users.yml, there is a logstash role in the roles.yml, and there is backend role logstash to logstash role in the roles_mappings.yml. does OpenDistro for Elasticsearch Security come with logstash or just create those configurations for works with once logstash get installed ? if we use some other way such as graylog sidecar to collect the X beats logs, do we not need those configurations?
in the roles.yml, for role kibana_user has following index permissions been defined:

           kibana_user:
           ...
           indices:
               '*':
                   '*':
                       ...
                       - indices:data/read/xpack/rollup*
                       ...

and for role kibana_server has following cluster permissions been defined:

       kibana_server:
             ...
             cluster:
                    ...
                    - cluster:admin/xpack/monitoring*
                    ...

what do those permissions work for ？

for roles kibana_user and kibana_server in the roles.yml, there are INDEX_ALL permssions especially for indices: ‘?kibana’, ‘?kibana-6’, ‘?kibana_', and '?management-beats’. do we need both “?kibana” and “?kibana-6” for kibana configuration index ? and again, if we don’t run logstash for beats, can we remove this index permissions from the two kibana related roles?
as we noted that the opendistro_security.roles_mapping_resolution is default to MAPPING_ONLY. but in the roles_mapping.yml, there are roles mapping like:

     all_access:
          readonly: true
          backendroles:
              - admin

      kibana_user:
          backendroles:
              - kibanauser

     manage_snapshots:
         readonly: true
         backendroles:
             - snapshotrestore

but the backend roles admin, kibanauser, snapshotrestore have not been defined in the roles.yml. and similar things happen to internal_users.yml. do those mapping is not used for internal user database as the backend?

as we have noted that in the demo elasticsearch.yml configuration, there is a configuration parameter:

      opendistro_security.allow_default_init_securityindex

but it seems there is another configuration parameter:

     opendistro_security.allow_default_init_opendistrosecurityindex

what are their differences ?

thanks.

charles

cdeng · May 16, 2019, 3:38am

this forum is quite silent. anyway, i have found there is always role mapping for internal users and the configuration sample on github is wrongly using opendistro_security.allow_default_init_opendistrosecurityindex which should be opendistro_security.allow_default_init_securityindex.

Topic		Replies	Views
Why I don't find logstash in roles.yml? OpenSearch troubleshoot , configure	4	419	December 29, 2023
Setup permissions for AD user Security	1	410	February 22, 2021
Read Only Accounts Security configure	5	363	February 14, 2024
Mapping new user to kibana_server Security	6	981	October 6, 2024
Kibana usage on user and roles Open Source Elasticsearch and Kibana discuss , configure	1	299	February 7, 2023

Questions on demo configurations for users, roles and permissions

Related topics