I’m not 100% familiar with the Sentinl internals, but … it is usually not the Kibana server user that issues queries. That would make it impossible to implement RBAC for the logged in users. The Kibana server user is mainly used for maintenance, e.g. the infamous health checks from Kibana to Elasticsearch. That’s why a Kibana user typically needs two sets of permissions: One for managing the .kibana index (reading and writing saved objects like Visualizations), and then permissions for the indices the user is allowed to operate on. But having said that - it’s really up to the plugin developer to use either the internal Kibana server user, or the logged in user.
So why does this use case not work:
“But letting the scheduler and watcher management run on the Kibana side as the sg_kibana_server creates issues in terms of trying to restrict read access to the different indices by different users.”
Is it that a user can create watches on an index he/she does not have access to? Or is it the READ access for the indices? If Sentinl uses the Kibana server user to write and execute watches, then why would restricting index access for users fail? But as you see - we would need to understand more of the Sentinl inner workings, so you may have a better chance on the Sentinl forum I guess.
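As an added illustration of the two permission sets mentioned above (this is not configuration from the thread or from Search Guard's shipped defaults), a Search Guard 6 style sg_roles.yml role that lets a user manage saved objects in .kibana while reading only one index pattern; the role name, backend role, user name and index pattern are hypothetical:

```yaml
# sg_roles.yml (excerpt) - added example, not from the thread.
# One role carrying both permission sets a logged-in Kibana user needs:
#   1) saved-object management in the .kibana index
#   2) read access limited to the indices this user may query
sg_team_a_kibana:            # hypothetical role name
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    # '?kibana' is the wildcard form Search Guard uses for the .kibana index
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    # Data indices: only this team's logs, read-only (hypothetical pattern).
    # Because there is no '*' entry here, every other index stays out of reach
    # for this user, even though the Kibana server user can still reach .kibana.
    'logs-team-a-*':
      '*':
        - READ
---
# sg_roles_mapping.yml (excerpt) - binds the role to a backend role and a user
sg_team_a_kibana:
  backendroles:
    - team-a                 # hypothetical LDAP/backend role
  users:
    - alice                  # hypothetical user
```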
On Thursday, June 28, 2018 at 3:10:38 PM UTC+2, Håvard Langdal wrote:
Apologies if this is the wrong forum to ask, but I’m confident that this may apply to others as well.
This topic involves questions around the watcher plugin Sentinl.
- Search Guard and Elasticsearch version
I assume that when the user is not logged in, or in general, it’s the sg_kibana_server user that queries for each respective user?
Are there any alternatives to letting sg_kibana_server access all indices that Sentinl is to create alerts for?
Our use case is to let end users create watchers on indices which they have access to. But letting the scheduler and watcher management run on the Kibana side as the sg_kibana_server creates issues in terms of trying to restrict read access to the different indices by different users. (given that sg_kibana_server does all the work for them) (sg_kibana_server is a highway to all the data (?))
A thought was to let the Sentinl scheduler run as a backend where it’s given the same required permissions, but it’s restricted by hostname.