Search Guard and Elasticsearch version: 6.5.1 (SG, ES & K)
Installed and used enterprise modules, if any: None
JVM version and operating system version: openjdk 1.8
Search Guard configuration files: see end of message
Elasticsearch log messages on debug level: not an ES problem
Other installed Elasticsearch or Kibana plugins, if any: None
We’ve been using the Elastic stack to gather data on the usage of our applications by our clients.
We collect data and store it in ES in indices that contain the client’s UID: data_0 for client 0, data_1 for client 1 etc.
In Kibana, we have an index pattern data_* that allows us to create visualizations for these data.
Say we want to give access to dashboard / visualizations to our clients, but only for their own data.
We would also like to limit the per-client configuration as we have a lot of clients. (We don’t want to re-create 1 visualisation per client, or 1 tenant per client, we don’t want to have 1 index pattern per client etc.)
One way we can do it, is to create a user per client, add a field ‘client_id’ to this user and use it in the DLS query of a generic ‘client_user’ to filter only corresponding documents.
But the first thing we tried was to only allow some indices to each client (we sorted it by indices for that purpose, and it should be much more efficient than DLS), for example ‘data_1’ for the user of client 1. We expected the index pattern ‘data_*’ in Kibana to work but only retrieve data from ‘data_1’, but instead it says:
Discover: no permissions for [indices:data/read/search] and User [name=user_1, roles=[client_user], requestedTenant=null]
And the only way to fix this message is to give READ access to ‘data_*’, thus losing the data protection of indices that do not belong to the user’s client.
Is there a way to achieve this index-level filter while keeping the same index-patterns in Kibana for two different users?
Side note: I tried to attach the config files, but I can’t find them… We’re using the GUI to set our system, but the files aren’t written in /plugins/search-guard-6/sgconfig/sg_internal_users.yml, these files only contain static data, changes made in Kibana are not reflected there, and we cannot find where they’re written, system only has one directory called ‘sgconfig’ and it’s this one. We’re running the stack as a service. The SG data is persisted without any problem.