We’ve been using a set of users/roles taken initially from the demo configuration and heavily modified; several users we’ve left unchanged, and now need to apply non-default passwords or remove them.
I think that only kibanaserver is necessary to keep (as used in kibana.yml) but are any other (docs aren’t explicit) needed for proper operation of Search Guard? Are kibanaro, readall and snapshotrestore required at all? I’m presuming that they are literally just to demonstrate different levels of access …
the users and roles in the demo configuration are literally just that, demo roles. None of them are strictly required for Search Guard to operate correctly. Which means you can replace all of them with your own if you like.
Depending on your use case you might want to keep:
admin, which is mapped to the sg_all_access role
kibanaserver, required for the internal Kibana user to perform health checks etc. This user is mapped to the sg_kibana_server role.
logstash, mapped to the sg_logstash role and used for data ingestion
Regarding the roles, you might want to keep:
sg_all_access, which grants full access to all indices
sg_kibana_server, which grants all permissions for the internal Kibana server user
sg_kibana_user, which grants permissions to access Kibana, but does not grant any permissions to access indices/data
sg_logstash, for creating and accessing the logstash indices
But as I said, you can also just set up your own set of users and roles. Just make sure you use use the correct user in your kibana and logstash configuration.