Doubts about sg_roles.yml

Hi friends;

I´m beggining work whit elasticSearch, and I have some doubts with the configuration of file sg_roles.yml and permisssions in general:

I need provide access at diferents peoples, por example I have set any user than can access to indeces.

With this role y can have access from kibana a her logs.

The user can:

  • create indeces

  • create visualizations

  • read her logs.

and I only need than

The the user can´t;

  • remove indices

  • create indeces

  • Set advance settings

sg_own_index:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
- indices:admin/aliases*
- indices:data/write/reindex
- indices:data/write/bulk

indices:
‘logger-${user_name}’:
'
’:
- indices:data/write/bulk
- READ
‘?kibana’:
'’:
- indices:data/write/index
- indices:data/write/update

- indices:admin/mapping/put
- READ
‘?kibana-6’:
'’:
- indices:data/write/index
- indices:data/write/update

- indices:admin/mapping/put
- READ
’:
'
’:
- indices:data/read/field_caps*

I have other question, what is the meaning of ‘?kibana’ or ‘kibana6’ .?

I can´t some guide of how can set the role?

for example I need to know what it does this line - indices:data/write/index

Regards, and thanks

When asking questions, please provide the following information:

  • Docker stack

  • Search Guard and Elasticsearch version 6.3.0

I think you are confusing Elasticsearch indices with Kibana index-patterns and other Kibana functionality.

Index patterns, visualizations, dashboards etc. are stored in one Kibana index, called “.kibana” or, when migrating from 5 -> 6, “.kibana6”. Any Kibana user needs to be able to read/write this index. Since all of the Kibana objects are stored in this one index, there is no way (as of now) to control which of these objects a user can access. In other words, it’s not possible to control access on the Kibana saved objects level. The advanced settings is also a Kibana feature which cannot be controlled on ES/SG level.

···

On Monday, September 24, 2018 at 1:28:15 PM UTC+2, satdanielglez@gmail.com wrote:

Hi friends;

I´m beggining work whit elasticSearch, and I have some doubts with the configuration of file sg_roles.yml and permisssions in general:

I need provide access at diferents peoples, por example I have set any user than can access to indeces.

With this role y can have access from kibana a her logs.

The user can:

  • create indeces
  • create visualizations
  • read her logs.

and I only need than

The the user can´t;

  • remove indices
  • create indeces
  • Set advance settings

sg_own_index:
readonly: true
cluster:
- CLUSTER_COMPOSITE_OPS_RO
- indices:admin/aliases*
- indices:data/write/reindex
- indices:data/write/bulk

indices:
‘logger-${user_name}’:
'
’:
- indices:data/write/bulk
- READ
‘?kibana’:
'’:
- indices:data/write/index
- indices:data/write/update

- indices:admin/mapping/put
- READ
‘?kibana-6’:
'’:
- indices:data/write/index
- indices:data/write/update

- indices:admin/mapping/put
- READ
’:
'
’:
- indices:data/read/field_caps*

I have other question, what is the meaning of ‘?kibana’ or ‘kibana6’ .?

I can´t some guide of how can set the role?

for example I need to know what it does this line - indices:data/write/index

Regards, and thanks

When asking questions, please provide the following information:

  • Docker stack
  • Search Guard and Elasticsearch version 6.3.0