I followed your steps to configure kibana dashboard only user support for kibana_dashboard_only_user but I am not able to log in. I am getting “No application was found at this URL. Try going back or choosing an app from the menu.”
No matter what I set as the default route, I am being forwarded to “https://kibana.com/basePath/app/kibana#/dashboards” and getting an “Application Not Found” error. If I rewrite the URL to “https://kibana.com/basePath/app/dashboards#” I land in the dashboard space of the “kiosek” tenant and everything works as expected. Looks like the only user impacted by this is the dashboard only user, “do” in this case.
The permissions that were defined are only for 1 tenant (kiosek). Therefore only a user that has access to this tenant will be able to see the dashboards.
DefaultRoute can be left at default of /app/home.
When the user logs in, he/she would need to select the relevant tenant and then click on dashboards and any dashboards in that tenant should be visible. If the user has no read access to the tenant the “Application Not Found” label will be visible.
Is this not the behaviour you are seeing? If not, can you share the full kibana.yml and is there a reason for using base_path?
Yes, that’s what I am seeing, but I don’t want this user to choose the tenant; instead I want the “do” user to be automatically directed to tenant “kiosek”, because he has permissions to see only this tenant. I posted the setup for the user, can you see the issue?
I am using basePath because that’s how we access kibana via apache reverse proxy.
No, the “do” user does not have access to “tenant1” or “tenant2”, but it makes no difference if it has. I’ve tried to make the “do” user with unlimited cluster + index access + all tenants and it’s still the same. The user is stuck at the “Application not found” banner after login, so it can’t select anything.
But my case scenario is I don’t want this user to have access to other tenants and dashboards. Why when I literally just change the URL path:
the user “do” is redirected to the “kiosek” tenant, able to see only the kiosek tenant and has dashboard only rights, everything works. Seems to me the problem is elsewhere than in roles and users.
@peter82 I’m not able to reproduce the behaviour, in my case the user is assigned the first tenant in “searchguard.multitenancy.tenants.preferred” that he/she has access to.
They are directed to http://localhost:5601/app/home#/, and after selecting dashboards, directed to /app/dashboards#/list?_g=…
Also, if the user has no access to any other tenant, the multitenancy tab is not available, as there is no other option for the user anyway.
What tenant is automatically selected in the multitenancy tab when you log in as user “do”?
If I disable read only mode in kibana.yml and restart kibana, then user “do” is able to log in and see only the kiosek tenant, which is being automatically assigned to him, but of course then he can see all parts of kibana: Discover/devtools etc.
I was able to fix the login error by disabling spaces; apparently it conflicts with the searchguard implementation of multitenancy. @sirHusky this setting is deprecated in 7 and won’t be available in els 8, just saying
xpack.spaces.enabled: false
Readonly mode works as expected now. Thanks a lot for help.