We do not ship a kibana_own_index role, where did you see it? We do ship a role called sg_own_index. This is to demonstrate variable substitution in index names. Here we use the username of the currently logged in user as index name:
The private tenant is a special case in regards that you do not have to specify it in any role. Every Kibana user has access to this tenant, unless it is disabled. So we have two default tenants, global and private, and then an arbitrary number of tenants per role.
Yes, the the Kibana index name in the sg_kibana_user role must match the Kibana index name in kibana.yml and sg_config. Unless you are working with aliases. Aliases are resolved by Search Guard automatically.
On Friday, August 3, 2018 at 5:11:15 PM UTC+2, Fabien Wernli wrote:
I see. This raises two more questions:
- What about the kibana_own_index role, what’s its purpose? Is the Private tenant a special case?
- In the sg_kibana_user role, must the “indices: ‘?kibana’” value match the kibana.yml and sg_config setting for the kibana index?