Kibana Read Only Dashboards

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?

  2. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Hi,

it is possible to define read-only dashboards, but this is implemented via the multi-tenancy feature as you indicsted. With multi-tenancy, you can define multiple tenants per role, and then assign read/write or read-only permissions to these tenants.

Without multi-tenancy (Kibana default behavior), all saved objects end up in the same index without the possibility to separate them on a per-role basis or to assign permissions.

···

On Monday, August 20, 2018 at 3:19:15 AM UTC-5, anabella.cristaldi@gmail.com wrote:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

···

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

···

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Hi,

This is what I mean:

  1. Define the role with the asociated Tenants

GET /_searchguard/api/roles/sg_read_only

{“sg_read_only”:{“cluster”:[“READ”,“SEARCH”],“tenants”:{“T1”:“RW”,“T2”:“RO”},“indices”:{“logstash-*”:{“doc”:[“READ”,“SEARCH”]}}}}

  1. Define a user with that role

GET /_searchguard/api/internalusers/kibanaro

{“kibanaro”:{“password”:"",“roles”:[“sg_read_only”],“hash”:“xxxxx”}}

And no tenants other than global and private are visible (see attachment)

What I’m doing wrong?

Thank you

Regards

Ana

···

El martes, 21 de agosto de 2018, 14:38:48 (UTC+2), anabella....@gmail.com escribió:

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

This may be a stupid question, but have you updated the config via sgadmin after making the changes? If yes, can you post your role definition including the tenant here?

···

On Tuesday, August 21, 2018 at 7:38:48 AM UTC-5, anabella.cristaldi@gmail.com wrote:

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Hi, I realize that the role mapping was missing.

Thank you

Regards

Ana

···

El martes, 21 de agosto de 2018, 15:11:28 (UTC+2), anabella....@gmail.com escribió:

Hi,

This is what I mean:

  1. Define the role with the asociated Tenants

GET /_searchguard/api/roles/sg_read_only

{“sg_read_only”:{“cluster”:[“READ”,“SEARCH”],“tenants”:{“T1”:“RW”,“T2”:“RO”},“indices”:{“logstash-*”:{“doc”:[“READ”,“SEARCH”]}}}}

  1. Define a user with that role

GET /_searchguard/api/internalusers/kibanaro

{“kibanaro”:{“password”:"",“roles”:[“sg_read_only”],“hash”:“xxxxx”}}

And no tenants other than global and private are visible (see attachment)

What I’m doing wrong?

Thank you

Regards

Ana

El martes, 21 de agosto de 2018, 14:38:48 (UTC+2), anabella....@gmail.com escribió:

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Yes, that’s what I wanted to post as well :wink: You can always use the /_searchguard/authinfo endpoint for checking the mapped roles of the currently logged in user. Quite useful when debugging. Let me know if you have more questions regarding your PoC.

···

On Tuesday, August 21, 2018 at 8:15:11 AM UTC-5, anabella.cristaldi@gmail.com wrote:

Hi, I realize that the role mapping was missing.

Thank you

Regards

Ana

El martes, 21 de agosto de 2018, 15:11:28 (UTC+2), anabella....@gmail.com escribió:

Hi,

This is what I mean:

  1. Define the role with the asociated Tenants

GET /_searchguard/api/roles/sg_read_only

{“sg_read_only”:{“cluster”:[“READ”,“SEARCH”],“tenants”:{“T1”:“RW”,“T2”:“RO”},“indices”:{“logstash-*”:{“doc”:[“READ”,“SEARCH”]}}}}

  1. Define a user with that role

GET /_searchguard/api/internalusers/kibanaro

{“kibanaro”:{“password”:"",“roles”:[“sg_read_only”],“hash”:“xxxxx”}}

And no tenants other than global and private are visible (see attachment)

What I’m doing wrong?

Thank you

Regards

Ana

El martes, 21 de agosto de 2018, 14:38:48 (UTC+2), anabella....@gmail.com escribió:

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Thank you Jochen,
I was able to complete the initial scenario of the POC.

Regards

Ana

···

El martes, 21 de agosto de 2018, 15:17:30 (UTC+2), Jochen Kressin escribió:

Hi, I realize that the role mapping was missing.

Thank you

Regards

Ana

El martes, 21 de agosto de 2018, 15:11:28 (UTC+2), anabella....@gmail.com escribió:

Hi,

This is what I mean:

  1. Define the role with the asociated Tenants

GET /_searchguard/api/roles/sg_read_only

{“sg_read_only”:{“cluster”:[“READ”,“SEARCH”],“tenants”:{“T1”:“RW”,“T2”:“RO”},“indices”:{“logstash-*”:{“doc”:[“READ”,“SEARCH”]}}}}

  1. Define a user with that role

GET /_searchguard/api/internalusers/kibanaro

{“kibanaro”:{“password”:"",“roles”:[“sg_read_only”],“hash”:“xxxxx”}}

And no tenants other than global and private are visible (see attachment)

What I’m doing wrong?

Thank you

Regards

Ana

El martes, 21 de agosto de 2018, 14:38:48 (UTC+2), anabella....@gmail.com escribió:

In order to create the tenant:
I go to roles, and add a tenant to that role. Once I’m loging with a user in this role I’m not able to see the new tenant (only Global and Private tenants)

Regards and thank you

Ana

El martes, 21 de agosto de 2018, 12:38:33 (UTC+2), anabella....@gmail.com escribió:

Thank you for the response.

We are doing a POC in order to test the multitenancy feature. The goal is to present readonly dashboards to diferent clients.

For each client we want to

  1. Define a custom index
  1. Define a tenant
  1. Have a RW user that indexes the data in the custom index and create the visualizations and dashboard in the tenant
  1. Have a read only user over that tenant in order to provide read only access to that dashboards

I have enabled the multitenancy feature but i’m not able to define the tenants.

It is not clear for me in the doc

Any help will be appreciated

Regards

Ana

El lunes, 20 de agosto de 2018, 10:19:15 (UTC+2), anabella....@gmail.com escribió:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Yes, that’s what I wanted to post as well :wink: You can always use the /_searchguard/authinfo endpoint for checking the mapped roles of the currently logged in user. Quite useful when debugging. Let me know if you have more questions regarding your PoC.

On Tuesday, August 21, 2018 at 8:15:11 AM UTC-5, anabella....@gmail.com wrote:

Hi,
I am newer for SG. I want to confirm:

  1. whether multy tennancy is only for commercialize.

  2. whether below config also can define read only dashboards

searchguard.readonly_mode.roles: ["sg_read_only_1", "sg_read_only_2", ...]

在 2018年8月21日星期二 UTC+8上午9:25:35,Jochen Kressin写道:

···

Hi,

it is possible to define read-only dashboards, but this is implemented via the multi-tenancy feature as you indicsted. With multi-tenancy, you can define multiple tenants per role, and then assign read/write or read-only permissions to these tenants.

Without multi-tenancy (Kibana default behavior), all saved objects end up in the same index without the possibility to separate them on a per-role basis or to assign permissions.

On Monday, August 20, 2018 at 3:19:15 AM UTC-5, anabella....@gmail.com wrote:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

Hi,

  1. yes, this is a commercial feature

  2. only partly. You can use the dashboard only feature to limit Kibana accessibility to dashboards (only) by setting the readonly_mode.roles as you described. However, this feature is implemented on Kibana only, so users would still be able to access the .kibana index by directly querying Elasticsearch.

···

On Tuesday, October 9, 2018 at 3:33:51 PM UTC+2, tuser4198@gmail.com wrote:

Hi,
I am newer for SG. I want to confirm:

  1. whether multy tennancy is only for commercialize.
  1. whether below config also can define read only dashboards
searchguard.readonly_mode.roles: ["sg_read_only_1", "sg_read_only_2", ...]

在 2018年8月21日星期二 UTC+8上午9:25:35,Jochen Kressin写道:

Hi,

it is possible to define read-only dashboards, but this is implemented via the multi-tenancy feature as you indicsted. With multi-tenancy, you can define multiple tenants per role, and then assign read/write or read-only permissions to these tenants.

Without multi-tenancy (Kibana default behavior), all saved objects end up in the same index without the possibility to separate them on a per-role basis or to assign permissions.

On Monday, August 20, 2018 at 3:19:15 AM UTC-5, anabella....@gmail.com wrote:

Hi, I’m running ELK 6.32 Stack with SearchGuard 6.

I have a doubt regarding to read only modes in Kibana

  1. Is it posiible to define read only dashboards in kibana?
  1. Is it dependent of the multy tennancy feature?

Thank you

Regards

Ana

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any