Kibana Spaces are always visible across all tennants?

Kosmonafft · August 5, 2021, 9:35am

Hi folks,

I am trying out tennants.

I have two testusers, which reside in different tennants. With my admin user, which is mapped to standard Search Guard role “SGS_ALL_ACCESS” I have created additional Kibana Space and also an index pattern in there.

The result now is: Each of my testusers, which only have accesse to their own independant tennats can still see all the Kibana Spaces I have created, go inside and at least check the kibana index pattern names.

Can you give me a hint if there is a way to limit Kibana spaces to specific tennants so that in each tennant I can have an own set of Kibana Spaces which cannot be seen by users from other tennant?

Thanks

sirHusky · August 5, 2021, 10:46am

@Kosmonafft kibana spaces is elastic’s implementation of tenants. If you are using searchGuard’s implementation of multi-tenancy, Spaces should be disabled in kibana.yml with line:
xpack.spaces.enabled: false
(kibana restart is needed)

Once that is done, can you confirm if you are still having issues? If so, can you confirm which way you created and assigned the tenants, did you use yaml configuration files of kibana UI?
If configuration files, could you please provide these (redact any sensitive information)

Kosmonafft · August 9, 2021, 8:26am

Thanks for the info. Do you plan to integrate manual selection of spaces in the Kibana UI? Spaces are more comfortable to use for a user since he can see the space where he is currently in and which are available for selection.

What happens when one user has access to multiple tenants? Can he actively select which one he would like to see or does he see everything from both tenants combined in one kibana “view” ?

sirHusky · August 9, 2021, 8:34am

@Kosmonafft

Which version of SearchGuard are you using?

This feature is already implemented in the latest version, see below:

Screenshot 2021-08-09 at 09.31.20

Regarding what objects are visible:
Only the kibana objects saved to that particular tenant are visible, not a combination of different tenants.

Kosmonafft · August 9, 2021, 8:55am

I am using 7.13.2-51.0.0

sirHusky · August 9, 2021, 8:57am

Perfect, the screenshot is from your version.

Do you see the same options? if not, Do you have multitenancy enabled in kibana.yml?

searchguard.multitenancy.enabled: true
searchguard.multitenancy.tenants.preferred: ["Private", "Global"]

Kosmonafft · August 9, 2021, 9:19am

After I have enabled this I can see the tenants now.

My understanding was that tenant feature were already enabled in sgconfig.yml:

sg_config:
  dynamic:
    kibana:
      multitenancy_enabled: true

But it looks like it is for elasticseach and not kibana

sirHusky · August 9, 2021, 9:21am

Yes, needs entries from both sides, kibana and elasticsearch.

Glad you got this resolved

system · August 30, 2021, 9:22am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Searchguard with Spaces Search Guard	1	487	March 27, 2019
Wildcard access and access to all (non private) tenants, default values for new tenants Search Guard	5	578	January 17, 2019
Search Guard and Spaces Search Guard	5	694	January 10, 2019
Kibana Multitenancy not working Search Guard	5	663	May 30, 2018
Always visible indication of which Kibana tenant is being used Feature Requests	2	675	January 25, 2020

Kibana Spaces are always visible across all tennants?

Related Topics