When asking questions, please provide the following information:
-
Search Guard and Elasticsearch version 6.1
-
Installed and used enterprise modules, if any kibana
-
JVM version and operating system version
-
Search Guard configuration files
-
Elasticsearch log messages on debug level
-
Other installed Elasticsearch or Kibana plugins, if any
How should i restrict Kibana READ ONLY user access (should be able to only query the index).
role mapping:
···
sg_all_access:
users:
- “bdmsys”
backendroles:
- “BDM-ES-ADMIN”
sg_crud:
users:
- “dbdm100”
backendroles:
- “BDM-ES-WRITE”
sg_readonly_and_monitor:
users:
- “bdmmon”
backendroles:
- “BDM-ES-USER”
sg_kibana_server:
users:
- “dddd”
sg_kibana_user:
backendroles:
-
“BDM-ES-USER”
-
“BDM-ES-ADMIN”
-
“BDM-ES-WRITE”
sg_monitor:
backendroles:
- “BDM-ES-USER”
sg_alerting:
backendroles:
- “BDM-ES-USER”
sg_own_index:
users:
- “*”
roles:
sg_public:
cluster:
-
“cluster:monitor/main”
-
“CLUSTER_COMPOSITE_OPS_RO”
sg_all_access:
cluster:
- “UNLIMITED”
indices:
‘*’:
‘*’:
- “UNLIMITED”
tenants:
adm_tenant: “RW”
test_tenant_ro: “RW”
sg_readonly_and_monitor:
cluster:
-
“CLUSTER_MONITOR”
-
“CLUSTER_COMPOSITE_OPS_RO”
indices:
‘*’:
‘*’:
- “INDICES_ALL”
sg_readall:
cluster:
- “CLUSTER_COMPOSITE_OPS_RO”
indices:
‘*’:
‘*’:
- “READ”
sg_crud:
cluster:
-
“CLUSTER_MONITOR”
-
“CLUSTER_COMPOSITE_OPS_RO”
indices:
‘*’:
‘*’:
-
“DATA_ACCESS”
-
“CREATE_INDEX”
sg_kibana_user:
readonly: true
cluster:
-
“MONITOR”
-
“CLUSTER_COMPOSITE_OPS_RO”
indices:
?kibana*:
‘*’:
-
“MANAGE”
-
“INDEX”
-
“READ”
-
“DELETE”
‘*’:
‘*’:
- “READ”
sg_kibana_server:
readonly: true
cluster:
-
“CLUSTER_MONITOR”
-
“CLUSTER_COMPOSITE_OPS”
-
“cluster:admin/xpack/monitoring*”
-
“indices:admin/template*”
-
“indices:admin/mappings/get”
indices:
?kibana*:
‘*’:
- “INDICES_ALL”
?reporting*:
‘*’:
- “INDICES_ALL”
?monitoring*:
‘*’:
- “INDICES_ALL”
‘*’:
‘*’:
- “indices:data/read/field_caps”
sg_own_index:
cluster:
- “CLUSTER_COMPOSITE_OPS”
indices:
${user_name}:
‘*’:
- “INDICES_ALL”
sg_manage_snapshots:
cluster:
- “MANAGE_SNAPSHOTS”
indices:
‘*’:
‘*’:
-
“indices:data/write/index”
-
“indices:admin/create”
sg_monitor:
cluster:
-
“cluster:admin/xpack/monitoring/*”
-
“cluster:admin/ingest/pipeline/put”
-
“cluster:admin/ingest/pipeline/get”
-
“indices:admin/template/get”
-
“indices:admin/template/put”
-
“CLUSTER_MONITOR”
-
“CLUSTER_COMPOSITE_OPS”
indices:
?monitor*:
‘*’:
- “INDICES_ALL”
?marvel*:
‘*’:
- “INDICES_ALL”
?kibana*:
‘*’:
- “READ”
‘*’:
‘*’:
- “indices:data/read/field_caps”
sg_alerting:
cluster:
-
“indices:data/read/scroll”
-
“cluster:admin/xpack/watcher/watch/put”
-
“cluster:admin/xpack/watcher*”
-
“CLUSTER_MONITOR”
-
“CLUSTER_COMPOSITE_OPS”
indices:
?kibana*:
‘*’:
- “READ”
?watches*:
‘*’:
- “INDICES_ALL”
?watcher-history-*:
‘*’:
- “INDICES_ALL”
?triggered_watches:
‘*’:
- “INDICES_ALL”
‘*’:
‘*’:
- “READ”
Action groups:
UNLIMITED:
- “*”
INDICES_ALL:
- “indices:*”
ALL:
- “INDICES_ALL”
MANAGE:
-
“indices:monitor/*”
-
“indices:admin/*”
CREATE_INDEX:
-
“indices:admin/create”
-
“indices:admin/mapping/put”
MANAGE_ALIASES:
- “indices:admin/aliases*”
MONITOR:
- “INDICES_MONITOR”
INDICES_MONITOR:
- “indices:monitor/*”
DATA_ACCESS:
-
“indices:data/*”
-
“CRUD”
WRITE:
-
“indices:data/write*”
-
“indices:admin/mapping/put”
READ:
-
“indices:data/read*”
-
“indices:admin/mappings/fields/get*”
DELETE:
- “indices:data/write/delete*”
CRUD:
-
“READ”
-
“WRITE”
SEARCH:
-
“indices:data/read/search*”
-
“indices:data/read/msearch*”
-
“SUGGEST”
SUGGEST:
- “indices:data/read/suggest*”
INDEX:
-
“indices:data/write/index*”
-
“indices:data/write/update*”
-
“indices:admin/mapping/put”
-
“indices:data/write/bulk*”
GET:
-
“indices:data/read/get*”
-
“indices:data/read/mget*”
CLUSTER_ALL:
- “cluster:*”
CLUSTER_MONITOR:
- “cluster:monitor/*”
CLUSTER_COMPOSITE_OPS_RO:
-
“indices:data/read/mget”
-
“indices:data/read/msearch”
-
“indices:data/read/mtv”
-
“indices:data/read/coordinate-msearch*”
-
“indices:admin/aliases/exists*”
-
“indices:admin/aliases/get*”
CLUSTER_COMPOSITE_OPS:
-
“indices:data/write/bulk”
-
“indices:admin/aliases*”
-
“CLUSTER_COMPOSITE_OPS_RO”
MANAGE_SNAPSHOTS:
-
“cluster:admin/snapshot/*”
-
“cluster:admin/repository/*”