READ ONLY access SEARCHGUARD

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: 6.1

  • Installed and used enterprise modules, if any: kibana

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

How should I restrict Kibana READ ONLY user access (should be able to only query the index)?

role mapping:

```yaml
sg_all_access:
  users:
    - "bdmsys"
  backendroles:
    - "BDM-ES-ADMIN"

sg_crud:
  users:
    - "dbdm100"
  backendroles:
    - "BDM-ES-WRITE"

sg_readonly_and_monitor:
  users:
    - "bdmmon"
  backendroles:
    - "BDM-ES-USER"

sg_kibana_server:
  users:
    - "dddd"

sg_kibana_user:
  backendroles:
    - "BDM-ES-USER"
    - "BDM-ES-ADMIN"
    - "BDM-ES-WRITE"

sg_monitor:
  backendroles:
    - "BDM-ES-USER"

sg_alerting:
  backendroles:
    - "BDM-ES-USER"

sg_own_index:
  users:
    - "*"
```

roles:

```yaml
sg_public:
  cluster:
    - "cluster:monitor/main"
    - "CLUSTER_COMPOSITE_OPS_RO"

sg_all_access:
  cluster:
    - "UNLIMITED"
  indices:
    '*':
      '*':
        - "UNLIMITED"
  tenants:
    adm_tenant: "RW"
    test_tenant_ro: "RW"

sg_readonly_and_monitor:
  cluster:
    - "CLUSTER_MONITOR"
    - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '*':
      '*':
        - "INDICES_ALL"

sg_readall:
  cluster:
    - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '*':
      '*':
        - "READ"

sg_crud:
  cluster:
    - "CLUSTER_MONITOR"
    - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '*':
      '*':
        - "DATA_ACCESS"
        - "CREATE_INDEX"

sg_kibana_user:
  readonly: true
  cluster:
    - "MONITOR"
    - "CLUSTER_COMPOSITE_OPS_RO"
  indices:
    '?kibana*':
      '*':
        - "MANAGE"
        - "INDEX"
        - "READ"
        - "DELETE"
    '*':
      '*':
        - "READ"

sg_kibana_server:
  readonly: true
  cluster:
    - "CLUSTER_MONITOR"
    - "CLUSTER_COMPOSITE_OPS"
    - "cluster:admin/xpack/monitoring*"
    - "indices:admin/template*"
    - "indices:admin/mappings/get"
  indices:
    '?kibana*':
      '*':
        - "INDICES_ALL"
    '?reporting*':
      '*':
        - "INDICES_ALL"
    '?monitoring*':
      '*':
        - "INDICES_ALL"
    '*':
      '*':
        - "indices:data/read/field_caps"

sg_own_index:
  cluster:
    - "CLUSTER_COMPOSITE_OPS"
  indices:
    '${user_name}':
      '*':
        - "INDICES_ALL"

sg_manage_snapshots:
  cluster:
    - "MANAGE_SNAPSHOTS"
  indices:
    '*':
      '*':
        - "indices:data/write/index"
        - "indices:admin/create"

sg_monitor:
  cluster:
    - "cluster:admin/xpack/monitoring/*"
    - "cluster:admin/ingest/pipeline/put"
    - "cluster:admin/ingest/pipeline/get"
    - "indices:admin/template/get"
    - "indices:admin/template/put"
    - "CLUSTER_MONITOR"
    - "CLUSTER_COMPOSITE_OPS"
  indices:
    '?monitor*':
      '*':
        - "INDICES_ALL"
    '?marvel*':
      '*':
        - "INDICES_ALL"
    '?kibana*':
      '*':
        - "READ"
    '*':
      '*':
        - "indices:data/read/field_caps"

sg_alerting:
  cluster:
    - "indices:data/read/scroll"
    - "cluster:admin/xpack/watcher/watch/put"
    - "cluster:admin/xpack/watcher*"
    - "CLUSTER_MONITOR"
    - "CLUSTER_COMPOSITE_OPS"
  indices:
    '?kibana*':
      '*':
        - "READ"
    '?watches*':
      '*':
        - "INDICES_ALL"
    '?watcher-history-*':
      '*':
        - "INDICES_ALL"
    '?triggered_watches':
      '*':
        - "INDICES_ALL"
    '*':
      '*':
        - "READ"
```

Action groups:

```yaml
UNLIMITED:
  - "*"

INDICES_ALL:
  - "indices:*"

ALL:
  - "INDICES_ALL"

MANAGE:
  - "indices:monitor/*"
  - "indices:admin/*"

CREATE_INDEX:
  - "indices:admin/create"
  - "indices:admin/mapping/put"

MANAGE_ALIASES:
  - "indices:admin/aliases*"

MONITOR:
  - "INDICES_MONITOR"

INDICES_MONITOR:
  - "indices:monitor/*"

DATA_ACCESS:
  - "indices:data/*"
  - "CRUD"

WRITE:
  - "indices:data/write*"
  - "indices:admin/mapping/put"

READ:
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"

DELETE:
  - "indices:data/write/delete*"

CRUD:
  - "READ"
  - "WRITE"

SEARCH:
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - "SUGGEST"

SUGGEST:
  - "indices:data/read/suggest*"

INDEX:
  - "indices:data/write/index*"
  - "indices:data/write/update*"
  - "indices:admin/mapping/put"
  - "indices:data/write/bulk*"

GET:
  - "indices:data/read/get*"
  - "indices:data/read/mget*"

CLUSTER_ALL:
  - "cluster:*"

CLUSTER_MONITOR:
  - "cluster:monitor/*"

CLUSTER_COMPOSITE_OPS_RO:
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:data/read/coordinate-msearch*"
  - "indices:admin/aliases/exists*"
  - "indices:admin/aliases/get*"

CLUSTER_COMPOSITE_OPS:
  - "indices:data/write/bulk"
  - "indices:admin/aliases*"
  - "CLUSTER_COMPOSITE_OPS_RO"

MANAGE_SNAPSHOTS:
  - "cluster:admin/snapshot/*"
  - "cluster:admin/repository/*"
```

Sorry, but I do not understand the question “How should i restrict Kibana READ ONLY user access (should be able to only query the index).”

What do you mean by query the index? A particular index? All indices?

If you are looking for a role that has RO access only, there’s the sg_readall role you can use:

```yaml
sg_readall:
  readonly: true
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO
  indices:
    '*':
      '*':
        - READ
```
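An added example, not from the post or from the Search Guard project, that resolves the action groups posted above the way a reviewer would when auditing a role: it expands each group to its action patterns and reports whether a role's `'*'` index permissions allow reads only. It shows why sg_readonly_and_monitor can still write (INDICES_ALL expands to `indices:*`) while sg_readall and the `'*'` part of sg_kibana_user cannot. Pattern matching with `fnmatch` is an approximation of Search Guard's own wildcard matcher; the group and role contents are copied from the post.

```python
import fnmatch

# Action groups copied from the post, trimmed to those the audited roles reach.
ACTION_GROUPS = {
    "UNLIMITED": ["*"],
    "INDICES_ALL": ["indices:*"],
    "READ": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "WRITE": ["indices:data/write*", "indices:admin/mapping/put"],
    "CRUD": ["READ", "WRITE"],
    "DATA_ACCESS": ["indices:data/*", "CRUD"],
    "CREATE_INDEX": ["indices:admin/create", "indices:admin/mapping/put"],
}

# Permissions each posted role grants on the '*' (all indices) pattern.
# sg_kibana_user also grants MANAGE/INDEX/READ/DELETE on '?kibana*', which
# Kibana needs for saved objects; that pattern is out of scope here.
ROLE_STAR_PERMS = {
    "sg_readonly_and_monitor": ["INDICES_ALL"],
    "sg_readall": ["READ"],
    "sg_crud": ["DATA_ACCESS", "CREATE_INDEX"],
    "sg_kibana_user": ["READ"],
}

def expand(perms, groups=ACTION_GROUPS, seen=None):
    """Replace action-group names with their action patterns, recursively."""
    seen = set() if seen is None else seen
    out = set()
    for p in perms:
        if p in groups:
            if p in seen:          # guard against cyclic group definitions
                continue
            seen.add(p)
            out |= expand(groups[p], groups, seen)
        else:
            out.add(p)
    return out

def allows(patterns, action):
    """True if any resolved pattern matches the Elasticsearch action name (fnmatch approximation)."""
    return any(fnmatch.fnmatchcase(action, pat) for pat in patterns)

# Constructed probe actions: one read, and writes a read-only role must not get.
READ_PROBE = "indices:data/read/search"
WRITE_PROBES = ["indices:data/write/index", "indices:data/write/delete",
                "indices:admin/delete", "indices:admin/create"]

def audit(role):
    """Return (can_read, can_write) for the role's '*' index permissions."""
    pats = expand(ROLE_STAR_PERMS[role])
    return allows(pats, READ_PROBE), any(allows(pats, a) for a in WRITE_PROBES)

if __name__ == "__main__":
    for role in ROLE_STAR_PERMS:
        can_read, can_write = audit(role)
        print(f"{role:25s} read={can_read} write={can_write}")
```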

On Friday, October 26, 2018 at 8:30:22 PM UTC+2, rud wrote:
