I am trying to set up an application user here, and I want him to have:
- write access to kibana global tenant
- read access to all test-app-* indices
- additional rights to test-app2-* indices
- _cat/mapping, _cat/indices and _cat/aliases rights to test-app-* indices (excluding .kibana* indices and any system indices)
- no rights to any system indices (.monitoring, slm, ilm …)
I am able to get _cat/indices to work with
GET _cat/indices/test-app-*, but not without the allowed index prefix (so if the user doesn't know which indices he has rights to, he gets a permission error).
_cat/aliases doesn't work unless I allow it for all indices.
sg_internal_users.yml
tu:
  hash: "$2y$12$lCHHGvNxCla9BmrDeZYLvez9ArQAHdhc12zhCreE4ioDsoU/0SK96"
  search_guard_roles:
    - "SGS_KIBANA_USER"
    - "TEST-USER"
sg_roles.yml
TEST-USER:
  description: "test role"
  cluster_permissions:
    # allow _cat/indices
    - "cluster:monitor/health"
    - "cluster:monitor/state"
  index_permissions:
    - index_patterns:
        - "test-app*"
      allowed_actions:
        # allow index stats, _cat/mapping, _cat/settings, _cat/aliases
        - "indices:monitor/stats"
        - "indices:monitor/settings/get"
        - "indices:admin/mappings/get"
        - "indices:admin/aliases/get"
        - "SGS_READ"
    - index_patterns:
        - "test2-app*"
      allowed_actions:
        - "SGS_READ"
  tenant_permissions:
    - tenant_patterns:
        - "SGS_GLOBAL_TENANT"
      allowed_actions:
        - "SGS_KIBANA_ALL_WRITE"
  exclude_cluster_permissions: []
What I would like to get is: if the user logs in to Dev Tools and tries _cat/indices, only the test-app-1 and test-app-2 indices are displayed, or only the aliases to those 2 indices are displayed. Is it possible?
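As an added example (not from the post above and not Search Guard's own code): a small Python model of how the TEST-USER role's glob index patterns resolve against a constructed index list. It makes visible why `_cat/indices/test-app-*` succeeds while a bare `_cat/indices` (which expands to every index in the cluster, system indices included) does not. The cluster contents, the aliases, and the rule "one forbidden index denies the whole request" are assumptions that model the behaviour described in the post, not Search Guard's actual evaluation logic.

```python
from fnmatch import fnmatchcase

# Constructed sample cluster (assumption, not from the original post).
CLUSTER_INDICES = [
    "test-app-1", "test-app-2", "test-app2-1", "test2-app-1",
    ".kibana_1", ".monitoring-es-7-2024.01.01",
]

# Constructed aliases: alias name -> backing indices (assumption).
ALIASES = {"test-app": ["test-app-1", "test-app-2"], ".kibana": [".kibana_1"]}

# The TEST-USER role from the post, reduced to index pattern -> allowed actions.
TEST_USER_ROLE = {
    "test-app*": {"indices:monitor/stats", "indices:monitor/settings/get",
                  "indices:admin/mappings/get", "indices:admin/aliases/get",
                  "SGS_READ"},
    "test2-app*": {"SGS_READ"},
}


def allowed_indices(role, action, indices):
    """Indices on which at least one pattern of the role grants `action`.
    Note that 'test-app*' already matches a 'test-app2-...' index."""
    return sorted(i for i in indices
                  if any(action in acts and fnmatchcase(i, pat)
                         for pat, acts in role.items()))


def resolve_request(role, action, requested_pattern, indices):
    """Simplified model of an index-level request: the requested pattern is
    expanded against the whole cluster first, then every resolved index must be
    permitted. Assumption: one forbidden index denies the whole request, which
    is the permission error the post describes for a bare _cat/indices."""
    resolved = [i for i in indices if fnmatchcase(i, requested_pattern)]
    permitted = set(allowed_indices(role, action, indices))
    forbidden = [i for i in resolved if i not in permitted]
    if forbidden:
        return {"status": "forbidden", "blocked_by": forbidden}
    return {"status": "ok", "indices": resolved}


def visible_aliases(role, aliases, indices):
    """Aliases whose backing indices are all permitted for aliases/get
    (assumption: an alias is listed only if every target is readable)."""
    permitted = set(allowed_indices(role, "indices:admin/aliases/get", indices))
    return sorted(a for a, targets in aliases.items()
                  if all(t in permitted for t in targets))
```

Running `resolve_request(TEST_USER_ROLE, "indices:monitor/stats", "*", CLUSTER_INDICES)` shows the bare request blocked by `.kibana_1`, `.monitoring-...` and `test2-app-1` (which has only SGS_READ), while the `test-app-*` request succeeds.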