What are the "certain privilege" that Kibana users need?


The new Search Guard version requires that users who shall be allowed to log into Kibana have a certain privilege

Can someone tell me what that certain privilege is?

Where can I see the definition of SGS_KIBANA_USER in human readable form?

In our environment we don’t have all the users that need to use Kibana mapped to SGS_KIBANA_USER role. The roles we use with Search Guard 7 for people who need to use Kibana were originally made by looking at the sg_kibana_user role in Search Guard 6 and making modifications as appropriate to our environment. (Each team users it’s own Kibana instance and we do not want teams to have permissions on all Kibana indices, for example.) But in Search Guard 6 the sg_kibana_user is defined in sg_roles.yml so one can simply look at that file to see what permissions it provides. By contrast in later versions of Search Guard SGS_KIBANA_USER isn’t defined in sg_roles.yml or anywhere else it can be found with grep.

You can find the role definition here:

However, as said in the docs, it is not recommended to redefine such roles, as they may change and will give you thus a constant maintenance burden.

Thanks, looks like I need to add SGS_PERSONAL_SESSIONS to the roles we use for people using Kibana.

Vendor recommendations and customer requirements are not always compatible. :wink: As of Kibana 8 Elastic have removed the kibana.index setting, which totally breaks our current way of doing Kibana where each team has it’s own Kibana instance which only they can use. So my intention is to upgrade to Search Guard FLX and then look at changing everything about how we do Kibana. As part of that I’ll look at making more use of the static roles. A quick look at it makes me think we could give all users who need Kibana access SGS_KIBANA_USER_NO_GLOBAL_TENANT plus an additional role which gives them permissions to their team’s indices.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.