The new Search Guard version requires that users who shall be allowed to log into Kibana have a certain privilege.
Can someone tell me what that certain privilege is?
Where can I see the definition of SGS_KIBANA_USER in human-readable form?
In our environment we don’t have all the users that need to use Kibana mapped to the SGS_KIBANA_USER role. The roles we use with Search Guard 7 for people who need to use Kibana were originally made by looking at the sg_kibana_user role in Search Guard 6 and making modifications as appropriate to our environment. (Each team uses its own Kibana instance and we do not want teams to have permissions on all Kibana indices, for example.) But in Search Guard 6 the sg_kibana_user is defined in sg_roles.yml, so one can simply look at that file to see what permissions it provides. By contrast, in later versions of Search Guard SGS_KIBANA_USER isn’t defined in sg_roles.yml or anywhere else it can be found with grep.
Thanks, looks like I need to add SGS_PERSONAL_SESSIONS to the roles we use for people using Kibana.
Vendor recommendations and customer requirements are not always compatible. As of Kibana 8 Elastic have removed the kibana.index setting, which totally breaks our current way of doing Kibana where each team has its own Kibana instance which only they can use. So my intention is to upgrade to Search Guard FLX and then look at changing everything about how we do Kibana. As part of that I’ll look at making more use of the static roles. A quick look at it makes me think we could give all users who need Kibana access SGS_KIBANA_USER_NO_GLOBAL_TENANT plus an additional role which gives them permissions to their team’s indices.