Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control - Elasticsearch

If you want to grant access permissions on items such as clusters, indexes, and fields, you can use the role-based access control (RBAC) mechanism that is provided by the X-Pack plug-in of Elasticsearch. This mechanism allows you to grant permissions to custom roles and assign the roles to users to implement access control. Elasticsearch provides a variety of built-in roles. You can create custom roles based on the built-in roles to meet your business requirements. This topic describes how to create and configure a custom role to implement access control.

Background information

Elasticsearch supports the RBAC mechanism that is provided by the X-Pack plug-in. For more information, see User authorization.
Elasticsearch supports various security authentication features. For more information, see Identity authentication and authorization in Elasticsearch.

Procedure

Note This topic provides the operations on a V6.7 cluster and operations on a V7.X cluster. Operations on clusters of other versions may differ. The actual operations in the console prevail.

Create a role.

Log on to the Kibana console and go to the Kibana homepage as prompted.
For more information, see Log on to the Kibana console.
Go to the configuration management page.
- V6.7 cluster: In the left-side navigation pane, click Management.
- V7.X cluster: Click the icon in the upper-left corner and choose Management > Stack Management.
In the Security section, click Roles.

In the Roles section, click Create role. Then, configure the following parameters.


Parameter	Description
Role name	The name of the role.
Cluster privileges	The operation permissions on the cluster, such as the permissions to view the health status and settings of the cluster and the permission to create snapshots. For more information, see Cluster privileges.
Run As privileges	The user who assumes the role. This parameter is optional. If you do not configure this parameter, you can assign the role to a user when you create the user. For more information, see Create a user.
Index privileges	The operation permissions on indexes. For example, if you want to grant the role the read-only permissions on all fields in all indexes, set the Indices parameter to an asterisk () and the Privileges parameter to read. You can set the Indices parameter to an asterisk or regular expression. For more information, see Indices privileges. When you configure the Index privileges parameter, you need to configure the following parameters: Indices: the index pattern, such as heartbeat-. Note If no index patterns are available, click Index Pattern in the Kibana section of the Management page and create an index pattern as prompted. Privileges: the permissions that you want to grant to the role. Granted fields (optional): the fields on which you want to grant permissions. This parameter is optional.
Kibana privileges	The operation permissions on Kibana. Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

When you create a role, you must grant permissions to the role. In this example, the following permissions are granted:

Read-only permissions on a specific index. In this case, the user that assumes the role can only be used to access the index and cannot be used to perform other operations.
For more information, see Configure read-only permissions on indexes.
Permissions to view all or some dashboards.
For more information, see Configure operation permissions on dashboards.
Read and write permissions on some indexes and read-only permissions on the cluster, such as the permissions to view cluster health status, snapshots, and index settings, write data to indexes, or update index mappings.
For more information, see Configure read and write permissions on indexes and read-only permissions on your cluster.
Read-only permissions on the Discover page of the Kibana console and read-only permissions on a specific index. In this case, the user that assumes the role can be used to view the data in the index on the Discover page.
For more information, see Configure read-only permissions on the Discover page and a specific index.
Permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents. In addition, permissions to log on to the Kibana console are revoked.
For more information, see Configure permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents.

Click Create role.

Create a user and assign the role to the user.

Go to the configuration management page.
- V6.7 cluster: In the left-side navigation pane, click Management.
- V7.X cluster: Click the icon in the upper-left corner and choose Management > Stack Management.
In the Security section, click Users.

In the upper-right corner of the Users section, click Create new user. Then, configure the following parameters.


Parameter	Description
Username	The username, which is used to log on to the Kibana console. Specify a username based on your business requirements.
Password	The password of the user, which is used to log on to the Kibana console. Specify a username based on your business requirements.
Confirm password	The value must be the same as that of the Password parameter.
Full name	The full name of the user. Specify a full name based on your business requirements.
Email address	The email address of the user.
Roles	The role that you want to assign to the user. You can specify one or more roles. The roles can be built-in or custom roles. Important If you specify a user when you create a role, you still need to specify this parameter. Otherwise, an error is reported when you log on to the Kibana console as the user.

Click Create user.

Log on to the Kibana console as the user and perform operations to check whether the user has the related permissions.

Configure read-only permissions on indexes

Scenario

Grant the read-only permissions on a specific index to a common user. In this case, the user can be used to query data from the index in the Kibana console but cannot access clusters.

Role configuration

Table 1. Permission description
Permission type	Permission key	Permission value	Description
Index privileges	indices	kibana_sample_data_logs	The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
	privileges	read	The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
	Granted fields (optional)	*	The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges	privileges	read	The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

Log on to the Kibana console as the common user and run an index read command. The system returns results as expected.
```
GET /kibana_sample_data_logs/_search
```
Run an index write command. The system returns an error message. The message indicates that the user is not authorized to perform write operations.
```
POST /kibana_sample_data_logs/_doc/1
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}
```

Configure operation permissions on dashboards

Scenario

Grant the read-only permissions on a specific index and the permissions to view the dashboards for the index to a common user.

Role configuration

When you create the user, assign the read-index and kibana_dashboard_only_user roles to the user. Role configuration

read-index: a custom role. You must manually create the role. This role has read-only permissions on the specific index.
kibana_dashboard_only_user: a Kibana built-in role. This role has the permissions to view the dashboards for the index.
Note
- In Kibana V7.0 and later, the kibana_dashboard_only_user role is deprecated. If you want to view the dashboards for a specific index, you need to only configure the read-only permissions on the index. For more information, see Configure read-only permissions on indexes.
- The kibana_dashboard_only_user role can be used with custom roles in various scenarios. If you want to configure the Dashboards only roles feature only for a custom role, perform the following steps: In the Kibana section of the Management page, click Advanced Settings. Then, in the Dashboard section of the page that appears, set the Dashboards only roles parameter to the custom role. The default value of this parameter is kibana_dashboard_only_user.

Verification

Log on to the Kibana console as the common user and view the dashboards for the specific index. View dashboards

Configure read and write permissions on indexes and read-only permissions on your cluster

Scenario

Grant the read, write, and delete permissions on specific indexes and the read-only permissions on your cluster and Kibana to a common user.

Role configuration

Read and write permissions on indexes and read-only permissions on a cluster

Table 2. Permission description
Permission type	Permission key	Permission value	Description
Cluster privileges	cluster	monitor	The read-only permissions on the cluster, such as the permissions to view the running status, health status, hot threads, node information, and blocked tasks of the cluster.
Index privileges	indices	heartbeat-,library	The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see roles-indices-privileges.
	privileges	read	The read-only permissions on the indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
		create_index	The permission to create indexes. If you want to specify an alias for an index when you create the index as the user, you must grant the manage permission to the user. Important The alias must meet the matching rules that are defined by the Indices parameter.
		view_index_metadata	The read-only permissions on index metadata. The permissions include the permissions to call the following APIs: aliases, aliases exists, get index, exists, field mappings, mappings, search shards, type exists, validate, warmers, settings, and ilm.
		write	The permission to perform all write operations on documents. The operations include mapping updates and the operations that are performed by calling the index, update, delete, or bulk API. The write permission involves more operation permissions than the create and index permissions.
		monitor	The permission to monitor all operations. The operations include the operations that are performed by calling the index recovery, segments info, index stats, or status API.
		delete	The permission to delete documents.
		delete_index	The permission to delete indexes.
	granted fields	*	The fields on which you want to grant permissions. The value * indicates all fields.
Kibana privileges	privileges	read	The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

Log on to the Kibana console as the common user and run the following commands. The system returns results as expected. Verification

View the details about indexes in the cluster
```
GET /_cat/indices?v
```
View the status of the cluster
```
GET /_cluster/stats
```
Query data in the product_info index
```
GET /product_info/_search
```
Query data in the product_info1 index
```
GET /product_info1/_search
```

Use a POST request to write data to the kibana_sample_data_logs index

POST /kibana_sample_data_logs/_doc/2
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}

Use a PUT request to write data to the product_info2 index

PUT /product_info2/_doc/1
{
    "productName": "testpro",
    "annual_rate": "3.22%",
    "describe": "testpro"
}

Delete the product_info index
```
DELETE product_info
```

Configure read-only permissions on the Discover page and a specific index

Scenario

Grant the read-only permissions on the Discover page of the Kibana console and the read-only permissions on a specific index to a common user. This way, the user can be used to view the data in the index on the Discover page.

Role configuration

Read-only permissions on the Discover page and a specific index

Table 3. Permission description
Permission type	Permission key	Permission value	Description
Cluster privileges	Privileges	monitor	The read-only permissions on your cluster, such as the permissions to view the running status, health status, hot threads, node information, node and cluster statistics, and blocked tasks of the cluster.
Index privileges	Indices	kibana_sample_data_ecommerce	The name of the index. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
	Privileges	read	The read-only permissions on the index. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
	Granted fields (optional)	*	The fields on which you want to grant permissions. The value `*` indicates all fields.
Kibana privileges	Privileges	read	The read-only permissions on Kibana. The permissions are granted to all spaces. Default value: none. This value indicates that no spaces are authorized to access Kibana. Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space. For example, when you assign the read-only permissions on the Discover page of the Kibana console, you must specify a Kibana space.

Verification

Log on to the Kibana console as the common user and view the data in the index on the Discover page. View index data on the Discover page

Configure permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents

Scenario

Grant the permissions to create and delete indexes, modify index configurations, and add, remove, modify, and query documents to a common user. In addition, prohibit the user from logging on to the Kibana console.

Role configuration

Table 4. Permission description
Permission type	Permission key	Permission value	Description
Index privileges	Indices	test*	The names of the indexes. You can specify a full index name, alias, wildcard, or regular expression. For more information, see Indices privileges.
	Privileges	create_index	The permission to create indexes. If you want to specify an alias for an index when you create the index as the user, you must grant the manage permission to the user.
		delete_index	The permission to delete indexes.
		index	The permission to index documents, update documents, and update index mappings.
		delete	The permission to delete documents.
		read	The read-only permissions on indexes. The read-only permissions include the permissions to call the count, explain, get, mget, scripts, search, and scroll APIs. For more information, see privileges-list-indices.
		manage	The permission to manage indexes. The management operations that you can perform include the operations that are performed by calling the aliases, analyze, cache clear, close, delete, exists, flush, mapping, open, force merge, refresh, settings, search shards, templates, or validate API.
	Granted fields (optional)	*	The fields on which you want to grant permissions. The value `*` indicates all fields.
Kibana privileges	Privileges	none	The default value of this parameter is none. This value indicates that no spaces are authorized to access Kibana. Important Versions earlier than Kibana V7.0 support only base privileges. Kibana V7.0 and later support base privileges and feature privileges. After you assign a base privilege to a role, the role has access permissions on all Kibana spaces. After you assign a feature privilege to a role, the role has access permissions only on a specific feature. When you assign a feature privilege, you must specify a Kibana space.

Verification

Access your cluster, create an index in the cluster, and delete the index.
Modify the configurations of an index. In this example, the data in the index is specified as cold data.
Add, remove, modify, and query documents.
Log on to the Kibana console.
The system prompts that the user does not have the required permissions.