Creating a new role

To create a new role, navigate to the Management UI and select Roles in the Security section, or if you are currently on the Users screen, click on the Roles tab. The Roles screen displays all the roles that are defined/available. By default, it displays the built-in/reserved roles that are part of the X-Pack security native realm.

X-Pack security also provides a set of built-in roles that can be assigned to users. These roles are reserved and the privileges associated with these roles cannot be updated. Some of the built-in roles are as follows:

  • kibana_system: This role grants the necessary access to read from and write to Kibana indexes, manage index templates, and check the availability of the Elasticsearch cluster. This role also grants read access for monitoring (.monitoring-*) and read-write access to reporting (.reporting-*) indexes. The default user, kibana, has these privileges.
  • superuser: This role grants access for performing all operations on clusters, indexes, and data. This role also grants rights to create/modify users or roles. The default user, elastic, has superuser privileges.
  • ingest_admin: This role grants permissions so that you can manage all pipeline configurations and all index templates.
To find the complete list of built-in roles and their descriptions, please refer to https://www.elastic.co/guide/en/x-pack/master/built-in-roles.html.

Users with the superuser role can create custom roles and assign them to the users using the Kibana UI.

Let's create a new role with a Cluster privilege called monitor and assign it to user1 so that the user can perform read-only cluster operations such as cluster state, cluster health, nodes info, nodes stats, and more.

Click on the Create role button in the Roles page/tab and fill in the details that are shown in the following screenshot:

To assign the newly created role to user1, click on the Users tab and select user1. In the User Details page, from the roles dropdown, select the monitor_role role and click on the Save button, as shown in the following screenshot:

A user can be assigned multiple roles.

Now, let's validate that user1 can access some cluster/node details APIs:

curl -u user1:password "http://localhost:9200/_cluster/health?pretty"
{
  "cluster_name" : "elasticsearch",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 5,
  "active_shards" : 5,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 2,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 71.42857142857143
}

Let's also execute the same command as user2, which we created without assigning any roles to it, and see the difference:

curl -u user2:password "http://localhost:9200/_cluster/health?pretty"
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [cluster:monitor/main] is unauthorized for user [user2]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [cluster:monitor/main] is unauthorized for user [user2]"
  },
  "status" : 403
}
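
The two curl checks above can be turned into a repeatable role-assignment audit. The following is an added example, not code from the book: the function names (probe, classify, audit) are hypothetical, and the sample responses are constructed by abbreviating the two outputs shown above. It treats only a 403 security_exception as an authorization denial, so a wrong password (401) is not mistaken for a correctly restricted user.

```python
import base64, json, re, urllib.error, urllib.request

# Constructed samples, abbreviated from the two responses shown above.
SAMPLES = {
    "user1": (200, '{"cluster_name": "elasticsearch", "status": "yellow"}'),
    "user2": (403, '{"error": {"type": "security_exception", "reason": '
                   '"action [cluster:monitor/main] is unauthorized for user [user2]"},'
                   ' "status": 403}'),
}
DENIED = re.compile(r"action \[(.+?)\] is unauthorized for user \[(.+?)\]")

def probe(user, password, url="http://localhost:9200/_cluster/health"):
    """Live check (needs a running node): return (status, body), also on 4xx."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def classify(status, body):
    """Return (allowed, denied_action); denied_action is None when allowed."""
    if status == 200:
        return True, None
    err = json.loads(body).get("error", {})
    if status == 403 and err.get("type") == "security_exception":
        m = DENIED.search(err.get("reason", ""))
        return False, m.group(1) if m else None
    # 401, 5xx, etc. say nothing about role privileges; fail loudly instead.
    raise ValueError(f"unexpected response {status}: not an authorization result")

def audit(expected, responses):
    """Compare expected {user: allowed} with responses; return the mismatches."""
    problems = []
    for user, should_allow in sorted(expected.items()):
        allowed, action = classify(*responses[user])
        if allowed != should_allow:
            problems.append((user, should_allow, allowed, action))
    return problems

if __name__ == "__main__":
    # monitor_role is assigned to user1 only, so user2 must be rejected.
    print(audit({"user1": True, "user2": False}, SAMPLES))
```

Against a running node, replace SAMPLES with {user: probe(user, password)} for each account under test; an empty list means the observed access matches the intended role assignments.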