ReadonlyREST
Portal
develop
develop
  • README
  • For Elasticsearch
    • Audit configuration
    • External to local groups mapping
    • FIPS mode
    • FLS engine
    • indices rule - Index not found scenario
    • indices rule - ES Templates handling
  • For Kibana
    • Impersonation (Enterprise)
    • Kibana 7.8.x and older
    • ReadonlyREST API
  • For ECK
  • Universal Builds
  • Examples
    • Multi-tenancy Elastic Stack (Enterprise)
    • Multi-user Elastic Stack (PRO)
    • SAML SSO (Enterprise)
      • Keycloak
      • Microsoft Azure AD
      • Microsoft ADFS
      • Duo Security MFA
    • OpenID Connect (OIDC) (Enterprise)
      • Keycloak
    • Impersonation (Enterprise)
      • Creating Test Settings
      • Defining external services mock configurations
      • Impersonating users
    • ROR cluster with Elastic Cloud integration
      • Docker-based playground
      • Configuration details
    • Custom middleware (Enterprise)
      • Enriching the metadata
      • Reject machine-to-machine traffic using custom metadata ACL rules
      • Reordering available tenancies
      • Available rorRequest API
      • Secure Logstash
      • Secure Metricbeat
  • Contribution License Agreement
  • Commercial Licenses
  • Changelog
Powered by GitBook
On this page
  • Users and capabilities
  • Before you start
  • Setup: the Elasticsearch side
  • Setup: the Kibana side
  • Running
  • Logging in

Was this helpful?

Edit on GitHub
  1. Examples

Multi-user Elastic Stack (PRO)

PreviousMulti-tenancy Elastic Stack (Enterprise)NextSAML SSO (Enterprise)

Last updated 6 months ago

Was this helpful?

()

This document will guide you through setting up your Elasticsearch and Kibana stack with ReadonlyREST such that:

  • 3 users will be able to login into Kibana using their own set of credentials

  • All users will see the same Kibana dashboards, but may be seeing different subsets of the whole data contained in Elasticsearch.

Users and capabilities

For this tutorials, we want to have three users, each of them has a distinct access level to a shared Kibana tenancy (set of dashboards and settings).

"admin"
"rw_usr"
"ro_usr"

Can create, edit, delete dashboards

✅

✅

Can change Kibana settings

✅

✅

Only sees logstash data from 2019

✅

Can see "add", "delete", "edit" buttons

✅

✅

"dev-tools" Kibana App is hidden

✅

✅

"readonlyrest" Kibana App is hidden

✅

NB: ReadonlyREST for Elastisearch and ReadonlyREST PRO for Kibana have an great amount of features like groups, connector for external systems like LDAP, etc. Don't forget to visit the full documentation and the forum to know more about it. NB: This guide works with ROR Enterprise as well.

Before you start

For the scope of this guide, we will assume:

  • You will have a functioning installation of Elasticsearch and Kibana

  • You have

  • You have

Setup: the Elasticsearch side

On the same directory with your elasticsearch.yml (default: config/, create a file called readonlyrest.yml and write the following settings into it.

readonlyrest:

    access_control_rules:

    #########################################################
    # These credentials shall be used by the logstash daemon.
    #########################################################  
    - name: "::LOGSTASH::"
      auth_key: logstash:logstash
      actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["*logstash-*"]


    #####################################################################################
    # These credentials have no limitations, and shall be used only by the Kibana deamon.
    #####################################################################################
    - name: "::KIBANA-SRV::"
      auth_key: kibana:kibana

    #######################
    # Actual human users...
    #######################
    - name: "::RO::"
      auth_key: ro_usr:dev
      indices: ["logstash-2019*"] # <--- can see only data from 2019
      kibana:
        access: ro
        hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::RW::"
      auth_key: rw_usr:dev
      indices: ["logstash-*"]
      kibana:
        access: rw
        hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]

    - name: "::ADMIN::"
      auth_key: admin_usr:dev
      indices: ["logstash-*"]
      kibana:
        access: admin

Setup: the Kibana side

With ROR, we try as much as possible to keep all the settings withing the Elasticsearch domain. Therefore, you'll notice how few settings are needed on the Kibana side, apart from actually installing the plugin.

Open up config/kibana.yml and add/edit the following settings:

# Kibana server use ::KIBANA-SRV:: credentials
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

# ReadonlyREST required properties
readonlyrest_kbn.cookiePass: '12312313123213123213123abcdefghijklm'

Running

Fire up Elasticsearch

$ bin/elasticsearch

And then Kibana

$ bin/kibana

Logging in

Now you are ready to point your browser to the Kibana server IP (defaulting on port 5601) and you should see a login prompt. You can login as any user i.e. "rw_usr", or "admin" and the password is always "dev".

Just remember to login with a RW user first, so Kibana can create its own default settings.

If you don't have the ROR (or ) plugin for Kibana, get yourself a two weeks free trial build

PRO
installed the ROR plugin for Elasticsearch
installed the ROR PRO/Enterprise plugin for Kibana
PRO
Enterprise