Starting from Elastic 6.8, the core security features are available with the Basic License (previously, they required a paid Gold subscription), including:
- TLS for encrypted communications
- File and native realm for creating and managing users
- Role-based access control for controlling user access to cluster APIs and indexes; also allows multi-tenancy for Kibana with security for Kibana Spaces
If you're using Kibana on Saagie, you can benefit from these features and now segregate access to your ES indices or Kibana Dashboards with roles.
Configuring Elasticsearch
If your Elasticsearch version is >= 6.8, your ES cluster is already configured with the default security configuration (using the native realm). Your platform admin should have the password for the built-in elastic user (see here for more details), which is the superuser that can manage users and roles.
You can deploy Kibana on Saagie through a Smart App.
Before doing so, make sure you have the following environment variables configured:
- $ELASTICSEARCH_USERNAME : kibana
- $ELASTICSEARCH_PASSWORD : <ask your admin for the kibana user password>
Also make sure to use an official Kibana Docker image >= 6.8 (e.g. docker.elastic.co/kibana/kibana:6.8.1).
Managing Users and Roles
To configure users and roles in the Elastic suite, you can use either the Elastic Security API or Kibana. We recommend the second option, which is easier and more visual.
Kibana security screen
To make Kibana show the security screen under the Management console, you need to set the xpack.security.enabled option to true. To do that, create the following environment variable in Saagie and start/restart your Kibana Smart App:
- $XPACK_SECURITY_ENABLED : true
Then you can connect to Kibana using the elastic superuser.
Managing Kibana Spaces
Starting from version 6.5, Kibana introduces the Spaces feature which, paired with the RBAC feature, allows you to specify which users/roles have access to the different spaces, and to define your own visualisations and dashboards inside each space.
Let's say I've created some monitoring visualizations and I want to create some dashboards within Kibana to which only a specific set of users would be granted read-only access. These users won't have access to anything else in Kibana. I also want to create a user that will ingest metrics into Elasticsearch but won't be able to connect to Kibana.
For that I need:
- A monitoring_writer role with full access to the monitoring index in ES
- An Elastic user with the monitoring_writer role
- A Kibana space called Monitoring
- A monitoring_reader role that grants read-only access to the Monitoring space and the monitoring ES index, and nothing else
- A Kibana user with the monitoring_reader role
- To import my dashboards inside the Monitoring space
- Reconnect to Kibana with the monitoring_viewer user and have a look at your dashboards inside the Monitoring space!
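The same checklist can be scripted against the APIs instead of the Kibana screens. The following is an added example, not part of the original page: it builds the calls in checklist order and checks the role bodies for excess privileges before anything is sent. The index pattern monitoring*, the space id monitoring, the user name metrics_ingest and the host names are assumptions; the paths and the Kibana role body are the 6.x forms.

```python
import base64, json, urllib.request

INDEX = "monitoring*"  # assumption: index pattern holding the monitoring data
SPACE = "monitoring"   # assumption: id given to the "Monitoring" space

def build_requests(es, kibana, writer_pw, viewer_pw):
    """Ordered (method, url, body) calls matching the checklist above."""
    sec = es + "/_xpack/security"  # 6.x path; 7.x and later use /_security
    return [
        ("PUT", sec + "/role/monitoring_writer",
         {"indices": [{"names": [INDEX], "privileges": ["all"]}]}),
        ("PUT", sec + "/user/metrics_ingest",  # hypothetical ingest user name
         {"password": writer_pw, "roles": ["monitoring_writer"]}),
        ("POST", kibana + "/api/spaces/space", {"id": SPACE, "name": "Monitoring"}),
        ("PUT", kibana + "/api/security/role/monitoring_reader",
         {"elasticsearch": {"indices": [{"names": [INDEX], "privileges": ["read"]}]},
          "kibana": {"global": [], "space": {SPACE: ["read"]}}}),
        ("PUT", sec + "/user/monitoring_viewer",
         {"password": viewer_pw, "roles": ["monitoring_reader"]}),
    ]

def least_privilege_issues(requests):
    """Return findings for role bodies that grant more than the scenario needs."""
    issues = []
    for _, url, body in (r for r in requests if "/role/" in r[1]):
        name = url.rsplit("/", 1)[1]
        es = body.get("elasticsearch", body)  # the Kibana API nests the ES section
        kib = body.get("kibana", {})
        if es.get("cluster"):
            issues.append(name + ": cluster privileges granted")
        for entry in es.get("indices", []):
            if set(entry["names"]) & {"*", "_all"}:
                issues.append(name + ": privileges on every index")
            if name.endswith("_reader") and set(entry["privileges"]) - {"read"}:
                issues.append(name + ": more than read on " + ",".join(entry["names"]))
        if kib.get("global") or any(s != SPACE or set(p) - {"read"} for s, p in kib.get("space", {}).items()):
            issues.append(name + ": Kibana access beyond read in the " + SPACE + " space")
    return issues

def apply(requests, admin_user, admin_pw):  # sends the calls with basic auth
    token = base64.b64encode(f"{admin_user}:{admin_pw}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "kbn-xsrf": "true", "Content-Type": "application/json"}
    for method, url, body in requests:
        req = urllib.request.Request(url, json.dumps(body).encode(), headers, method=method)
        with urllib.request.urlopen(req) as resp:
            print(method, url, resp.status)

if __name__ == "__main__":  # dry run against constructed host names, nothing is sent
    plan = build_requests("https://es.example:9200", "https://kibana.example:5601", "<writer-pw>", "<viewer-pw>")
    print([m + " " + u for m, u, _ in plan], least_privilege_issues(plan))
```

Call apply(plan, "elastic", <password>) only once least_privilege_issues(plan) returns an empty list, and supply the passwords from a secret store rather than the script.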