tl;dr: Update your roles to not have direct access to the .kibana* indices -- this isn't needed anymore.
You're right, we use a single Kibana index for all spaces. The work we completed with RBAC Phase 1 was a prerequisite for us to complete spaces, and it allows us to no longer require users to have direct access to the .kibana index.
In other words, if you update your end-user roles to no longer have read/write access to .kibana*, then you can achieve the security you're looking for.
You'll also notice that the built-in kibana_user and kibana_dashboard_only_user roles still have direct access to .kibana. This was done to simplify upgrade scenarios for the remainder of 6.x, and is known as our Legacy Fallback mechanism.
Kibana version: 6.5
Elasticsearch version: 6.5
Describe the bug:
When a user is authorized to write in a Kibana space, he can write in other spaces, using Dev Tools.
That is a big security problem.
Steps to reproduce:
GET .kibana/_search
=> I get all documents whatever the space
Expected behavior:
read and write access to other spaces should be blocked for my user
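
One way to check which roles still grant direct access to the `.kibana*` indices, as the reply recommends removing. This is an added example, not code from the thread or from Elastic; the role names, the sample data and the `.kibana_1` probe name are constructed, and the input is assumed to follow the shape Elasticsearch uses for role definitions.

```python
import re

# Concrete index names used to probe each pattern. ".kibana" is from the
# thread; ".kibana_1" is an assumed example of a name matched by ".kibana*".
KIBANA_INDICES = (".kibana", ".kibana_1")

# Constructed sample: role name -> definition with "indices" grants.
SAMPLE_ROLES = {
    "marketing_legacy": {"indices": [
        {"names": ["logs-*"], "privileges": ["read"]},
        {"names": [".kibana*"], "privileges": ["read", "write"]}]},
    "marketing_space_only": {"indices": [
        {"names": ["logs-*"], "privileges": ["read"]}]},
    "analyst_wildcard": {"indices": [
        {"names": ["*"], "privileges": ["read"]}]},
    "ops_regex": {"indices": [
        {"names": [r"/\.kib.*/"], "privileges": ["all"]}]},
}

def pattern_covers(pattern, index):
    """True/False for wildcard patterns; None for /regex/ patterns."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return None  # regex syntax is not evaluated here: review by hand
    # Index patterns use "*" (any run of characters) and "?" (one character).
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, index) is not None

def audit_roles(roles):
    """List (role, pattern, status, privileges) for grants reaching .kibana*."""
    findings = []
    for role, definition in sorted(roles.items()):
        for grant in definition.get("indices", []):
            for pattern in grant.get("names", []):
                hits = [pattern_covers(pattern, i) for i in KIBANA_INDICES]
                if any(h is None for h in hits):
                    status = "review"         # regex pattern, check manually
                elif any(hits):
                    status = "direct-access"  # bypasses space authorization
                else:
                    continue
                privileges = sorted(grant.get("privileges", []))
                findings.append((role, pattern, status, privileges))
    return findings

if __name__ == "__main__":
    for role, pattern, status, privileges in audit_roles(SAMPLE_ROLES):
        print(f"{status:14} {role:20} {pattern:12} {','.join(privileges)}")
```

Broad patterns such as `*` are flagged as well, because they cover `.kibana` just as an explicit `.kibana*` grant does.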