New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support "View Dashboards Only mode" #48

Closed
rmcapote opened this Issue Dec 5, 2017 · 28 comments

Comments

Projects
None yet
8 participants
@rmcapote

rmcapote commented Dec 5, 2017

Hi,

I am enjoying using Search Guard v.6 (beta). Nice work!
I am wondering if the next version will support the "Kibana dashboard only mode" or if it is already supported and I missed how to configure it.

Regards,

@floragunncom

This comment has been minimized.

Show comment
Hide comment
@floragunncom

floragunncom Dec 13, 2017

Owner

this is planned and we are aware of it, thx

Owner

floragunncom commented Dec 13, 2017

this is planned and we are aware of it, thx

@rmcapote

This comment has been minimized.

Show comment
Hide comment
@rmcapote

rmcapote Dec 14, 2017

Ok ;) Thank you for your reply!

rmcapote commented Dec 14, 2017

Ok ;) Thank you for your reply!

@jochenkressin

This comment has been minimized.

Show comment
Hide comment
@jochenkressin

jochenkressin Feb 11, 2018

Collaborator

We started working on this.

Collaborator

jochenkressin commented Feb 11, 2018

We started working on this.

@marcosbis

This comment has been minimized.

Show comment
Hide comment
@marcosbis

marcosbis Feb 27, 2018

Have you got any updates on this feature ?
Thanks

marcosbis commented Feb 27, 2018

Have you got any updates on this feature ?
Thanks

@jochenkressin

This comment has been minimized.

Show comment
Hide comment
@jochenkressin

jochenkressin Feb 27, 2018

Collaborator

We're working on this currently, should not be long until release.

Collaborator

jochenkressin commented Feb 27, 2018

We're working on this currently, should not be long until release.

@sanky186

This comment has been minimized.

Show comment
Hide comment
@sanky186

sanky186 Mar 21, 2018

By when is the release expected ? Or is it out already ?

sanky186 commented Mar 21, 2018

By when is the release expected ? Or is it out already ?

@floragunncom

This comment has been minimized.

Show comment
Hide comment
@floragunncom

floragunncom Mar 21, 2018

Owner

very likely next week

Owner

floragunncom commented Mar 21, 2018

very likely next week

@sanky186

This comment has been minimized.

Show comment
Hide comment
@sanky186

sanky186 Apr 2, 2018

Hi Team, is the update containing readonly mode out ?

sanky186 commented Apr 2, 2018

Hi Team, is the update containing readonly mode out ?

@jochenkressin

This comment has been minimized.

Show comment
Hide comment
@jochenkressin

jochenkressin Apr 3, 2018

Collaborator

Added in Search Guard v22 and Kibana Plugin v11: https://docs.search-guard.com/latest/changelog-6-x-22

Collaborator

jochenkressin commented Apr 3, 2018

Added in Search Guard v22 and Kibana Plugin v11: https://docs.search-guard.com/latest/changelog-6-x-22

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 21, 2018

Hi ,

Is there any documentation on how to setup the dashboard only mode through searchgaurd.

iahmad-khan commented Apr 21, 2018

Hi ,

Is there any documentation on how to setup the dashboard only mode through searchgaurd.

@sanky186

This comment has been minimized.

Show comment
Hide comment
@sanky186

sanky186 Apr 21, 2018

Yes it has been updated in the documentation

sanky186 commented Apr 21, 2018

Yes it has been updated in the documentation

@sanky186

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 21, 2018

got it , thanks

iahmad-khan commented Apr 21, 2018

got it , thanks

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 21, 2018

hi , do we need to define those roles in searchguard config or only in kiaban.yml? or both?
I know the mapping needs to be done , but do we just need to declare the read only role in kibana yml file or also we need to first make that role in searchguard config?

iahmad-khan commented Apr 21, 2018

hi , do we need to define those roles in searchguard config or only in kiaban.yml? or both?
I know the mapping needs to be done , but do we just need to declare the read only role in kibana yml file or also we need to first make that role in searchguard config?

@sanky186

This comment has been minimized.

Show comment
Hide comment
@sanky186

sanky186 Apr 21, 2018

Only Kibana yaml. you can add existing users to the Kibana yaml . And, they will turn read-only in Kibana
Read-only rules in search guard are not for Kibana , they are for elastic.

sanky186 commented Apr 21, 2018

Only Kibana yaml. you can add existing users to the Kibana yaml . And, they will turn read-only in Kibana
Read-only rules in search guard are not for Kibana , they are for elastic.

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 21, 2018

but the documentation says nothing about users , it says about roles , so we can put roles in kibana yaml and then in searchguard config assign those roles to users?

iahmad-khan commented Apr 21, 2018

but the documentation says nothing about users , it says about roles , so we can put roles in kibana yaml and then in searchguard config assign those roles to users?

@mgustafsson1

This comment has been minimized.

Show comment
Hide comment
@mgustafsson1

mgustafsson1 Apr 21, 2018

Collaborator

Yes, you can define one or more read only roles in kibana.yml and then, in the config, make sure to assign one of those roles to the user(s) that should only be able to see the dashboard.
You could for example create a "sg_read_only" role and map it to any given user.

Collaborator

mgustafsson1 commented Apr 21, 2018

Yes, you can define one or more read only roles in kibana.yml and then, in the config, make sure to assign one of those roles to the user(s) that should only be able to see the dashboard.
You could for example create a "sg_read_only" role and map it to any given user.

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 21, 2018

hi ,

its not working in my case:

in kibana.yml

searchguard.readonly_mode.roles: ["sg_readonly1"]

in sg_internal_users file:

readall:
hash: ycwzwvLtZxwZ82RmiEunBbIPiAmGZduB
roles:
- sg_readonly1

iahmad-khan commented Apr 21, 2018

hi ,

its not working in my case:

in kibana.yml

searchguard.readonly_mode.roles: ["sg_readonly1"]

in sg_internal_users file:

readall:
hash: ycwzwvLtZxwZ82RmiEunBbIPiAmGZduB
roles:
- sg_readonly1

@floragunncom

This comment has been minimized.

Show comment
Hide comment
@floragunncom

floragunncom Apr 21, 2018

Owner

"roles:

  • sg_readonly1"

This is a backend role, not a Search Guard role. You need to use the roles_mapping.yml to map a user or a backend role to a Search Guard role:

https://docs.search-guard.com/latest/mapping-users-roles

Use the authinfo endpoint to check the Search Guard roles of a user:

https://docs.search-guard.com/latest/demo-installer#testing-the-elasticsearch-installation

Owner

floragunncom commented Apr 21, 2018

"roles:

  • sg_readonly1"

This is a backend role, not a Search Guard role. You need to use the roles_mapping.yml to map a user or a backend role to a Search Guard role:

https://docs.search-guard.com/latest/mapping-users-roles

Use the authinfo endpoint to check the Search Guard roles of a user:

https://docs.search-guard.com/latest/demo-installer#testing-the-elasticsearch-installation

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 22, 2018

iahmad-khan commented Apr 22, 2018

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 23, 2018

@mgustafsson1 can you please write it step by step , what I did like this , but did not work:

  1. created a readonly role in kibana yml
  2. create a user in sg_internal users file
  3. mapped the user to the read only kiabana role in sg_role_mapping

result;
the user can login but cant see/view anything.

iahmad-khan commented Apr 23, 2018

@mgustafsson1 can you please write it step by step , what I did like this , but did not work:

  1. created a readonly role in kibana yml
  2. create a user in sg_internal users file
  3. mapped the user to the read only kiabana role in sg_role_mapping

result;
the user can login but cant see/view anything.

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan Apr 30, 2018

hi ,

any update?

Actually I want to hide all the controls on the kibana interface and let the users view the current dashboards only , is it possible with searchguard enterprise? and how to configure it.

iahmad-khan commented Apr 30, 2018

hi ,

any update?

Actually I want to hide all the controls on the kibana interface and let the users view the current dashboards only , is it possible with searchguard enterprise? and how to configure it.

@floragunncom

This comment has been minimized.

Show comment
Hide comment
@floragunncom
Owner

floragunncom commented May 3, 2018

@jochenkressin @mgustafsson1 can you have a look?

@jochenkressin

This comment has been minimized.

Show comment
Hide comment
@jochenkressin

jochenkressin May 4, 2018

Collaborator

Re-tested the dashboard mode, and everything seems to work as expected.

So to troubleshoot, I would suggest the following:

  • Use a vanilla installation of Search Guard first, don't change any default users or roles
  • Add the default sg_kibana_user user as readonly to kibana.yml:

searchguard.readonly_mode.roles: ["sg_kibana_user"]

  • Restart Kibana and log in with kibanaro/kibanaro

This should give you the readonly mode. If this works, then you can try to apply it to your own roles, but please try this vanilly approach first.

The dashboard only mode is not an Enterprise feature, it should also work in the Community Version.

Collaborator

jochenkressin commented May 4, 2018

Re-tested the dashboard mode, and everything seems to work as expected.

So to troubleshoot, I would suggest the following:

  • Use a vanilla installation of Search Guard first, don't change any default users or roles
  • Add the default sg_kibana_user user as readonly to kibana.yml:

searchguard.readonly_mode.roles: ["sg_kibana_user"]

  • Restart Kibana and log in with kibanaro/kibanaro

This should give you the readonly mode. If this works, then you can try to apply it to your own roles, but please try this vanilly approach first.

The dashboard only mode is not an Enterprise feature, it should also work in the Community Version.

@iahmad-khan

This comment has been minimized.

Show comment
Hide comment
@iahmad-khan

iahmad-khan May 4, 2018

iahmad-khan commented May 4, 2018

@jochenkressin

This comment has been minimized.

Show comment
Hide comment
@jochenkressin

jochenkressin May 4, 2018

Collaborator

Yes, that's what I was talking about. The dashboard only mode is released, and for all our unit and integration tests it works fine. So to figure out why it does not work in your installation, please follow the steps I provided and try to set up the dashboard only mode with our demo roles first. If this works we can have a look why it is failing for your self-defined roles.

Collaborator

jochenkressin commented May 4, 2018

Yes, that's what I was talking about. The dashboard only mode is released, and for all our unit and integration tests it works fine. So to figure out why it does not work in your installation, please follow the steps I provided and try to set up the dashboard only mode with our demo roles first. If this works we can have a look why it is failing for your self-defined roles.

@ameygat

This comment has been minimized.

Show comment
Hide comment
@ameygat

ameygat Jun 29, 2018

The readonly mode would not work with Kibana 5.6 or it will work ?

I get following error when I try with Kibana 5.6.2 and ES 5.6.2 :

log [06:23:17.107] [fatal] ValidationError: child "searchguard" fails because ["readonly_mode" is not allowed]

ameygat commented Jun 29, 2018

The readonly mode would not work with Kibana 5.6 or it will work ?

I get following error when I try with Kibana 5.6.2 and ES 5.6.2 :

log [06:23:17.107] [fatal] ValidationError: child "searchguard" fails because ["readonly_mode" is not allowed]

@floragunncom

This comment has been minimized.

Show comment
Hide comment
@floragunncom

floragunncom Jun 29, 2018

Owner

No, readonly mode will not work for 5.x.

Owner

floragunncom commented Jun 29, 2018

No, readonly mode will not work for 5.x.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment