Updated on 2024-07-02 GMT+08:00

Creating an Elasticsearch User and Configuring Index Permissions

This section describes how to use the role-based access control (RBAC) model in a security-mode Elasticsearch cluster of version 7.6.2.

Context

CSS uses the opendistro_security plug-in to provide security cluster capabilities. The opendistro_security plug-in is built based on the RBAC model. RBAC involves three core concepts: user, action, and role. RBAC simplifies the relationship between users and actions, simplifies permission management, and facilitates permission expansion and maintenance. The following figure shows the relationship between the three.

Figure 1 User, action, and role

In addition to the RBAC model, Elasticsearch has an important concept called tenant. RBAC is used to manage user authorization, and tenants are used to share information among users. In a tenant space, IAM users can share information such as dashboard data and index patterns.

By default, users can view only the index patterns and dashboard information in their own private tenant spaces. For example, if you create a user named test, an index named .kibana_xxx_test is created by default to store the content of the private space of test. Similarly, the private tenant space of the admin account is stored in .kibana_xxx_admin. To share the index pattern of the current tenant or another tenant on the dashboard, you can create a global tenant space. Other users can switch to the global tenant space to access the shared data.

Creating a User and Assigning Permissions

  1. Use Kibana to create a user.

    1. Log in to the CSS management console.
    2. Choose Clusters in the navigation pane. On the Clusters page, locate the target cluster and click Access Kibana in the Operation column.

      Enter the administrator username and password to log in to Kibana.

      • Username: admin (default administrator account name)
      • Password: Enter the administrator password you set when creating the cluster in security mode.
      Figure 2 Login page
    3. Click the Security icon on the Kibana operation page.
      Figure 3 Security page
    4. On the Security page, choose Authentication Backends > Internal Users Database.
      Figure 4 Creating a user
    5. On the Internal Users Database page, click +.
    6. On the user creation page, set the username and password, and click Submit. The username test is used as an example.
      Figure 5 Adding user information

      The user will be displayed in the user list.

  2. Create a role and grant permissions to the role.

    1. On the Security page, click Roles.
      Figure 6 Open Distro Security Roles page
    2. On the Open Distro Security Roles page, click +.
    3. Enter a role name on the Overview page.
      Figure 7 Overview page
    4. On the Cluster Permissions tab, configure CSS cluster permissions.
      Figure 8 Cluster Permissions tab
    5. On the Index Permissions tab, click Add index permissions.
      Figure 9 Index Permissions tab
      • Index patterns: Set this parameter to the name of the index whose permission needs to be configured. For example, my_store.
      • Permissions: Action Groups: Select action groups as required, for example, the read-only action group Search.
    6. On the Tenant Permissions tab, set the tenant permissions of the role.

      After the configuration is complete, the role will be displayed.

  3. Map the user to the role.

    1. On the Security page, click Role Mappings.
      Figure 10 Role Mappings page
    2. Click + to add the mapping between users and roles.
      Figure 11 Adding user-role mappings
    3. Click Submit.
    4. Verify that the configuration takes effect in Kibana.
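The three steps above (internal user, role, role mapping) can also be performed against the opendistro_security REST API instead of the Kibana Security page. The following Python script is an added example and is not CSS or Open Distro code. It assumes that the cluster endpoint is reachable over HTTPS with basic authentication as the admin account, that the Security REST API is enabled (the Open Distro 1.x default), and that the paths under /_opendistro/_security/api follow the Open Distro Security API. The role name my_store_reader and the password are constructed sample values. The least_privilege_findings function is an added check that flags role definitions that are wider than the page recommends (a catch-all index pattern or an all-permissions action group).

```python
"""REST equivalent of creating a user, a role and a role mapping in
opendistro_security (added example; endpoints are assumptions stated above)."""
import base64
import json
import ssl
import urllib.request

SECURITY_API = "/_opendistro/_security/api"

# Action groups and patterns that grant far more than a single-index reader needs.
BROAD_INDEX_PATTERNS = {"*"}
BROAD_ACTIONS = {"*", "unlimited", "indices_all", "cluster_all"}


def internal_user_body(password, backend_roles=()):
    """Body for PUT {SECURITY_API}/internalusers/<name> (Internal Users Database)."""
    return {"password": password, "backend_roles": list(backend_roles), "attributes": {}}


def role_body(index_patterns, allowed_actions, cluster_permissions=(), tenant_permissions=()):
    """Body for PUT {SECURITY_API}/roles/<role>: the Cluster, Index and Tenant
    Permissions tabs of the Kibana role page in one document."""
    return {
        "cluster_permissions": list(cluster_permissions),
        "index_permissions": [
            {"index_patterns": list(index_patterns), "allowed_actions": list(allowed_actions)}
        ],
        "tenant_permissions": list(tenant_permissions),
    }


def role_mapping_body(users, backend_roles=()):
    """Body for PUT {SECURITY_API}/rolesmapping/<role> (Role Mappings page)."""
    return {"users": list(users), "backend_roles": list(backend_roles), "hosts": []}


def security_requests(username, password, role_name, index_patterns, allowed_actions):
    """Return (method, path, body) triples in the order the page performs the steps."""
    return [
        ("PUT", f"{SECURITY_API}/internalusers/{username}", internal_user_body(password)),
        ("PUT", f"{SECURITY_API}/roles/{role_name}", role_body(index_patterns, allowed_actions)),
        ("PUT", f"{SECURITY_API}/rolesmapping/{role_name}", role_mapping_body([username])),
    ]


def least_privilege_findings(role):
    """Return human-readable findings for a role document that is broader than needed."""
    findings = []
    for perm in role.get("index_permissions", []):
        for pattern in perm["index_patterns"]:
            if pattern in BROAD_INDEX_PATTERNS:
                findings.append(f"index pattern {pattern!r} matches every index")
        for action in perm["allowed_actions"]:
            if action in BROAD_ACTIONS:
                findings.append(f"index action group {action!r} grants all index actions")
    for action in role.get("cluster_permissions", []):
        if action in BROAD_ACTIONS:
            findings.append(f"cluster action group {action!r} grants all cluster actions")
    return findings


def send(endpoint, admin_user, admin_password, method, path, body, verify_tls=True):
    """Send one request as the admin account. Not called at import time; the
    endpoint (e.g. https://<cluster-address>:9200) is supplied by the caller."""
    credentials = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    request = urllib.request.Request(
        endpoint + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Basic {credentials}", "Content-Type": "application/json"},
    )
    # Keep certificate verification on; only disable it for a cluster whose
    # certificate you have deliberately decided not to validate.
    context = ssl.create_default_context() if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(request, context=context) as response:
        return json.loads(response.read().decode())


if __name__ == "__main__":
    # Dry run: print the requests for the page's example (user test, index my_store,
    # read-only action group search) without contacting a cluster.
    for method, path, body in security_requests("test", "ExamplePassw0rd!", "my_store_reader",
                                                ["my_store"], ["search"]):
        print(method, path, json.dumps(body))
```

Run the dry run first and review the role document; if least_privilege_findings returns anything for it, narrow the index pattern or action group before sending the requests with send(...).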

Creating a User with Kibana Access Permission

  1. Create a user named test. For details, see step 1 in Creating a User and Assigning Permissions.
  2. Map the user to the kibana_user role.

    1. On the Security page, click Role Mappings.
    2. On the Role Mappings page, click kibana_user.
      Figure 12 kibana_user role

      The kibana_user role has permission for the .kibana* index. The dashboards and index patterns operated on the Kibana page are saved in .kibana*. Mapping the test user to kibana_user therefore grants the test user Kibana access.

    3. Click + to add a user-role mapping.
    4. In the Users area, select the test user.
    5. Click Submit.

      After the configuration is complete, switch to the test user to check whether the permission takes effect.

Granting a New User Permissions on index*

The newly created test user can access Kibana and has permissions for the index patterns, Discover, and Dashboards of Kibana. However, this does not mean that the test user can view every .kibana tenant space. By default, the test user can view only the data of its private tenant space and the global tenant space. To access other tenant spaces, you need to define the corresponding tenant permissions in the role.

  1. Select Roles from the Security drop-down list box.
  2. On the Open Distro Security Roles page, click + to add role permissions.
  3. On the Overview tab, set the role name to Role1.
  4. On the Index Permissions tab, click Add index permissions.

    Figure 13 Configuring permissions

    • Index patterns: Enter index*.
    • Permissions: Action Groups: Select permissions as needed. For a query permission, select read. For a write permission, select write. For details about the underlying actions that each action group contains, see the description of the permission module on the Kibana page. Take read as an example: it contains indices:data/read* and indices:admin/mappings/fields/get*. indices:data/read* covers all actions under indices:data/read/, including indices:data/read/get, indices:data/read/mget, and indices:data/read/search.

  5. Complete the settings and confirm that Role1 is displayed in the role list.
  6. On the Security page, click Role Mappings.
  7. On the Role Mappings page, click + to add the mapping between the test user and the Role1 role.
  8. Click Submit.

    After the configuration is complete, the test user has the read permission on index*.

Sharing the Index Pattern and Dashboard Information of the admin Account with the test User

Generally, a new user does not have permission to create an index pattern and, depending on the configured service relationships, cannot manage data. In this case, the admin account creates the index pattern, manages dashboards and other report information, and shares the information with the test user.

Perform the following operations:

  1. Create an index pattern and a dashboard in global_tenant as the admin user.
  2. All users can directly access global_tenant. However, if there are many users from different departments, access performance may be poor. You can perform the following steps to improve performance:
    1. On the Security page, click Tenants. Create a tenant by department as the admin user, for example, test_tenant.
      Figure 14 Creating a tenant
    2. Switch to the test_tenant tenant.
      Figure 15 Switching to test_tenant
    3. Under test_tenant, create index patterns and dashboards as needed.
    4. On the Security page, click Roles. Click Role1 corresponding to the test user. Assign test_tenant to Role1 on the Tenant Permissions tab.

      Save the settings and switch to the test user. The test user can access the content in the test_tenant space.
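To see why the Role1 configuration from Granting a New User Permissions on index* lets test read index_* but nothing else, and why assigning test_tenant on the Tenant Permissions tab is what opens that space, the following Python script models how opendistro_security resolves a role document. It is an added illustration, not CSS or Open Distro code. The read action group is expanded exactly as the page describes (indices:data/read* and indices:admin/mappings/fields/get*); the write, kibana_all_read and kibana_all_write expansions are assumptions modelled on the Open Distro defaults. Patterns are matched with shell-style globbing via fnmatch, which is the wildcard style shown on the page; the real plug-in also accepts other pattern forms that are not modelled here.

```python
"""Offline model of index and tenant permission resolution for a role
(added example; action group expansions other than read are assumptions)."""
from fnmatch import fnmatchcase

# Action group -> underlying action patterns. "read" is taken from the page;
# the remaining entries are assumed to follow the Open Distro defaults.
ACTION_GROUPS = {
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "write": ["indices:data/write*", "indices:admin/mapping/put"],
    "kibana_all_read": ["kibana:saved_objects/*/read"],
    "kibana_all_write": ["kibana:saved_objects/*/write"],
}


def expand_actions(allowed_actions):
    """Replace action group names with their action patterns; bare actions pass through."""
    patterns = []
    for action in allowed_actions:
        patterns.extend(ACTION_GROUPS.get(action, [action]))
    return patterns


def index_action_allowed(role, index_name, action):
    """True if some index_permissions entry matches both the index and the action."""
    for perm in role.get("index_permissions", []):
        index_match = any(fnmatchcase(index_name, p) for p in perm["index_patterns"])
        action_match = any(fnmatchcase(action, p) for p in expand_actions(perm["allowed_actions"]))
        if index_match and action_match:
            return True
    return False


def tenant_access(role, tenant_name):
    """Return 'write', 'read' or None for the tenant; write wins over read."""
    level = None
    for perm in role.get("tenant_permissions", []):
        if not any(fnmatchcase(tenant_name, p) for p in perm["tenant_patterns"]):
            continue
        if "kibana_all_write" in perm["allowed_actions"]:
            return "write"
        if "kibana_all_read" in perm["allowed_actions"]:
            level = "read"
    return level


# Role1 as configured on the page: read on index*, plus the test_tenant
# assignment from the sharing procedure (read-only access assumed).
ROLE1 = {
    "cluster_permissions": [],
    "index_permissions": [{"index_patterns": ["index*"], "allowed_actions": ["read"]}],
    "tenant_permissions": [
        {"tenant_patterns": ["test_tenant"], "allowed_actions": ["kibana_all_read"]}
    ],
}


def summarize(role, checks):
    """Evaluate (index, action) pairs against a role and return {pair: allowed}."""
    return {(index, action): index_action_allowed(role, index, action) for index, action in checks}


if __name__ == "__main__":
    checks = [
        ("index_2024", "indices:data/read/search"),   # constructed sample index names
        ("index_2024", "indices:data/write/index"),
        ("my_store", "indices:data/read/search"),
    ]
    for (index, action), allowed in summarize(ROLE1, checks).items():
        print(f"{index:12} {action:28} {'allowed' if allowed else 'denied'}")
    for tenant in ("test_tenant", "global_tenant"):
        print(f"tenant {tenant}: {tenant_access(ROLE1, tenant)}")
```

The denied my_store case is the point to keep in mind when choosing index patterns: a pattern is matched literally against the index name, so a role written for index* grants nothing on indices whose names do not start with index, and the private and global tenant spaces the user already sees by default are not represented in tenant_permissions at all.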