X-Pack Security for Elasticsearch 5 and Kibana 5

If X-Pack is used, the Skedler role requires the following privileges (refer to the screenshot given below):

Cluster Privileges - monitor

Indices Privileges - read and write



Shield configuration for Elasticsearch versions below 5

Scenario 1

Kibana managers need access to dataindex: 1 and 2.

Kibana Users should have access only to dataindex: 1.

Skedler generates reports based on user permission for dataindex and Skedler requires permission to ‘.kibana’ index for discovery.

Assume Shield is configured for Kibana as follows:

1. For example, you have both the kibana_manager and kibana_user roles, and the Skedler index is configured for both roles.

2. Once the configured roles have full permission to access the data index, Skedler can discover all the dashboards and searches from Kibana. You can preview or generate reports for dashboards and searches for the configured dataindex.

3. If the kibana_manager role (a) has full permission to access the '.kibana', 'dataindex1', 'dataindex2' and '.skedler' indices, Skedler can discover all the dashboards and searches from Kibana. You can preview or generate reports for all dashboards and searches from 'dataindex1' and 'dataindex2'.

a) The required permissions for kibana_manager:

kibana_manager:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
    - cluster:monitor/state
  indices:
    '*':
      - indices:data/read/field_stats
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:admin/get
      - indices:admin/create
      - indices:data/read/msearch
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
    'dataindex1':
      - indices:admin/exists
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:admin/create
      - indices:admin/get
      - indices:data/read/msearch
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/index
    '.skedler':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:admin/get
      - indices:admin/create
      - indices:data/read/count
      - indices:data/read/msearch
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update

4. Set the skedler_elasticsearch_username and skedler_elasticsearch_password properties in reporting.yml with the Shield username and password created for kibana_manager or kibana_user role as required.

5. Set the kibana_elasticsearch_username and kibana_elasticsearch_password properties in reporting.yml with the Shield username and password created for kibana_manager or kibana_user role as required.

Scenario 2

1. Create a role for Skedler and give it full access to the “.skedler” and “.kibana” indices. Add the following content for the Skedler role to roles.yml. For example, the configuration added to roles.yml for the role should be as given below (.kibana index, .skedler index and the dataindex):

skedler:
  cluster:
    - cluster:monitor/nodes/info
    - cluster:monitor/health
    - cluster:monitor/state
  indices:
    '*':
      - indices:admin/mappings/fields/get
      - indices:admin/validate/query
      - indices:data/read/search
      - indices:data/read/msearch
      - indices:admin/get
    '.kibana':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create
    '.skedler':
      - indices:admin/exists
      - indices:admin/mapping/put
      - indices:admin/mappings/fields/get
      - indices:admin/refresh
      - indices:admin/validate/query
      - indices:data/read/get
      - indices:data/read/mget
      - indices:data/read/search
      - indices:data/read/count
      - indices:data/write/delete
      - indices:data/write/index
      - indices:data/write/update
      - indices:admin/create

2. Use the command elasticsearch/bin/shield/esusers roles skedler username -a skedler to create a user for the role Skedler.

3. Set the skedler_elasticsearch_username and skedler_elasticsearch_password properties in reporting.yml with the Shield username and password created for skedler role as shown:

4. Set the kibana_elasticsearch_username and kibana_elasticsearch_password properties in reporting.yml with the Shield username and password created for skedler role as shown:
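
The role listing in step 1 can be checked mechanically before the account is used. The Python script below is an added example, not part of the Skedler documentation or of Shield: it parses a role in the layout shown in step 1, reports privileges from that listing that are missing on '.kibana' and '.skedler', and lists data-write privileges granted on any other index pattern so they can be reviewed. The role name skedler_candidate and the sample role are constructed; only literal pattern names are compared, wildcard matching is not evaluated.

```python
import re

# Privileges the Scenario 2 listing grants on both '.kibana' and '.skedler'.
COMMON = {
    "indices:admin/exists", "indices:admin/mapping/put",
    "indices:admin/mappings/fields/get", "indices:admin/refresh",
    "indices:admin/validate/query", "indices:admin/create",
    "indices:data/read/get", "indices:data/read/mget",
    "indices:data/read/search", "indices:data/write/delete",
    "indices:data/write/index", "indices:data/write/update",
}
REQUIRED = {".kibana": COMMON, ".skedler": COMMON | {"indices:data/read/count"}}

def parse_role(text):
    """Parse one role; assumes index patterns are quoted keys, as on this page."""
    role, target = {"cluster": set(), "indices": {}}, None
    for line in (raw.strip() for raw in text.splitlines()):
        quoted = re.fullmatch(r"""['"](.+)['"]:""", line)
        if line.startswith("- ") and target is not None:
            target.add(line[2:].strip())
        elif line == "cluster:":
            target = role["cluster"]
        elif quoted:
            target = role["indices"].setdefault(quoted.group(1), set())
        elif line.endswith(":"):  # role name or the 'indices:' header
            target = None
    return role

def audit(role):
    """Return (missing privileges per Skedler index, write grants elsewhere)."""
    missing = {idx: sorted(need - role["indices"].get(idx, set()))
               for idx, need in REQUIRED.items()}
    missing = {idx: privs for idx, privs in missing.items() if privs}
    writable = sorted((pat, p) for pat, privs in role["indices"].items()
                      if pat not in REQUIRED
                      for p in privs if p.startswith("indices:data/write/"))
    return missing, writable

def _block(pattern, privs):
    return "  '%s':\n" % pattern + "".join("    - %s\n" % p for p in sorted(privs))

# Constructed sample role (not from the page): write on '*', gaps elsewhere.
SAMPLE = ("skedler_candidate:\n  cluster:\n    - cluster:monitor/health\n  indices:\n"
          + _block("*", {"indices:data/read/search", "indices:data/write/index"})
          + _block(".kibana", COMMON - {"indices:admin/create"})
          + _block(".skedler", COMMON))

if __name__ == "__main__":
    print(audit(parse_role(SAMPLE)))
```
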

 


Kibana Shield Plugin Configuration

On successfully installing the shield plugin in Kibana, the Login page is displayed when accessing Kibana.


To make the Shield plugin in Kibana work in Skedler, set the variable kibana_shield_plugin to Yes in skedler_home/config/reporting.yml. By default, the variable value is set as No.

The Shield configuration variables must also be set. Follow the steps in the Shield Configuration section for more information.

1. On configuring the Shield variables, the Login page is displayed.


 


2. Enter the Kibana login credentials in the username and password fields, and click Login. The Skedler Homepage is displayed on successfully logging in.

3. To log out, click the Logout icon on the Skedler Homepage.

