Reporting and Security
Reporting operates by creating and updating documents in Elasticsearch in response to user actions in Kibana.
To use X-Pack reporting with X-Pack security enabled, you need to set up Kibana to work with X-Pack security. If you are automatically generating reports with Watcher, you also need to configure Watcher to trust the Kibana server’s certificate. For more information, see Reporting and Security.
To enable users to generate reports, assign them the built-in reporting_user and kibana_user roles:
- If you’re using the native realm, you can assign roles through the Management / Users UI in Kibana or with the user API. For example, the following request creates a reporter user that has the reporting_user and kibana_user roles:

      POST /_xpack/security/user/reporter
      {
        "password" : "x-pack-test-password",
        "roles" : ["kibana_user", "reporting_user"],
        "full_name" : "Reporting User"
      }
- If you are using an LDAP or Active Directory realm, you can either assign roles on a per-user basis, or assign roles to groups of users. By default, role mappings are configured in config/shield/role_mapping.yml. For example, the following snippet assigns the user named Bill Murray the kibana_user and reporting_user roles:

      kibana_user:
        - "cn=Bill Murray,dc=example,dc=com"
      reporting_user:
        - "cn=Bill Murray,dc=example,dc=com"
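Because report generation needs both roles, a DN that appears under only one of them in the role mapping file cannot generate reports. The following audit is an added example, not part of the original documentation: the function names, the sample file contents other than the Bill Murray entry, and the case-insensitive DN comparison are assumptions.

```python
import re

REQUIRED_ROLES = {"kibana_user", "reporting_user"}  # both roles named on this page

# Constructed sample in the role mapping layout shown above; the group DNs are made up.
SAMPLE_MAPPING = '''\
kibana_user:
  - "cn=Bill Murray,dc=example,dc=com"
  - "cn=analysts,ou=groups,dc=example,dc=com"
reporting_user:
  - "cn=Bill Murray,dc=example,dc=com"
  - "CN=Auditors, OU=Groups, DC=example, DC=com"
'''

def normalize_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' (assumed case-insensitive)."""
    parts = re.split(r"(?<!\\),", dn.strip())
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip(), count=1).lower() for p in parts)

def parse_role_mapping(text):
    """Parse the 'role:' / '- "dn"' layout into {role: set of normalized DNs}."""
    mapping, role = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-"):
            if role is None:
                raise ValueError(f"line {lineno}: DN entry before any role name")
            mapping[role].add(normalize_dn(line[1:].strip().strip("\"'")))
        elif line.endswith(":"):
            role = line[:-1].strip()
            mapping.setdefault(role, set())
        else:
            raise ValueError(f"line {lineno}: unrecognized entry {line!r}")
    return mapping

def audit_reporting_access(mapping):
    """Return (DNs mapped to both roles, {DN: missing roles} for DNs mapped to one)."""
    holders = {r: mapping.get(r, set()) for r in REQUIRED_ROLES}
    complete = set.intersection(*holders.values())
    partial = {dn: sorted(r for r in REQUIRED_ROLES if dn not in holders[r])
               for dn in set.union(*holders.values()) - complete}
    return complete, partial

if __name__ == "__main__":
    ok, partial = audit_reporting_access(parse_role_mapping(SAMPLE_MAPPING))
    for dn, missing in sorted(partial.items()):
        print("incomplete mapping:", dn, "is missing", ", ".join(missing))
```

The audit compares mapped DN strings only and does not resolve LDAP group membership, so a user who receives one role through a group and the other through a user DN is reported under both entries separately.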
The user generating reports must also have the read privilege on the indexes underlying any visualizations they reference in their reports or watches.

Securing the Reporting Endpoints
In a production environment, you should restrict access to the X-Pack reporting endpoints to authorized users. This requires that you:
- Enable X-Pack security on your Elasticsearch cluster. For more information, see Getting started with security.
- Configure an SSL certificate for Kibana. For more information, see Configuring Security.
- Configure Watcher to trust the Kibana server’s certificate by adding it to the Watcher truststore on each node:
  - Import the Kibana server certificate into the Watcher truststore using Java Keytool:

        keytool -importcert -keystore watcher-truststore.jks -file server.crt

    If the truststore doesn’t already exist, it is created.
  - Make sure the xpack.http.ssl.truststore.path setting in elasticsearch.yml specifies the location of the Watcher truststore.
- Add one or more users who have the permissions necessary to use Kibana and X-Pack reporting. For more information, see Reporting and Security.
Once you’ve enabled SSL for Kibana, all requests to the X-Pack reporting endpoints must include valid credentials. For example, see Automating Report Generation, which includes a watch that submits requests as the built-in elastic user.
For more information about configuring watches, see How Watcher works.