Authorization

Authorizing users to use Kibana in simple configurations is as easy as assigning the user either the kibana_user or kibana_dashboard_only_user reserved role. If you’re running a single tenant of Kibana against your Elasticsearch cluster, and you’re not controlling access to individual spaces, then this is sufficient and no other action is required.

Spaces

If you want to control individual spaces in Kibana, do not use the kibana_user or kibana_dashboard_only_user roles. Users with these roles are able to access all spaces in Kibana. Instead, create your own roles that grant access to specific spaces.

Multi-tenant Kibana

When running multiple tenants of Kibana, and changing the kibana.index in your kibana.yml, you must create custom roles that authorize the user for that specific tenant. You can use either the Management / Security / Roles page in Kibana or the Kibana Role Management API to assign a specific Kibana privilege for that tenant. After creating the custom role, assign it to the users who should have access.

While multi-tenant installations are supported, the recommended approach to securing access to segments of Kibana is to grant users access to specific spaces.

Legacy roles

Prior to Kibana 6.4, Kibana users required index privileges to the kibana.index in Elasticsearch. This approach is deprecated starting in 6.4, and you will need to switch to using Kibana privileges before 7.0. When a user logs into Kibana and they’re using a legacy role, the following is logged to your Kibana logs:

<username> relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0

To disable legacy roles from being authorized in Kibana, set xpack.security.authorization.legacyFallback to false in your kibana.yml.
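
Before setting legacyFallback to false, it helps to know which accounts still depend on legacy roles. The following is an added example, not part of the Kibana documentation or code base: it scans log lines for the deprecation message quoted above and counts occurrences per username. It assumes JSON log lines carry the text in a "message" field and that usernames in plain-text lines contain no whitespace; the function name and the sample lines are constructed for illustration.

```python
import json
import re
from collections import Counter

# Message text as given in the documentation above.
SUFFIX = (" relies on index privileges on the Kibana index. "
          "This is deprecated and will be removed in Kibana 7.0")
JSON_MSG = re.compile(r"^(?P<user>.+)" + re.escape(SUFFIX))
PLAIN_MSG = re.compile(r"(?P<user>\S+)" + re.escape(SUFFIX))


def legacy_role_users(lines):
    """Count legacy-role deprecation warnings per username."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            record = None
        if isinstance(record, dict):
            # Assumption: JSON log lines carry the text in a "message" field.
            match = JSON_MSG.match(str(record.get("message", "")))
        else:
            # Plain-text fallback; assumes the username has no whitespace.
            match = PLAIN_MSG.search(line)
        if match:
            hits[match.group("user")] += 1
    return hits


# Constructed sample log lines (not real Kibana output).
SAMPLE_LOG = [
    '{"type":"log","tags":["warning"],"message":"alice' + SUFFIX + '"}',
    '{"type":"log","tags":["warning"],"message":"report bot' + SUFFIX + '"}',
    '{"type":"log","tags":["info"],"message":"Server running"}',
    "log [12:00:01] [warning] alice" + SUFFIX,
    "not a log line at all",
]

if __name__ == "__main__":
    for user, count in sorted(legacy_role_users(SAMPLE_LOG).items()):
        print(f"{user}\t{count}")
```

Each username reported is an account to move to a role with Kibana privileges before the fallback is disabled.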