Using Reporting with Shield
Reporting operates by creating and updating documents in Elasticsearch in response to user interaction in Kibana.
To use Reporting with Shield enabled, you need to set up Kibana to work with Shield. You also need to create a role that grants read access to the Reporting indices and assign this role to all users you want to allow to use Reporting.
Prior to 2.4.6, the reporting roles required the write privilege, and there wasn’t a reporting.roles.allow setting. It’s highly recommended to upgrade to 2.4.6 and remove the write privileges from the reporting roles.
Setting Up A Reporting Role
Similar to how you added a my_kibana_user user role to roles.yml to allow users to use Kibana, you will need to create a role for those users to use Reporting as well. Users will need both permissions to use the Reporting interface in Kibana.
- Create a reporting_user role that assigns read privileges to the reporting indices:

      reporting_user:
        indices:
          - names: '.reporting-*'
            privileges:
              - read

  If you prefer, you can add the reporting index permissions to an existing role. However, this will require you to add the role to the reporting.roles.allow setting as discussed below.

- If using a role name besides reporting_user, add the role to the reporting.roles.allow setting in your kibana.yml.

- Assign the reporting_user and your Kibana user role to all users you want to allow to use Reporting.

  - If you’re using the default file realm, you can assign roles when you add a user, or modify the role assignments with the roles command. For example, the following command creates a user named billmurr and assigns the my_kibana_user and reporting_user roles:

        esusers useradd billmurr -r my_kibana_user,reporting_user -p password

  - If you are using an LDAP or Active Directory realm, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in config/shield/role_mapping.yml. For example, the following snippet assigns the user named Bill Murray to the my_kibana_user and reporting_user roles:

        my_kibana_user:
          - "cn=Bill Murray,dc=example,dc=com"
        reporting_user:
          - "cn=Bill Murray,dc=example,dc=com"
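An added example, not part of the original documentation: a check over the role definitions from roles.yml that flags roles still carrying write-capable privileges on the reporting indices, and roles with reporting access that are missing from reporting.roles.allow. It assumes roles.yml has already been loaded into a dict by a YAML parser and that index patterns use only '*' wildcards; the function names, the sample roles, the sample index name and the set of privileges treated as write-capable are assumptions of the example.

```python
import re

# Privileges treated as write-capable here (an assumption of this example).
WRITE_CAPABLE = {"all", "write", "index", "create", "delete"}
# Constructed index name standing in for anything '.reporting-*' matches.
SAMPLE_INDEX = ".reporting-2017.01.01"


def _as_list(value):
    # roles.yml allows a single string or a list for names and privileges.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers_reporting(pattern):
    # Translate a '*' wildcard pattern to a regex and test the sample index.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, SAMPLE_INDEX) is not None


def audit_reporting_roles(roles, allowed_roles):
    """Return sorted (role, finding) tuples for roles that reach reporting indices."""
    findings = []
    for role, definition in roles.items():
        privileges = set()
        for entry in (definition or {}).get("indices") or []:
            if any(_covers_reporting(p) for p in _as_list(entry.get("names"))):
                privileges.update(_as_list(entry.get("privileges")))
        excess = sorted(privileges & WRITE_CAPABLE)
        if excess:
            findings.append((role, "write-capable: " + ",".join(excess)))
        if privileges & {"read", "all"} and role not in allowed_roles:
            findings.append((role, "not in reporting.roles.allow"))
    return sorted(findings)


# Constructed sample: roles.yml content after loading it with a YAML parser.
SAMPLE_ROLES = {
    "reporting_user": {"indices": [{"names": ".reporting-*", "privileges": ["read"]}]},
    "legacy_reporting": {"indices": [{"names": [".reporting-*"], "privileges": ["read", "write"]}]},
    "my_kibana_user": {"indices": [{"names": ".kibana*", "privileges": ["all"]}]},
    "analyst": {"indices": [{"names": ["logs-*", ".report*"], "privileges": ["read"]}]},
}

if __name__ == "__main__":
    for role, finding in audit_reporting_roles(SAMPLE_ROLES, ["reporting_user"]):
        print(f"{role}: {finding}")
```

A broad pattern such as '.report*' or '*' is reported as well, because it also covers the reporting indices.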