Versions Compared

Old Version 1

changes.mady.by.user Julien Massiera

Saved on

compared with

New Version 2

changes.mady.by.user Julien Massiera

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

As consequence, the access to the Kibana UI is no more handled by an apache proxy in front, but is instead managed by the Opendistro plugin.

Info

When performing changes/modifications in any file mentioned in this documentation, you will need to run the following command in order to apply them (the OpenDistro stack need to be up and running):

  • Code Block
    sudo su datafari -c "[DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh"

1. Tenant system

The security principle is based on what it is called “tenant”, to be quick the tenant is a “space” where are created Kibana dashboards, visualizations and objects. We can then attribute rights to users in order to read/write or do some admin operations on those tenants, so they will have access to the dashboards, visualizations etc. linked to the tenants on which they have read access and even modify or create new ones if they have the rights.

...

You can add new users by either using the Kibana UI or the REST API or through the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml. Here is the official OpenDistro documentation concerning how to do with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#kibana
If you add new users with the file you will need to apply the changes by running the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user

b. The roles

OpenDistro roles allow users to have read and/or write access to either index patterns, or tenants, or both.

...

Concerning roles, two specific roles are provided with Datafari:

  • search_expert: have read rights on “statistics” and “monitoring” index patterns and read rights on “searchexpert_tenant”

  • search_admin: have read rights on all the index patterns, and read+write rights on the two tenants “admin_tenant” and “searchexpert_tenant”

The roles are defined in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml along with some “standard” roles defined by default by OpenDistro

You can add or modify roles either through the Kibana UI, or the REST API or in the file. Here is the official OpenDistro documentation concerning how to do with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles
As usual if you made changes in the file you will then need to run the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user in order to apply them

To attribute roles to users, you need to define roles mapping. For the default roles described above, this is done in the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml. So you can modify or define new roles mapping in that file or you can use the Kibana UI or REST API. You can have a more detailed explanation about role mapping in the official OpenDistro documentation: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#map-users-to-roles

As usual if you made changes in the file you will then need to run the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user in order to apply them !