Please refer to Analytic Stack (Apache Zeppelin)

...

...

1. Tenant system

The security principle is based on what it is called a “tenant”. Simply put, a tenant is a “space” that contains Kibana dashboards, visualizations and objects. We can then attribute read/write rights to users, or allow them to do some admin operations on those tenants. This will give them access to the dashboards, visualizations etc. contained in the tenants on which they have read access. They can obviously modify or create new ones assuming they have the correct rights.

In Datafari we have created two tenants:

• [Enterprise Edition Only] admin_tenant: tenant where we stored all the dashboards and visualizations reserved to the searchadmin user

• searchexpert_tenant: tenant where we stored all dashboards and visualizations reserved to the searchexpert user

...

Then click on the “Select” button of the tenant you want to active/switch to:

...

2. Users and roles

With OpenDistro, users and roles are managed independently from Datafari.

a. The users

There are 3 users defined by default:

• admin: this user has full access to the tenants and can perform any operation (creation/modification/deletion/maintenance) and is reserved to this purpose only

• [Enterprise Edition Only] searchadmin: this user has full access to the two tenants and can then read all the dashboards and visualization but can also modify them and create new ones

• searchexpert: this user has full read access to the searchexpert_tenant, so he can visualize any dashboard and visualization from this tenant, but cannot modify them or add new ones. He does not have access to the admin_tenant.

...

You can add new users by either using the Kibana UI or the REST API or through the file [DATAFARI_HOME]/elk/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml. Here is the official OpenDistro documentation concerning how to do with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#kibana
If you add new users with the file you will need to apply the changes by running the script [DATAFARI_HOME]/elk/elasticsearch/securityadmin_datafari.sh with the ‘datafari’ user. Also notice that the Datafari admin UI will only display the searchexpert and searchadmin users, not the other users you will create.

b. The roles

OpenDistro roles allow users to have read and/or write access to either index patterns, or tenants, or both.

...

• statistics : linked to the “statistics” Elasticsearch index, containing all the search statistics of Datafari

• monitoring : linked to the “monitoring” Elasticsearch index, containing all the monitoring logs of Datafari

• [Enterprise Edition Only] crawl : linked to the “crawl” Elasticsearch index, containing all the crawl logs of Datafari

• [Enterprise Edition Only] logs-* : linked to all the logs Elasticsearch indexes (the is one logs-xxxx-xx-xx index for each day where there are crawl data, ex: logs-2020-02-19), containing all the monitoring logs of Datafari

...

• search_expert: have read rights on “statistics” and “monitoring” index patterns and read rights on “searchexpert_tenant”

• [Enterprise Edition Only] search_admin: have read rights on all the index patterns, and read+write rights on the two tenants “admin_tenant” and “searchexpert_tenant”

...