Info: Deprecated as of Datafari 5.2. Please refer to [DEPRECATED] Analytic Stack (Apache Zeppelin).
Starting with Datafari 5.0, the Elastic ELK stack has been replaced by the Opendistro ... on. This has brought some changes, especially concerning the security aspect: Opendistro provides an open source security plugin equivalent to the proprietary Elastic security suite. As a consequence, access to the Kibana UI is no longer handled by an Apache proxy in front, but rather by the Opendistro plugin.
1. Tenant system

The security principle is based on what is called a “tenant”. Simply put, a tenant is a “space” that contains Kibana dashboards, visualizations and objects. We can then attribute read/write rights to users, or allow them to do some admin operations on those tenants. This will give them access to the dashboards, visualizations etc. contained in the tenants on which they have read access. They can obviously modify or create new ones, assuming they have the correct rights. In Datafari we have created two tenants:
The tenants are declared and stored in the file To modify or create a tenant you can either:
In the Kibana UI, if you have access rights to several tenants, you will need to switch between them in order to view all the dashboards and visualizations. Please remember this, because only one tenant can be active at a time. This means that although globally you are entitled to view dashboards from separate tenants, if you do not manually switch from one tenant to the other, you will not be able to see all of the dashboards.

To switch between tenants, click on the “Tenant” tab located in the left menu:

Then click on the “Select” button of the tenant you want to activate/switch to:

2. Users and roles

With OpenDistro, users and roles are managed independently from Datafari.

a. The users

There are 3 users defined by default:
These users are defined in the file They are also created with the “admin” default password. To change their password you can use the admin UI (see further below) or you can do it manually:
Datafari provides an admin UI to simply modify the password of the searchadmin and searchexpert users, but not for the admin user (for the latter, use the manual procedure above). This UI is located under User Management → Manage Datafari Services Users:

You can add new users by either using the Kibana UI or the REST API or through the file

b. The roles

OpenDistro roles allow users to have read and/or write access to index patterns, to tenants, or to both. Index patterns are linked to Elasticsearch indexes and tell Kibana which Elasticsearch indexes to query to retrieve data and how to interpret the data/fields. So having read rights on an index pattern means that one can perform queries on the Elasticsearch indexes linked to the index pattern and retrieve the fields defined by the index pattern. Having write rights on an index pattern means that one can modify the index pattern, to add or remove fields for example.
Concerning roles, two specific roles are provided with Datafari:
The roles are defined in the file You can add or modify roles either through the Kibana UI, the REST API, or in the file. Here is the official OpenDistro documentation on how to do this with Kibana and the REST API: https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles

To attribute roles to users, you need to define a roles mapping. For the default roles described above, this is done in the file As usual, if you made changes in the file you will then need to run the script
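
To illustrate how a roles mapping and each role's tenant permissions combine into the tenants a user can actually open, here is an added example (not Datafari or OpenDistro code). All role, user and tenant names are constructed, the dictionaries mirror the `tenant_permissions` layout of OpenDistro role definitions, and pattern matching is approximated with shell-style `*` wildcards.

```python
from fnmatch import fnmatchcase

# Constructed sample data; every role, user and tenant name is hypothetical.
# The dictionaries mirror the tenant_permissions layout of OpenDistro roles.
ROLES = {
    "example_reader": {"tenant_permissions": [
        {"tenant_patterns": ["example_tenant_a"],
         "allowed_actions": ["kibana_all_read"]}]},
    "example_editor": {"tenant_permissions": [
        {"tenant_patterns": ["example_tenant_*"],
         "allowed_actions": ["kibana_all_write"]}]},
}
ROLES_MAPPING = {
    "example_reader": {"users": ["alice", "bob"]},
    "example_editor": {"users": ["bob"]},
}
TENANTS = ["example_tenant_a", "example_tenant_b"]


def tenant_level(actions):
    """Map a permission's allowed_actions to 'write', 'read' or None."""
    if "kibana_all_write" in actions:
        return "write"
    return "read" if "kibana_all_read" in actions else None


def effective_tenant_access(user, roles=ROLES, mapping=ROLES_MAPPING,
                            tenants=TENANTS):
    """Return {tenant: 'read' | 'write'} for each tenant the user can open."""
    access = {}
    for role_name, entry in mapping.items():
        if user not in entry.get("users", []):
            continue
        for perm in roles.get(role_name, {}).get("tenant_permissions", []):
            level = tenant_level(perm.get("allowed_actions", []))
            if level is None:
                continue
            for tenant in tenants:
                if any(fnmatchcase(tenant, p) for p in perm["tenant_patterns"]):
                    # Write access granted by any role wins over read-only.
                    if level == "write" or tenant not in access:
                        access[tenant] = level
    return access


def wildcard_tenant_roles(roles=ROLES):
    """Roles whose tenant patterns use wildcards and deserve a review."""
    return sorted({name for name, role in roles.items()
                   for perm in role.get("tenant_permissions", [])
                   for p in perm["tenant_patterns"] if "*" in p})
```

Running `effective_tenant_access` for each mapped user after a role change shows whether a wildcard tenant pattern has widened access beyond the tenants you intended.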