Kibana Spaces and Access Management

Kibana Spaces are like personas which can make specific features visible or hidden for users.

By creating and configuring Spaces you can have control over which features are visible in each space. For example, you can hide Advanced Settings in “Developer” space or show Index Management only in “Admin” space. You can define which features to show or hide when you add or edit a space. Each space will have separate saved objects like Dashboards, Visualization, Index Patterns etc.

The point to note is that a Space can only hide or show a feature in the UI; it cannot disable or control root-level access. So, depending on the level of control required, Spaces should be configured together with Security Roles so that fine-grained access can be defined.

Let's look at some of the use cases:

You have an Operations Team, a Developer Team, a Sales Team and a Security Admin. Members of each of these teams need to use Kibana for specific requirements, and you do not want to give all users extra permissions to mess around with your setup.

UseCase 1: You want to create a persona for each team so that members of each team can only see the features which are necessary. For example, the Developer Team can have their own dashboards while the Operations Team can have other dashboards for monitoring etc. This can be achieved with Spaces alone; no Access Management via Roles is required.

UseCase 2: You want to create a persona for each team but also want to define which users have read access on a particular feature and which have high-privileged access. (Fine-grained access management)

UseCase 3: Along with the persona you also want to restrict access based on indexes. For example, the Dev team should only have access to an app index relevant to their service while operations can have access to add indexes.

These are just some basic example use cases, but there can be numerous scenarios based on teams and access complexities.

Consider there are 2 teams – Developer and Operations. We can define Spaces as follows –

Create Spaces

DeveloperSpace with following features visible- Discover, Dashboard, APM, Logs, DevTools and Index Pattern Management.

OperationsSpace with All features visible except – Machine Learning, SIEM and Canvas

Go to Management >> Spaces >> Create a Space

Create Space

Similarly, create a Space for Operations with its list of features.

Spaces

If you now log in as the superuser elastic, you will see an option to select a Space, and features will be visible in Kibana according to the selected Space.

Select Space

Access Management

Create Roles

By creating Roles and assigning privileges, we can control who can have what level of access on features within a space.

Let's create 4 roles:

DevReadOnly – With read only access to all DevSpace features

DevAdmin – With full access to all DevSpace features

OperationsReadOnly – With read only access to all OperationsSpace features

OperationsAdmin – With full access to all OperationsSpace features

Go to Management >> Security >> Roles >> Create role

Enter Role name, Index privileges and then add Space Privilege

Space Privileges

Similarly, create the other roles and add space privileges accordingly. Note that a single role can also assign privileges on more than one space.
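
The four roles described above, written as request bodies in the shape Kibana's role API (PUT /api/security/role/<name>) accepts, together with a check that each role stays inside its own space. This is an added example, not part of the original post; the space ids, the index patterns and the build_role and audit_role helpers are assumptions.

```python
import json

# Assumed values: space ids and index patterns are not given in the post.
SPACES = {"Dev": "developerspace", "Operations": "operationsspace"}
INDICES = {"Dev": ["app-dev-*"], "Operations": ["*"]}


def build_role(team, admin):
    """Return (role_name, body) for one of the four roles in the post."""
    name = f"{team}{'Admin' if admin else 'ReadOnly'}"
    body = {
        "elasticsearch": {
            "cluster": [],
            "indices": [{"names": INDICES[team],
                         "privileges": ["read", "view_index_metadata"]}],
        },
        # base "all" = full access, "read" = read only; scoped to one space
        "kibana": [{"base": ["all" if admin else "read"],
                    "spaces": [SPACES[team]]}],
    }
    return name, body


def audit_role(name, body, allowed_space):
    """List the ways a role reaches beyond its intended space or level."""
    findings = []
    for grant in body.get("kibana", []):
        for space in grant.get("spaces", []):
            if space == "*":
                findings.append(f"{name}: privileges apply to every space")
            elif space != allowed_space:
                findings.append(f"{name}: unexpected space {space!r}")
        if name.endswith("ReadOnly") and "all" in grant.get("base", []):
            findings.append(f"{name}: read-only role has base 'all'")
    for idx in body.get("elasticsearch", {}).get("indices", []):
        if name.startswith("Dev") and "*" in idx.get("names", []):
            findings.append(f"{name}: index pattern '*' covers all indices")
    return findings


if __name__ == "__main__":
    for team in SPACES:
        for admin in (False, True):
            name, body = build_role(team, admin)
            print(name, json.dumps(body))
            print("  findings:", audit_role(name, body, SPACES[team]))
```

Running the audit against roles exported from a cluster catches a role whose space list is "*", which would make the per-space separation ineffective for that role's users.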

Create Users

Now create users and assign the appropriate role to each user.

Go to Management >> Security >> Users >> Create user

Create User

Similarly, create a user for each Role.

Users

Now you can log in as the admin of each space and add or import that space's own Indexes, Dashboards, Searches, Visualizations etc. Users in one space cannot access objects in another space, and this is how access management works.

Validate Access

Users with access to DeveloperSpace can see only enabled features-

DeveloperSpace

Users with ReadOnly access will not be able to add an index or other objects in DeveloperSpace.

Forbidden Error

Let's log in as the devadmin user and add an index pattern. It works fine because the devadmin user has a role with full access on Index Management.

Let's create a sample dashboard in Developer Space.

DeveloperSpace-Dashboards

Now log in as a user in OperationsSpace and check whether objects of DeveloperSpace are accessible. The dashboard created in DeveloperSpace is not visible in OperationsSpace.

OperationsSpace

So this is how access management can be done in Kibana. Please share with us interesting use cases which can help others better implement access management in Elastic – Kibana.

Note- The Space module is available out of the box in Kibana, while the Security module is part of the X-Pack plugin, which is a paid plugin. You can try it for 30 days only.

To help you get started and test this out we have a git project containing docker-compose for development purpose.

We have a post on Microservices logging using EFK that can further help on pushing logs to EFK stack.

Please share your feedback through comments or contact us section.
