Tenant membership implicitly grants read access to tenant indices that match a pre-configured pattern.
Separated ElasticSearch and Kibana sync operations - Kibana is optional.
Changes
Tenant membership implicitly grants read access to tenant indices that match the pattern tenant-{tenant}-*. For this purpose, an ElasticSearch role index-{tenant}-read is created for each Seacat tenant.
The index name pattern can be configured via the tenant_indices option in the batman:elasticsearch config section, e.g.:
To access a tenant space in Kibana, the user must have access to the tools:kibana:read resource (or tools:kibana:all for read-write access). For this purpose, Kibana roles space-{tenant}-read and space-{tenant}-all are created for each Seacat tenant.
Resource authz:superuser maps to ElasticSearch role superuser.
Resource tools:kibana:admin maps to Kibana role kibana_admin.
Resource IDs can be changed using the following config options:
elk:-prefixed resources.
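The role mapping described under Changes can be audited with a short script. This is an added example, not code from the project: it derives the ElasticSearch and Kibana roles a user should hold from their tenants and resources, and lists indices that more than one tenant's default pattern would match. The input shapes and function names are hypothetical, and the overlap check assumes tenant IDs may contain hyphens and that simple glob matching approximates ElasticSearch wildcard matching.

```python
import fnmatch

# Role and resource names are the defaults from the change description above.
TENANT_INDICES = "tenant-{tenant}-*"  # default tenant_indices pattern


def expected_roles(tenant_resources, global_resources=frozenset()):
    """Roles a user should end up with.

    tenant_resources: {tenant: set of resource IDs held in that tenant}
    global_resources: resource IDs held outside any tenant
    (both shapes are hypothetical, chosen for this example).
    """
    roles = set()
    held = set(global_resources).union(*tenant_resources.values())
    if "authz:superuser" in held:
        roles.add("superuser")
    if "tools:kibana:admin" in held:
        roles.add("kibana_admin")
    for tenant, resources in tenant_resources.items():
        roles.add(f"index-{tenant}-read")  # membership alone is enough
        if "tools:kibana:read" in resources:
            roles.add(f"space-{tenant}-read")
        if "tools:kibana:all" in resources:
            roles.add(f"space-{tenant}-all")
    return roles


def shared_indices(tenants, index_names, pattern=TENANT_INDICES):
    """Indices matched by more than one tenant's pattern: {index: [tenants]}."""
    shared = {}
    for name in index_names:
        readers = sorted(
            t for t in tenants
            if fnmatch.fnmatchcase(name, pattern.format(tenant=t))
        )
        if len(readers) > 1:
            shared[name] = readers
    return shared


if __name__ == "__main__":
    # Constructed sample data.
    print(sorted(expected_roles({"acme": {"tools:kibana:read"}, "beta": set()})))
    print(shared_indices(["acme", "acme-eu"],
                         ["tenant-acme-logs-2024", "tenant-acme-eu-logs-2024"]))
```

A non-empty result from shared_indices means membership in one tenant would also grant read access to another tenant's indices, so either the tenant naming or the tenant_indices pattern needs adjusting.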