fabric8io / openshift-elasticsearch-plugin


Kibana Index mode not properly reflected in permissions #155

Closed jcantrill closed 6 years ago

jcantrill commented 6 years ago

We advertise permissions for the kibana index mode as:

    /**
     * The setting that determines which kibana index is used by users.  Valid values are one of the following:
     * 
     *   * unique (Default) - Each user gets a unique index for kibana visualizations (e.g. .kibana.USER_UUID)
     *   * shared_ops       - Users who are in an ops role will share an index (e.g. kibana_ops) while non ops users will 
     *                        have a unique index (e.g. .kibana.USER_UUID)
     *   * shared_non_ops   - Users who are in an ops role will share an index (e.g. kibana) while non ops users will 
     *                        share the default index (e.g. .kibana_non_ops)                      
     */

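but we currently do not generate the permissions that reflect this feature. The following is an example for an operations user while the mode is set to unique. I would expect a role like 'gen_kibana_SOMEHASH'; the excerpt below contains no such role, and the only generated kibana role in it is 'gen_ocp_kibana_shared', whose index pattern is `*`: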

  "gen_project_operations" : {
    "cluster" : [
      "CLUSTER_OPERATIONS"
    ],
    "expires" : "1533221660151",
    "indices" : {
      "*?*?*" : {
        "*" : [
          "INDEX_ANY_OPERATIONS"
        ]
      },
      "?operations?" : {
        "*" : [
          "INDEX_OPERATIONS"
        ]
      }
    }
  },
  "sg_role_prometheus" : {
    "cluster" : [
      "METRICS"
    ]
  },
  "sg_role_curator" : {
    "cluster" : [
      "CLUSTER_MONITOR"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "READ",
          "MANAGE"
        ]
      }
    }
  },
  "sg_role_kibana" : {
    "cluster" : [
      "CLUSTER_COMPOSITE_OPS",
      "CLUSTER_MONITOR"
    ],
    "indices" : {
      "?kibana" : {
        "*" : [
          "INDICES_ALL"
        ]
      }
    }
  },
  "sg_role_fluentd" : {
    "cluster" : [
      "CLUSTER_MONITOR",
      "indices:data/write/bulk"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "CRUD",
          "CREATE_INDEX"
        ]
      }
    }
  },
  "sg_project_operations" : {
    "indices" : {
      "*?*?*" : {
        "*" : [
          "READ",
          "indices:admin/validate/query*",
          "indices:admin/get*",
          "indices:admin/mappings/fields/get*"
        ]
      },
      "?operations?*" : {
        "*" : [
          "READ",
          "indices:admin/validate/query*",
          "indices:admin/get*",
          "indices:admin/mappings/fields/get*"
        ]
      }
    }
  },
  "sg_role_admin" : {
    "cluster" : [
      "CLUSTER_ALL"
    ],
    "indices" : {
      "*" : {
        "*" : [
          "ALL"
        ]
      }
    }
  },
  "gen_ocp_kibana_shared" : {
    "cluster" : [
      "CLUSTER_MONITOR_KIBANA"
    ],
    "expires" : "1533221660151",
    "indices" : {
      "*" : {
        "*" : [
          "INDEX_ANY_KIBANA"
        ]
      }
    }
  }
}