fangli / kibana-authentication-proxy

Hosts the latest kibana3 and elasticsearch behind Google OAuth2, Basic Authentication or CAS Authentication
MIT License

Per-user ES Index #5

Closed faxm0dem closed 10 years ago

faxm0dem commented 10 years ago

I'm actually dying for this feature ^^

faxm0dem commented 10 years ago

I just tested the CAS authentication and it works fine, thanks. Is it planned to add authorizations to the module, e.g. a user/index mapping of some sort, or is that being achieved by other modules?

fangli commented 10 years ago

Could you be more specific? Sorry I'm not sure I got your point.

johnnye commented 10 years ago

I think that faxm0dem would like to be able to direct individuals to specific indices, essentially having a user-specific config.js for each client.

so we could have a situation where

user: fangli => index: fangli-YYYY-mm-dd
user: faxm0dem => index: faxm0dem-YYYY-mm-dd
etc...

It's something I'd like to be able to use also.

faxm0dem commented 10 years ago

Exactly, in addition to:

user: toto => kibana-index: toto-kibana-int

Or more generally:

index: $user-YYYY-mm-dd
kibana-index: $user-kibana-int

fangli commented 10 years ago

Yep, that's a fantastic feature, but I need to figure out what the username should be, since we have 3 different authentication ways, and they can be used together.

fangli commented 10 years ago

Oh, let me add a config section like:

"kibana_es_index": "kibana-user-%s%",     // Use "%s%" instead of the username
"username_for_kibana_index": "cas",   // cas, google or basic

How about it?

fangli commented 10 years ago

Thank you guys! This will be done within one or two days. If you have more suggestions, please fire away.

fangli commented 10 years ago

Done.

faxm0dem commented 10 years ago

Great, thanks for your work!

Additionally, I was asking if it were possible to control the access to different ES indices. E.g.:

etc.

fangli commented 10 years ago

@faxm0dem Why not have a try? This nodejs app uses "/__es/" as the prefix of the ES endpoint; you can probably add the access control in the proxy library (https://github.com/fangli/kibana-authentication-proxy/blob/master/lib/es-proxy.js) with a user-index mapping.

But I think it's a little inappropriate doing such things in the proxy layer, especially when ES does not have any access control module internally. I just want to keep it simple :)

johnnye commented 10 years ago

@faxm0dem have a look at this WIP https://github.com/johnnye/kibana-authentication-proxy/commit/fdd73cf63f8b4f1f0db71a069aa2e2b8b51ef9b0

You will need to also serve any dashboard json dynamically to specify the correct indices. As I said above, this is a WIP so more work needed.

fangli commented 10 years ago

@johnnye I love your idea but maybe it's a little over-complicating.

Now let's suppose we just want to restrict users to the authorised indices, and we can easily find that these query URLs are in some common patterns like: /es/kibana-int-fangli/* /es/the-data-index-for-fangli/*

With these patterns, we can easily restrict the query to pre-defined URL patterns and drop any unmatched query.

So I can access only /es/kibana-int-fangli/* or /es/the-data-index-for-fangli/*. No matter which index I set in kibana, I can only get the data from authorised index.

We need a map between username and authorised indices patterns also.

After all, it's a good discussion and I'll reopen this issue. Poor English, hope you can get my point :)
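
An added example, not part of the thread and not code from kibana-authentication-proxy: one way to implement the pattern check described in the comment above, using the "/__es/" prefix mentioned earlier in the thread. The `ACL` map, the `isAuthorized` name and the sample paths are assumptions made for illustration.

```javascript
'use strict';

// Hypothetical map: username -> anchored regexes for the indices that user may reach.
const ACL = {
  fangli: [/^kibana-int-fangli$/, /^fangli-\d{4}-\d{2}-\d{2}$/],
  johnnye: [/^kibana-int-johnnye$/, /^johnnye-\d{4}-\d{2}-\d{2}$/],
};

// True only if every index named in the request path is authorised for the user.
function isAuthorized(user, rawPath, prefix = '/__es/', acl = ACL) {
  const known = Object.prototype.hasOwnProperty.call(acl, user);
  if (!known || !rawPath.startsWith(prefix)) return false;
  const patterns = acl[user];

  // Drop the query string; the first path segment is the index expression.
  const first = rawPath.slice(prefix.length).split('?')[0].split('/')[0];
  let segment;
  try {
    segment = decodeURIComponent(first);
  } catch (err) {
    return false; // malformed percent-encoding
  }

  // /_search, /_msearch, /_all/... name no single index: they cover every
  // index or read index names from the request body, so refuse them.
  if (segment === '' || segment.startsWith('_')) return false;

  // Elasticsearch accepts comma-separated lists and wildcards here, so check
  // each name on its own and never let a wildcard through.
  return segment.split(',').every(
    (name) => !name.includes('*') && patterns.some((re) => re.test(name))
  );
}

// Constructed sample requests (not taken from the project).
const samples = [
  '/__es/fangli-2014-03-01,fangli-2014-03-02/_search',
  '/__es/fangli-2014-03-01,johnnye-2014-03-01/_search',
  '/__es/_all/_search',
];
for (const p of samples) console.log(p, '->', isAuthorized('fangli', p));
```

A path check like this does not inspect request bodies: multi-index endpoints such as `_msearch` and `_mget` can name other indices in the body unless Elasticsearch is set to refuse that (`rest.action.multi.allow_explicit_index: false`).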

johnnye commented 10 years ago

I'm new to node, so this is still WIP as I find my way round. Our use case involves time-based indices, so johnnye-YYYY-mmm-dd. I want to be able to access all of these, but my kibana-int needs to be kibana-int-johnnye.

If I was to use this in production I would not be using basic or CAS authentication, so we can map the user's email from oAuth directly to the index prefix: fangli, johnnye etc. I have it working, but it's a Friday night so not sure that it is completely ok. Will update the feature branch and push.

johnnye commented 10 years ago

As mentioned above https://github.com/johnnye/kibana-authentication-proxy/commit/66f903c5afe954a7183c43f857cc878a96bea51f as you said might be an over-complication.

fangli commented 10 years ago

Well, got your point. Our purpose and use case are probably different, but just hack it as you go since it's really a very simple project :)

johnnye commented 10 years ago

Probably best to close this ticket then. I'm considering forking the project to drive the config file from a database and adding in logging for the proxy response times.

fangli commented 10 years ago

Fantastic! I'll close it.