Open thekofimensah opened 6 years ago
What about using LDAP?
Create two LDAP groups such as companyA and companyB, and map your users, adminA, roA, adminB, roB, to the groups.
Then, configure own_home.ldap options.
https://github.com/wtakase/kibana-own-home#configuration-with-ldap
Finally, a user belonging to companyA LDAP group can see .kibana_companyA index.
Would the resulting index for adminA and roA both be .kibana_companyA? Or would .kibana_adminA and .kibana_roA be created relatively?
And/or how can I handle dashboard management without LDAP? In the most simple case, I have a user that I want to give read-only access (using readonlyREST). What is the best way to initially set up that account so that it actually has dashboards/visuals inside?
If there was an option to allow an admin user to be able to access/enter any of the .kibana_name indices, it would make dashboard management a breeze. It would work by having on the Own Home app page, for a specific user, he can access all .kibana indices and that would make it easy to edit any of the users' dashboards without the need for LDAP.
Does that make sense?
What about this patch?
After patching, define all .kibana indices such as .kibana_roA in own_home.local.groups options.
Finally only admin, which has x-tenants-enabled header equaling to true, can see all the indices.
Hi, I've the same use case as seanziee and the patch you suggest wtakase is a great solution.
However, I'm using searchguard (instead of nginx) to manage authentication, do you know if I can set a header (x-tenants-enabled to true) as I could do with nginx?
I think you need to prepare/develop a patch to set the header for search-guard-kibana-plugin.
@wtakase Hey, sorry I took a while to test this out, I was building other parts of the stack. Now I'm back to test this. So how does one set x-tenants-enabled to true? As far as I know, you can't set specific users to have a specific header in nginx.
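An added example, not part of the thread or of the kibana-own-home project: one way nginx can send a different x-tenants-enabled value per authenticated user is a `map` on `$remote_user`. The account name `admin`, the htpasswd path and the upstream address are assumptions chosen for illustration.

```nginx
# Goes in the http {} context. Added illustration, not the project's own config.
# "admin" is a hypothetical operator account; every other user gets "false".
map $remote_user $tenants_enabled {
    default  "false";
    admin    "true";
}

server {
    listen 80;

    location / {
        # Basic auth populates $remote_user; the file path is an assumed placeholder.
        auth_basic           "Kibana";
        auth_basic_user_file /etc/nginx/htpasswd;

        # proxy_set_header replaces any x-tenants-enabled value sent by the
        # client, so a browser cannot grant itself the flag by adding the header.
        proxy_set_header x-tenants-enabled $tenants_enabled;

        # Assumed upstream address for Kibana behind the proxy.
        proxy_pass http://127.0.0.1:5601;
    }
}
```

The header is only trustworthy if Kibana is reachable solely through this proxy; a client that can reach the upstream directly can set the header itself.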
I have a use case where I have several different companies that will access the same ES instance, and each company will have 2 users: an admin and a read only user. I'm using Nginx/OwnHome/ReadonlyREST combination to set the permissions for each of the users.
So company A will have access to their index, but some users will have admin privileges and some will have read only. The usernames will be adminA and roA.
Company B will also have the same situation, but adminB and roB.
I want adminA to have access to roA's dashboards and be able to change and edit roA's dashboards so that they are relevant. I want adminB to edit roB but not see anything of company A's data. The own_home.local.groups option doesn't work for this use case because then company B has access to the same public index as company A. Any ideas on how I could achieve this?