[DOCS] Improves documentation around multitenancy (#51632)

gchaps 2019-11-25 13:01:19 -08:00 committed by GitHub
parent c73b5dad18
commit 0f86a59799
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 22 additions and 4 deletions


@ -176,10 +176,20 @@ Kibana 7.0 will only use the Node.js distribution included in the package.
[float]
==== Removed support for users relying on direct index privileges to the Kibana index in Elasticsearch
*Details:* With the introduction of Kibana RBAC in 6.4, users no longer require privileges to the Kibana index in Elasticsearch. Instead, users
should be granted <<kibana-privileges>>. Prior to 7.0, when a user that relies upon direct index privileges logs into Kibana, a deprecation warning is logged. If you are using the `kibana_user` or `kibana_dashboard_only_user` role to grant access to Kibana, or a custom role using <<kibana-privileges>>, no changes are required.
should be granted <<kibana-privileges>>. Prior to 7.0, when a user who relies upon direct index privileges logged into Kibana, a deprecation warning was logged.
*Impact:* You must change any roles which grant access to Kibana using index privileges to instead use <<kibana-privileges>>. Watcher jobs using the Reporting attachment type must be updated as well.
*Impact:* You must change any roles that grant access to Kibana using index privileges to use <<kibana-privileges>> instead.
Watcher jobs using the Reporting attachment type must also be updated.
If you use a custom `kibana.index` for multitenancy, you can
no longer use `kibana_user` or `kibana_dashboard_only_user` to provide access,
and will have to start using {kib} privileges.
In addition, roles cannot be shared across Kibana tenants when granting access to Kibana privileges.
For example, a tenant using `kibana.index: .kibana` will have its own set
of roles created to grant access to Kibana. If you create another tenant
at `kibana.index: .some-other-index`, it will need its own set of roles
to grant access to that tenant.
[float]
[[breaking_70_setting_changes]]
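Review bot: The rewritten *Details* paragraph drops the sentence saying that users of `kibana_user`, `kibana_dashboard_only_user`, or a custom role using <<kibana-privileges>> need no changes, and the new *Impact* text mentions the built-in roles only for a custom `kibana.index`. A reader on the default `.kibana` index is no longer told whether those roles still work for them. Suggest keeping that statement, scoped explicitly to the default index. In the added *Impact* lines, "will have to start using {kib} privileges" should link <<kibana-privileges>> as the earlier sentences do, and the paragraph mixes `{kib}` with literal "Kibana" ("roles cannot be shared across Kibana tenants"), so pick one form.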


@ -123,9 +123,16 @@ Visualize.
`kibana.defaultAppId:`:: *Default: "home"* The default application to load.
`kibana.index:`:: *Default: ".kibana"* Kibana uses an index in Elasticsearch to
store saved searches, visualizations and dashboards. Kibana creates a new index
store saved searches, visualizations, and dashboards. Kibana creates a new index
if the index doesnt already exist. If you configure a custom index, the name must
be lowercase, and conform to {es} {ref}/indices-create-index.html[index name limitations].
+
When running multiple tenants of {kib} by changing the `kibana.index` in your `kibana.yml`,
you cannot use the `kibana_user` or `kibana_dashboard_only_user` roles
to grant access to {kib}.
You must create custom roles that authorize the user for that specific tenant.
Although multi-tenant installations are supported, the recommended approach
to securing access to {kib} segments is to grant users access to specific spaces.
`kibana.autocompleteTimeout:`:: *Default: "1000"* Time in milliseconds to wait
for autocomplete suggestions from Elasticsearch. This value must be a whole number
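Review bot: The paragraph added under `kibana.index:` says "You must create custom roles that authorize the user for that specific tenant" without pointing to where or how such a role is defined, which leaves the access-control step undocumented at the place an operator changes the setting. Suggest cross-referencing the Kibana privileges section (for example <<kibana-privileges>>) and the spaces documentation next to "grant users access to specific spaces". The same three sentences are added nearly verbatim in the role documentation as well. A shared include would keep the copies from drifting.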


@ -6,7 +6,8 @@ The Elastic Stack comes with the `kibana_user` {ref}/built-in-roles.html[built-i
When you assign a user multiple roles, the user receives a union of the roles privileges. Therefore, assigning the `kibana_user` role in addition to a custom role that grants Kibana privileges is ineffective because `kibana_user` has access to all the features in all spaces.
NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`, you cannot use `kibana_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
NOTE: When running multiple tenants of Kibana by changing the `kibana.index` in your `kibana.yml`,
you cannot use `kibana_user` or `kibana_dashboard_only_user` to grant access. You must create custom roles that authorize the user for that specific tenant. Although multi-tenant installations are supported, the recommended approach to securing access to Kibana segments is to grant users access to specific spaces.
[role="xpack"]
[[kibana-role-management]]
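Review bot: The updated NOTE says you "cannot use `kibana_user` or `kibana_dashboard_only_user` to grant access" with a custom `kibana.index`, but it does not say what happens if one of those roles is assigned anyway, so the reader cannot tell whether the user is denied or ends up with access to a different tenant. Suggest one sentence stating the resulting behaviour. The preceding paragraph explains the role-union effect only for `kibana_user`. Since the NOTE now names `kibana_dashboard_only_user` too, say whether the same reasoning applies to it. The NOTE is also broken after the first comma only and otherwise left as one long line, so wrap it consistently.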