maxmustermann/kibana
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
kibana/docs/development/security/index.asciidoc
Brandon Kobel add876281b
Adding RBAC Phase 1 Docs (#21178) 
* Beginning to work on the role management APIs. Added docs for GET

* Adding PUT docs

* Adding PUT details

* Adding delete docs

* Fixing linking

* Adding Kibana privileges section

* Fixing dashboard only mode docs

* Fixing a few more references to managing roles

* Beginning to work on authorization docs, might be moving some to
stack-docs

* Collapsing authorization description in the kibana privileges page

* Adding audit logging section

* Revising the language on the Kibana role management section

* Splitting back out the auth/privileges and adding legacy fallback
details

* Revising language around impact of disabling security

* Changing Kibana to {kib} and Elasticsearch to {es}

* Beginning to work on developer centric docs

* Fixing some formatting, adding some diagrams

* Adding note about the role management APIs

* Adding overview, fixing small syntax issues

* Fixing chunk name for transitioning to application privileges

* Adjusting tone for the authorization introduction

* Changing the tone and structure of the RBAC docs

* Deleting blog stuff after refactoring

* Addressing first round of peer review comments

* Fixing endpoints links

* Peer review suggested edits

* Addressing other PR feedback
2018-08-13 12:06:25 -04:00

12 lines
1.5 KiB
Text
Raw Blame History

[[development-security]]
== Security
Kibana has generally been able to implement security transparently to core and plugin developers, and this largely remains the case. {kib} on two methods that the <<development-elasticsearch, elasticsearch plugin>>'s `Cluster` provides: `callWithRequest` and `callWithInternalUser`.
`callWithRequest` executes requests against Elasticsearch using the authentication credentials of the Kibana end-user. So, if you log into Kibana with the user of `foo` when `callWithRequest` is used, {kib} execute the request against Elasticsearch as the user `foo`. Historically, `callWithRequest` has been used extensively to perform actions that are initiated at the request of Kibana end-users.
`callWithInternalUser` executes requests against Elasticsearch using the internal Kibana server user, and has historically been used for performing actions that aren't initiated by Kibana end users; for example, creating the initial `.kibana` index or performing health checks against Elasticsearch.
However, with the changes that role-based access control (RBAC) introduces, this is no longer cut and dry. {kib} now requires all access to the `.kibana` index goes through the `SavedObjectsClient`. This used to be a best practice, as the `SavedObjectsClient` was responsible for translating the documents stored in Elasticsearch to and from Saved Objects, but RBAC is now taking advantage of this abstraction to implement access control and determine when to use `callWithRequest` versus `callWithInternalUser`.
include::rbac.asciidoc[]
Reference in a new issue View git blame Copy permalink