Role-based access controledit

Role-based access control (RBAC) in Kibana relies upon the application privileges that Elasticsearch exposes. This allows Kibana to define the privileges that Kibana wishes to grant to users, assign them to the relevant users using roles, and then authorize the user to perform a specific action. This is handled within a secured instance of the SavedObjectsClient and available transparently to consumers when using request.getSavedObjectsClient() or savedObjects.getScopedSavedObjectsClient().

Kibana Privilegesedit

When Kibana first starts up, it executes the following POST request against Elasticsearch. This synchronizes the definition of the privileges with various actions which are later used to authorize a user:

POST /_security/privilege
Content-Type: application/json
Authorization: Basic kibana changeme

{
   "kibana-.kibana":{
       "all":{
           "application":"kibana-.kibana",
           "name":"all",
           "actions":[
               "version:7.0.0-alpha1-SNAPSHOT",
               "action:login",
               "action:*"
           ],
           "metadata":{}
       },
       "read":{
           "application":"kibana-.kibana",
           "name":"read",
           "actions":[
               "version:7.0.0-alpha1-SNAPSHOT",
               "action:login",
               "action:saved_objects/dashboard/get",
               "action:saved_objects/dashboard/bulk_get",
               "action:saved_objects/dashboard/find",
               ...
           ],"metadata":{}}
   }
}

The application is created by concatenating the prefix of kibana- with the value of kibana.index from the kibana.yml, so different Kibana tenants are isolated from one another.

Assigning Kibana Privilegesedit

Kibana privileges are assigned to specific roles using the applications element. For example, the following role assigns the all privilege at * resources (which will in the future be used to secure spaces) to the default Kibana application:

"new_kibana_user": {
   "applications": [
     {
       "application": "kibana-.kibana",
       "privileges": [
         "all"
       ],
       "resources": [
         "*"
       ]
     }
   ]
 }

Roles that grant Kibana privileges should be managed using the Kibana Role Management API or the Management / Security / Roles page, not directly using the Elasticsearch role management API. This role can then be assigned to users using the Elasticsearch user management APIs.

Authorizationedit

The Elasticsearch has privileges API determines whether the user is authorized to perform a specific action:

POST /_security/user/_has_privileges
Content-Type: application/json
Authorization: Basic foo_read_only_user password

{
   "applications":[
       {
           "application":"kibana-.kibana",
           "resources":["*"],
           "privileges":[
             "action:saved_objects/dashboard/save",
           ]
       }
   ]
}

Elasticsearch checks if the user is granted a specific action. If the user is assigned a role that grants a privilege, Elasticsearch uses the Kibana privileges definition to associate this with the actions, which makes authorizing users more intuitive and flexible programatically.

Once we have authorized the user to perform a specific action, we can execute the request using callWithInternalUser.