Reporting and security
Reporting operates by creating and updating documents in Elasticsearch in response to user actions in Kibana.
To use reporting features with security features enabled, you need to configure security in Kibana. If you are automatically generating reports with Watcher, you also need to configure Watcher to trust the Kibana server’s certificate.
To enable users to generate reports, you must assign them the built-in reporting_user role. Users will also need the appropriate Kibana privileges to access the objects to report on and the Elasticsearch indices.
If you are using the native realm
To assign roles, open the menu, then go to Stack Management > Security > Roles, or use the user API.
This example shows how to use the Roles page to create a user who has a custom role and the reporting_user role.
- Open the menu, then go to Stack Management > Security > Roles.
- Click Create role, then give the role a name, for example, custom_reporting_user.
- Specify the indices and privileges.
  Access to data is an index-level privilege, so in Create role, add a line for each index that contains the data for the report and give each index read and view_index_metadata privileges. For more information, see Security privileges.
- Add space privileges.
  Reporting users typically save searches, create visualizations, and build dashboards. They require a space that provides read and write privileges in Discover, Visualize, and Dashboard.
- Save your new role.
- Open the menu, then go to Stack Management > Security > Users, add a new user, and assign the user the built-in reporting_user role and your new custom role, custom_reporting_user.
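The role from the steps above can also be written as a request body for Kibana's role API (PUT /api/security/role/custom_reporting_user) and checked for grants beyond what the steps call for. This is an added example, not code from the original documentation; the index names are constructed, the default space is assumed, and the audit rules are an assumption based on the privileges listed in the procedure.

```python
import json

# Index privileges the procedure above grants on each reported index.
ALLOWED_INDEX_PRIVS = {"read", "view_index_metadata"}
# Kibana feature IDs for Discover, Visualize and Dashboard.
SPACE_FEATURES = ("discover", "visualize", "dashboard")


def build_reporting_role(indices, space="default"):
    """Body for PUT <kibana>/api/security/role/custom_reporting_user."""
    if not indices:
        raise ValueError("list every index the reports read from")
    return {
        "elasticsearch": {
            "cluster": [],
            # One entry per index, mirroring "add a line for each index".
            "indices": [
                {"names": [name], "privileges": sorted(ALLOWED_INDEX_PRIVS)}
                for name in indices
            ],
        },
        # "all" on a feature gives read and write access in that space.
        "kibana": [{
            "base": [],
            "feature": {f: ["all"] for f in SPACE_FEATURES},
            "spaces": [space],
        }],
    }


def audit_role(role):
    """Return findings where a role grants more than the procedure calls for."""
    findings = []
    es = role.get("elasticsearch", {})
    if es.get("cluster"):
        findings.append("cluster privileges granted: %s" % es["cluster"])
    for entry in es.get("indices", []):
        extra = set(entry.get("privileges", [])) - ALLOWED_INDEX_PRIVS
        if extra:
            findings.append("%s: extra index privileges %s"
                            % (",".join(entry["names"]), sorted(extra)))
    for grant in role.get("kibana", []):
        if grant.get("base"):
            findings.append("base privilege %s in spaces %s"
                            % (grant["base"], grant.get("spaces")))
    return findings


if __name__ == "__main__":
    role = build_reporting_role(["sales-2020", "web-logs"])  # constructed names
    print(json.dumps(role, indent=2))
    print(audit_role(role))
```

The same audit_role function can be run over role definitions exported from an existing deployment to spot reporting roles that have drifted toward broader access.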
With a custom index
If you are using Reporting with a custom index, the xpack.reporting.index setting should begin with .reporting-*. The default Kibana system user has all privileges against the .reporting-* pattern of indices.
xpack.reporting.index: '.reporting-custom-index'
If you use a different pattern for the xpack.reporting.index setting, you must create a custom role with appropriate access to the index, similar to the following:
- Open the menu, then go to Stack Management > Security > Roles.
- Click Create role, then name the role custom-reporting-user.
- Specify the custom index and assign it the all index privilege.
- Open the menu, then go to Stack Management > Security > Users and create a new user with the kibana_system role and the custom-reporting-user role.
- Configure Kibana to use the new account:
  elasticsearch.username: 'custom_kibana_system'
With the user API
This example uses the user API to create a user who has the reporting_user role and the kibana_admin role:
POST /_security/user/reporter
{
  "password" : "x-pack-test-password",
  "roles" : ["kibana_admin", "reporting_user"],
  "full_name" : "Reporting User"
}
If you are using an external identity provider
If you are using an external identity provider, such as LDAP or Active Directory, you can either assign roles on a per user basis, or assign roles to groups of users. By default, role mappings are configured in config/role_mapping.yml.
For example, the following snippet assigns the user named Bill Murray the kibana_admin and reporting_user roles:
kibana_admin:
  - "cn=Bill Murray,dc=example,dc=com"
reporting_user:
  - "cn=Bill Murray,dc=example,dc=com"