[DOCS] Adds example of assigning roles in Reporting #52757
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -9,19 +9,56 @@ To use {reporting} with {security} enabled, you need to | |||||
| <<using-kibana-with-security,set up {kib} to work with {security}>>. | ||||||
| If you are automatically generating reports with | ||||||
| {ref}/xpack-alerting.html[{watcher}], you also need to configure {watcher} | ||||||
| to trust the {kib} server's certificate. | ||||||
| //// | ||||||
| For more information, see | ||||||
| <<securing-reporting>>. | ||||||
| //// | ||||||
|
|
||||||
| [[reporting-app-users]] | ||||||
| To enable users to generate reports, you must assign them the built-in `reporting_user` | ||||||
| role. Users will also need the appropriate <<kibana-privileges, {kib} privileges>> to access the objects | ||||||
| to report on and the {es} indices. | ||||||
|
|
||||||
|
|
||||||
| ==== If you are using the `native` realm | ||||||
|
|
||||||
| You can assign roles through the | ||||||
| *Management* app in Kibana or with the `user` API. | ||||||
| This example shows to use *Management* to create a user who has a custom role and the | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| `reporting_user` role. | ||||||
|
|
||||||
| . Go to *Management > Roles*, and click *Create role*. | ||||||
|
|
||||||
| . Give the new role a name, for example, `custom_reporting_user`. | ||||||
|
|
||||||
| . Specify the indices and privileges. | ||||||
| + | ||||||
| Access to data is an index-level privilege, so in *Create role*, | ||||||
| add a line for each index that contains the data for the report and give each | ||||||
| index `read` and `view_index_metadata` privileges. | ||||||
| For more information, see {ref}/security-privileges.html[Security privileges]. | ||||||
| + | ||||||
| [role="screenshot"] | ||||||
| image::user/security/images/reporting-privileges-example.png["Reporting privileges"] | ||||||
|
|
||||||
| . Add space privileges. | ||||||
| + | ||||||
| Reporting users typically save searches, create | ||||||
| visualizations, and build dashboards. They require a space | ||||||
| that provides read and write privileges in | ||||||
| *Discover*, *Visualize*, and *Dashboard*. | ||||||
|
|
||||||
| . Save your new role. | ||||||
|
|
||||||
| . Create a user account with the proper roles. | ||||||
| + | ||||||
| Go to *Management > Users*, add a new user, and assign the user the built-in | ||||||
| `reporting_user` role and your new custom role, `custom_reporting_user`. | ||||||
|
|
||||||
| This example uses the `user` API to create a user who has the | ||||||
|
There was a problem hiding this comment. This section on creating a native realm user with the API seems like it should have a header. Can the above link with the Perhaps the outward-directing link that goes to |
||||||
| `reporting_user` role and the `kibana_user` role: | ||||||
|
|
||||||
| [source, sh] | ||||||
| --------------------------------------------------------------- | ||||||
| POST /_security/user/reporter | ||||||
|
|
@@ -32,13 +69,15 @@ POST /_security/user/reporter | |||||
| } | ||||||
| --------------------------------------------------------------- | ||||||
|
|
||||||
| ==== If you are using an LDAP or Active Directory realm | ||||||
|
There was a problem hiding this comment. I'm guessing when this was originally written, that Kibana only supported LDAP and Active Directory outside of the built-in What do you think about something like:
Suggested change
|
||||||
|
|
||||||
| You can either assign | ||||||
| roles on a per user basis, or assign roles to groups of users. By default, role | ||||||
| mappings are configured in | ||||||
| {ref}/mapping-roles.html[`config/shield/role_mapping.yml`]. | ||||||
|
There was a problem hiding this comment. Note to future me and future you: #52559 is introducing a UI to manage role mappings, so when the time comes, we can link there instead of promoting the file-based role mapping mechanism. |
||||||
| For example, the following snippet assigns the user named Bill Murray the | ||||||
| `kibana_user` and `reporting_user` roles: | ||||||
|
|
||||||
| [source,yaml] | ||||||
| -------------------------------------------------------------------------------- | ||||||
| kibana_user: | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we link to the ES User API docs here?
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-put-user.html