Introduce kibana_system user, deprecate kibana user #25879
Comments
Pinging @elastic/kibana-security |
Pinging @elastic/kibana-operations |
@clintongormley you're good at naming, and have good visibility into what the other teams are doing; does this proposed rename make sense to you or do you have an alternate suggestion? |
Do you want to include changing the |
@tylersmalley I'm tracking that in a separate issue here: #25722 |
makes sense to me. btw, this has been an open request in ES for well over a year now :) elastic/elasticsearch#29808 |
My only concern is we already have a built in role called Kibana_system, now we are going to have a built-user called Kibana_system also. Will it cause more confusion? |
I don't think it'd be too confusing. Having groups named after specific users is a pattern that's pretty common in *nix environments |
We were initially hoping to tackle this during the 7.0 upgrade process, but we determined its effect on the end-user was going to be too great, so I've updated the description to specify the new deprecation plan. |
/cc @AlonaNadler |
calling any account or role by the name To add to the confusion there is a Continuing a confusing naming pattern just "to be consistent" is like pulling a log from a fire bare-handed, just because some of the others did it too. And it's just one more potential roadblock to adoption. |
This is exactly how I think about the
Yep, the
This doesn't seem accurate, sorry if you were misled.
I hope I helped to clarify things -- let me know if you have more questions, or if I misunderstood your point in any way. |
If that's the intent for kibana_system, then it shouldn't be in the list of choices for accounts that will be logging into kibana. ES.co support did suggest creating a custom role before closing the support request, but I'm not terribly interested in getting into any kind of weeds with ES and this role grant is for a short term contractor helping us out. The problem with kibana_user is that it doesn't actually do what the docs say. I assigned it to that contractor's newly created user account recently and a few things didn't work, most notably queries in dev tools (report auth errors.) |
I completely agree! We are actively working on improving this experience here: #18270
Custom roles are indeed the way to go here, as you can take advantage of the feature toggles introduced in 7.2: https://www.elastic.co/blog/introducing-kibana-feature-controls-curating-and-securing-feature-access, and assign additional index/cluster privileges as necessary.
The |
This sounds like there is an admin tool for es other than kibana where I would manage cluster permissions. EDIT: perhaps this point was a bit too subtle. I don't think there are any other admin tools, so I would not be expecting that granting permissions in kibana is in any way separate from granting permission to the cluster, or that even if it were, then I would expect the grant in kibana to include any necessary cluster permissions. I have no history with this program set until encountering it earlier this year, so I have no historical context of these being separate and distinct and growing together or whatever happened to come to the current, and I don't really want to have that information context because it isn't useful. The tool I use today is what should be consistent. |
I see this is closed, but thought I'd leave my 2 cents about. Every time I run |
@joaociocca yes this will change as well. We introduced corresponding changes to the password setup utility in elastic/elasticsearch#54967 for version
|
At the beginning of this page in the guide it still says "kibana", while later on it says "kibana_system". |
@flo-ryan thanks for letting us know! I opened elastic/elasticsearch#58422 to track this. |
The kibana user is named awkwardly and there are quite a few users who confuse this with a user that they can log in to Kibana with, which is not the case.
We'd like to deprecate the kibana user and have users begin using a new kibana_system user during 7.x lifecycle, and then remove the kibana user entirely in 8.0. This will put us in line with the "logstash_system", "beats_system", and "apm_system" users:
We'll need to figure out the best approach to issuing the deprecation warnings, and displaying this via the Kibana user management UI.