Defining X-Pack users
Using the X-Pack Security plugin and its RBAC features, we can define user roles to determine who can use the app or see specific index patterns. Below you'll find a summary table of what we need to configure for the app to work properly. The following sections describe briefly what each role can do.
User |
Roles |
|---|---|
Kibana system user |
wazuh-admin, kibana_system |
Wazuh administrator user |
wazuh-basic, wazuh-api-admin |
Wazuh standard user #1, Wazuh standard user #2... |
wazuh-basic |
Kibana system user
This user is based on the pre-built role named kibana_system, but it must be able to fetch and write data to Wazuh indices too.
To do so, we'll define another role called wazuh-admin to handle data related to Wazuh.
Defining the
wazuh-adminrole:At cluster level, it will need the following privileges:
Cluster privileges
Check
manage
Yes
manage_index_templates
Yes
At index level, it will need the following privileges:
Indices
Privileges
.old-wazuh
all
.wazuh
all
.wazuh-version
all
wazuh-*
all
Wazuh administrator user
This user will be able to login into Kibana UI, navigate through the Wazuh app and also add/delete Wazuh API entries.
Note
This user will use two roles: wazuh-basic and wazuh-api-admin. The wazuh-basic role will be used to handle data related to Wazuh and the wazuh-api-admin role will be used to add/delete Wazuh API entries.
Defining the
wazuh-basicrole:At cluster level, it won't need any privileges. At index level, it will need the following privileges:
Indices
Privileges
.kibana
read
.wazuh
read
.wazuh-version
read
wazuh-alerts-3.x-*
read
wazuh-monitoring-3.x-*
read
Defining the
wazuh-api-adminrole:At cluster level, it won't need any privileges. At index level, it will need the following privileges:
Indices
Privileges
.wazuh
all
Wazuh standard user
We need one or more users who will be able to login into Kibana UI with read only privileges. This user only needs to use the wazuh-basic role.