Tags: SearchGuard, logging
By default, Kublr logging grants full access to cluster logs to every user who has Kublr access to the cluster. In some situations this may be too permissive.
The following procedure allows disabling access to specific indices or index patterns.
- Create a new role in the Keycloak UI; we will use a role named ba as an example
- Assign the role ba to the restricted user
- Modify the SearchGuard config as follows (the procedure for adjusting the SearchGuard configuration is described in the Kublr documentation)
Add a role mapping to the sg_roles_mapping.yml file as follows:

```yaml
sg_ba:
  backend_roles:
    - "ba"
```
Add a role definition to the sg_roles.yml file as follows:

```yaml
sg_ba:
  exclude_index_permissions:
    - actions:
        - "*"
      index_patterns:
        - "kublr_*_kublr-*"
        - "kublr_*_kube-system-*"
```
Now a user with the role ba will not see logs from indices (data streams) matching the patterns specified above.
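Before deploying the role, it helps to check which index names the exclusion patterns actually cover. The following sketch is an added example, not part of Kublr or SearchGuard: it assumes the patterns are simple wildcards (`*` for any run of characters, `?` for one character; regex-style patterns are not handled), and the index names are constructed samples to be replaced with your own index listing.

```python
import re

# The role from this article, as the Python equivalent of the sg_roles.yml entry.
SG_BA = {
    "exclude_index_permissions": [
        {
            "actions": ["*"],
            "index_patterns": ["kublr_*_kublr-*", "kublr_*_kube-system-*"],
        }
    ]
}

# Constructed index names (not from a real cluster).
SAMPLE_INDICES = [
    "kublr_prod_kublr-2024.05.01",
    "kublr_prod_kube-system-2024.05.01",
    "kublr_prod_default-2024.05.01",
    "kublr_prod_kube-public-2024.05.01",
]


def pattern_to_regex(pattern):
    """Translate a simple wildcard pattern; every other character is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def split_indices(role, index_names):
    """Return (hidden, visible) index names under the role's exclusions."""
    regexes = [
        pattern_to_regex(p)
        for rule in role.get("exclude_index_permissions", [])
        for p in rule.get("index_patterns", [])
    ]
    hidden, visible = [], []
    for name in index_names:
        matched = any(r.fullmatch(name) for r in regexes)
        (hidden if matched else visible).append(name)
    return hidden, visible


if __name__ == "__main__":
    hidden, visible = split_indices(SG_BA, SAMPLE_INDICES)
    print("hidden from role ba:", hidden)
    print("still visible:", visible)
```

Any index that lands in the visible list and should be restricted needs its own entry under index_patterns.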