RBAC Audit Logging

[kobelb]

We're historically deferred to Elasticsearch's audit log to audit events that Kibana executes on behalf of users. This has worked because we've made requests using the end-user's credentials to Elasticsearch so the events show up with the principal of the authenticated user. With the implementation of RBAC, this is no longer the case, and certain requests for end-users are made with the Kibana internal server user (after authorizing the users). We should log our own audit events in these scenarios, since we can't defer to Elasticsearch's audit log for these.

[jinmu03]

@AlonaNadler

[AlonaNadler]

@kobelb adding context for the reason users asked for audit log in the past, please keep in mind when working on logs for these scenarios
Few of the use cases that were requested in the past:

• Which users accessed/edit which object
• How many users use specific dashboards
• How many dashboards a specific user is opening
• How many users logged in Kibana in a specific time range
• Views per day
• Unique views per day
• By user views, data table, including first name, last name and e-mail
• Pie chart for the percentage of usage per user (i.e, identify most active users by page load)

cc: @joshbressers

[kobelb]

Just to be clear, we're specifically targeting this issue at ensuring we have audit logging for the deficiencies that RBAC introduces, it's not our objective to resolve all asks around unified audit logging in Kibana. The larger effort is being tracked here

[AlonaNadler]

I understand, most of the requests for audit logs are around who view/edit an object and the audit logs here are done because of the RBAC, I figured it made sense to explicitly call it here so you will have it in mind, if you think it's not the right place I can delete it

[legrego]

@kobelb can this be closed?

[kobelb]

Yup, thanks @legrego