403 Forbidden error on /api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

  • OpenSearch: 2.16.0
  • Dashboard: 2.16.0
  • Server OS: Ubuntu 22.04
  • Browser: Chrome 127.0.6533.88

Describe the issue:
The Discover page is blank in OpenSearch Dashboards with a 403 Forbidden error on /api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern with the following message:

no permissions for [indices:data/read/search] and User [name=test, backend_roles=[], requestedTenant=null]: security_exception: [security_exception] Reason: no permissions for [indices:data/read/search] and User [name=test, backend_roles=[], requestedTenant=null]

The Discover page should show the data.

Configuration:
Follow all the steps of the following Example: Defining users and roles - OpenSearch Documentation

Even after adding indices:data/read/search + indices:data/read/search* + indices:data/read/search/template in both Cluster and Index permissions, the error occurs.

Hi @sebtheone,

Could you please share the output of:

curl --insecure -u test:<password> -XGET 'https://<OS_node>:9200/_plugins/_security/authinfo?pretty'

Thanks,
mj

Thanks for helping. I didn’t see your message before.

Here’s the output:

{
  "user" : "User [name=test, backend_roles=[], requestedTenant=null]",
  "user_name" : "test",
  "user_requested_tenant" : null,
  "remote_address" : "192.168.55.1:35006",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "bulk_access"
  ],
  "tenants" : {
    "test" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@sebtheone, could you share the output of the below as well:

curl --insecure -u admin:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/roles/bulk_access

thanks,
mj

Here’s the output:

{
  "bulk_access" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops",
      "test"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "test-kubernetes*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "write",
          "test"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

Note that test is a permission group with these permissions: indices:data/read/search + indices:data/read/search* + indices:data/read/search/template

Thanks again.

I do believe the permission needed (for saved_objects) is for .kibana*.

Can you add your test user to kibana_user role as well?

best,
mj
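
The suggestion above, that the denied search targets the Dashboards saved-objects index rather than test-kubernetes*, can be checked offline against the role as posted. This is an added example, not part of the original thread or of the OpenSearch code base; it is a simplified evaluator (wildcards only, no DLS/FLS or tenant handling), the expansion of the built-in write group is an assumption, and .kibana_1 is a constructed sample index name.

```python
from fnmatch import fnmatchcase

# index_permissions of the bulk_access role, copied from the output posted in the thread.
BULK_ACCESS = {
    "index_permissions": [
        {"index_patterns": ["test-kubernetes*"], "allowed_actions": ["write", "test"]}
    ]
}

# "test" is the custom group described in the thread. The expansion of the built-in
# "write" group is an assumption; check GET _plugins/_security/api/actiongroups/write.
ACTION_GROUPS = {
    "test": ["indices:data/read/search", "indices:data/read/search*",
             "indices:data/read/search/template"],
    "write": ["indices:data/write*", "indices:admin/mapping/put"],
}


def expand(names, groups=ACTION_GROUPS):
    """Resolve action-group names (possibly nested) to concrete action patterns."""
    resolved, seen, stack = set(), set(), list(names)
    while stack:
        name = stack.pop()
        if name in groups:
            if name not in seen:  # guard against groups that reference each other
                seen.add(name)
                stack.extend(groups[name])
        else:
            resolved.add(name)
    return resolved


def allows(role, action, index):
    """True if any index_permissions entry matches both the index and the action."""
    for perm in role["index_permissions"]:
        if not any(fnmatchcase(index, p) for p in perm["index_patterns"]):
            continue
        if any(fnmatchcase(action, a) for a in expand(perm["allowed_actions"])):
            return True
    return False


def denied(role, requests):
    """Return the (action, index) pairs from `requests` that the role does not grant."""
    return [(a, i) for a, i in requests if not allows(role, a, i)]


# Constructed requests: a Discover query on the data index, and the saved-objects
# lookup on a Dashboards index (".kibana_1" is a sample name, not from the thread).
SAMPLE_REQUESTS = [
    ("indices:data/read/search", "test-kubernetes-logs-2024.10.22"),
    ("indices:data/read/search", ".kibana_1"),
]
```

Calling denied(BULK_ACCESS, SAMPLE_REQUESTS) returns only the .kibana_1 search: the role grants indices:data/read/search, but only on indices matching test-kubernetes*.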

Same problem after adding the kibana_user role to my test user.

Output of /_plugins/_security/authinfo?pretty:

{
  "user" : "User [name=test, backend_roles=[], requestedTenant=null]",
  "user_name" : "test",
  "user_requested_tenant" : null,
  "remote_address" : "192.168.55.1:47272",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "bulk_access",
    "kibana_user"
  ],
  "tenants" : {
    "test" : true,
    "global_tenant" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@sebtheone, just to test could you add “*” to the index_patterns and the permission as per error? (similar to the below):

best,
mj

Now I have this error in the Discover page:

Error fetching index pattern: Could not locate that index-pattern (id: test-kubernetes-logs), [click here to re-create it](management/opensearch-dashboards/indexPatterns)

The index pattern exists. There’s no error and the data is shown when I log in with the admin user.

@sebtheone, could you run the below with the user that gets an error and share:

GET _cat/indices/test-kubernetes-logs*

thanks,
mj

Here’s the output:
yellow open test-kubernetes-logs-2024.10.22 M24gYX9NQY2UIt1pyB6yDA 1 1 14817 0 5.6mb 5.6mb

For that to work, I had to add cluster permissions cluster:monitor/state + cluster:monitor/health and index permissions indices:monitor/settings/get + indices:monitor/stats.

@sebtheone, now that you have added this additional permission, do you still get an error in the “Discover”?

best,
mj

Yes, same error about the index pattern.

Thanks a lot for your help.


It looks like the index pattern itself might be corrupted, have you tried to recreate it as suggested in the error?

Yes, but the error persists with my test user. With my admin user, everything is working fine. My admin user has the all_access role, which of course I don’t want to give to my test user. I want my test user to only be able to browse the data of test-kubernetes* indices.

@sebtheone, I noticed an opened issue [BUG] (I assume you cut it?) in GitHub (link below).
I think that is a good place to take this conversation to, as there seem to be similar reports in the forum - such as here.

Could you please let me know if you have any luck “breaking this nut”, I’ll run some tests in my lab and get back to you here if any progress.

Best,
mj

[BUG] 403 Forbidden error on /api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern · Issue #4720 · opensearch-project/security · GitHub

Yes I created the GitHub issue you’re mentioning. When I have the solution, I will for sure share it there as well as here.

My objective is simply this: give access to some users to read-only browse the data of indices under specific index patterns, through a UI (it could be something else than the Discover feature of OpenSearch Dashboards, but that’s what I know about).

It feels like the permissions were not designed to work in conjunction with OpenSearch Dashboards, which is odd to me. I’m not sure what to test now, but I’m not giving up.

Thanks again for your help.
