Allow readonly user to save a search

_uj · August 10, 2023, 12:15pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.9.0

Describe the issue:
I would like to let a user save a search to share, without being able to modify the patterns and visualization of a specific tenant.
I see that the permission kibana_all_write is a short hand for kibana:saved_objects/*/write, so my question is if it is possible to have fine grained permissions for kibana (osd) objects, e.g. kibana:saved_objects/searches/write.
Unfortunately, I cannot find details about this subject.

Configuration:
current guest role for the global space

{
  "cluster_permissions": [
    "cluster_composite_ops_ro",
    "cluster:admin/opendistro/reports/definition/get",
    "cluster:admin/opendistro/reports/definition/list",
    "cluster:admin/opendistro/reports/instance/list",
    "cluster:admin/opendistro/reports/instance/get",
    "cluster:admin/opendistro/reports/menu/download",
    "cluster:admin/opendistro/reports/definition/create"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "search",
        "indices_monitor"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }
  ]
}

Gsmitt · August 11, 2023, 12:11am

Hey @_uj

Only documentation about roles & permission that I found was from here.

_uj · August 15, 2023, 3:30pm

I know that page, but it does not help in that case.
Browsing through the security plugin code, I only see references to the broad permission kibana:saved_objects/*/write, hence I am afraid I cannot hack a special permission for a r/o user to let it save a search.

pablo · August 15, 2023, 4:28pm

@_uj According to the documentation, either read-only or read/write permissions can be assigned to all OpenSearch Dashboards objects.

The lack of fine-tuning ability is not a bug but a missing feature.

_uj · August 15, 2023, 4:46pm

Thanks, I guess I will file a feature request on the repo github page, then.

pablo · August 15, 2023, 5:43pm

@_uj Once you create the feature request, please share the link here.

_uj · September 11, 2023, 9:11am

https://github.com/opensearch-project/security/issues/3346

Topic		Replies	Views
Save query in read-only tenant OpenSearch Dashboards	1	296	August 28, 2023
Users unable to save queries Security troubleshoot	7	1624	March 30, 2022
Kibana_all_read + savedObject export permission? Security	4	1084	May 18, 2021
Non admin users are unable to access indexed data from Kibana Discovery Security	1	442	May 24, 2021
Access rights to management page Security	8	348	November 16, 2021

Allow readonly user to save a search

Related Topics