Allow readonly user to save a search

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.9.0

Describe the issue:
I would like to let a user save a search to share, without being able to modify the patterns and visualization of a specific tenant.
I see that the permission kibana_all_write is shorthand for kibana:saved_objects/*/write, so my question is whether it is possible to have fine-grained permissions for kibana (osd) objects, e.g. kibana:saved_objects/searches/write.
Unfortunately, I cannot find details about this subject.

Configuration:
current guest role for the global space

{
  "cluster_permissions": [
    "cluster_composite_ops_ro",
    "cluster:admin/opendistro/reports/definition/get",
    "cluster:admin/opendistro/reports/definition/list",
    "cluster:admin/opendistro/reports/instance/list",
    "cluster:admin/opendistro/reports/instance/get",
    "cluster:admin/opendistro/reports/menu/download",
    "cluster:admin/opendistro/reports/definition/create"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "search",
        "indices_monitor"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }
  ]
}

Hey @_uj

The only documentation about roles & permissions that I found was from here.

I know that page, but it does not help in that case.
Browsing through the security plugin code, I only see references to the broad permission kibana:saved_objects/*/write, hence I am afraid I cannot hack a special permission for a r/o user to let it save a search.

@_uj According to the documentation, either read-only or read/write permissions can be assigned to all OpenSearch Dashboards objects.

The lack of fine-tuning ability is not a bug but a missing feature.

2 Likes
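Added example, not part of the thread or of the security plugin's code: a small audit of a role definition's tenant_permissions that reports whether each tenant ends up read-only or read/write and lists any action string outside the two broad permissions discussed above. It assumes kibana_all_read / kibana:saved_objects/*/read are the read counterparts of the write names quoted in the question; the function name, the "wished" role and the sample inputs are constructed for illustration.

```python
import json

# Write names are quoted in the question; the read names are assumed counterparts.
READ = {"kibana_all_read", "kibana:saved_objects/*/read"}
WRITE = {"kibana_all_write", "kibana:saved_objects/*/write"}


def audit_tenant_permissions(role):
    """Return one finding per tenant pattern: access level and unrecognised actions."""
    findings = []
    for entry in role.get("tenant_permissions", []):
        actions = set(entry.get("allowed_actions", []))
        if actions & WRITE:
            access = "read/write"
        elif actions & READ:
            access = "read-only"
        else:
            access = "none"
        # Anything outside the two broad permissions is reported for review,
        # e.g. a per-object-type action that the thread says does not exist.
        unknown = sorted(actions - READ - WRITE)
        for pattern in entry.get("tenant_patterns", []):
            findings.append(
                {"tenant": pattern, "access": access, "unrecognised": unknown}
            )
    return findings


# Constructed sample 1: the tenant section of the guest role from the question.
GUEST = json.loads(
    '{"tenant_permissions": [{"tenant_patterns": ["global_tenant"],'
    ' "allowed_actions": ["kibana_all_read"]}]}'
)

# Constructed sample 2: a hypothetical role using the per-type action the
# question asks about; the audit flags it instead of counting it as write access.
WISHED = {
    "tenant_permissions": [
        {
            "tenant_patterns": ["global_tenant"],
            "allowed_actions": ["kibana_all_read", "kibana:saved_objects/searches/write"],
        }
    ]
}

if __name__ == "__main__":
    for name, role in (("guest", GUEST), ("wished", WISHED)):
        print(name, json.dumps(audit_tenant_permissions(role)))
```
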

Thanks, I guess I will file a feature request on the repo's GitHub page, then.

@_uj Once you create the feature request, please share the link here.

1 Like

https://github.com/opensearch-project/security/issues/3346

Hello @everyone, I am creating a role in OpenSearch where a user can save a search and create and download the report with read-only access.
1. I have successfully provided the permission to the user to download the report.
2. But he is unable to save a search and download the report.