Anonymous access to Global tenant

Hello,

I have enabled anonymous access and that seems to be working OK, but we would like to have access to the Global tenant as well.

Have added this to roles_mapping.yml, but that doesn’t seem to have helped.

kibana_user:
  reserved: false
  users:
  - "anonymous_users_role"

How can we give Global tenant permission for the anonymous_users_role?

Cheers,
Eddie.

Hi @big-edd,

In the list of users, you need to add a username, not a role name. Please change anonymous_users_role to anonymous.

Thanks @Eugene7

Changing to “anonymous” broke it some more:


[2024-07-30T01:20:15,210][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [opensearch] Tenant global_tenant is not allowed for user opendistro_security_anonymous

So I changed it back to “anonymous_users_role” again.

I cannot help thinking that somewhere in the below configs, anonymous: instead of anonymous_users_role: would be more appropriate and clearer, but that is how it is shown in the official documentation. And given how much messing about it has taken to get this working, I do not want to do any more unnecessary experimentation at the moment. So unless someone can tell me where that change should happen, I will leave it like this for now and continue cringing.

A bit more scratching through logs and search results: Seems to be working OK now with the below.

roles_mapping.yml updated to:


  ..  ..  [SNIP]  ..  .. 

kibana_user:
  reserved: false
  users:
  - "anonymous_users_role"
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to kibana_user"

  ..  ..  [SNIP]  ..  .. 

anonymous_users_role:
  reserved: false
  hidden: false
  backend_roles:
  - "anonymous_users_role"
  - "opendistro_security_anonymous_backendrole"
  description: "Anonymous read only access"

roles_mapping.yml entry looks like this:


##  Added for anonymous read only access.
anonymous_users_role:
  reserved: false
  hidden: false
  cluster_permissions:
    - 'OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS'
    - 'cluster:admin/opensearch/ql/datasources/read'
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - 'indices:monitor/settings/get'
        - 'indices:admin/mappings/get'
        - 'indices:admin/shards/search_shards'
        - 'indices:admin/template/get'
        - 'indices:admin/resolve/index'
        - 'indices:data/read/search'
        - 'indices:data/read/get'
        - 'indices:data/read/mget'
        - 'indices:data/read/mget*'
  tenant_permissions:
    - tenant_patterns:
      - 'global_tenant'
      allowed_actions:
      - 'kibana_all_read'

Cheers,
Eddie.
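To make the difference between the `users` and `backend_roles` fields of a roles mapping concrete, here is an added Python example (not code from this thread and not the OpenSearch project's own code) that re-implements, in simplified form, how the security plugin turns a request's identity into security roles and then into tenant access. The mapping and role data are copied from the fragments posted above; the anonymous identity is the username `opendistro_security_anonymous` shown in the WARN line and the backend role `opendistro_security_anonymous_backendrole` used in the mapping. The resolver treats `users` / `backend_roles` entries as shell-style wildcards only (the plugin also accepts regex entries, which this example does not handle), so the matching logic is an assumption, not the plugin's code.

```python
"""Resolve which security roles and which tenant access an OpenSearch request
would get, from roles_mapping.yml / roles.yml style data.

Added example, not from the forum thread or the OpenSearch project. The
resolver is a simplification of the plugin's logic (username and backend-role
matching with glob wildcards via fnmatchcase; regex entries are not handled).
"""
from fnmatch import fnmatchcase

# Identity the security plugin assigns to an unauthenticated request when
# anonymous auth is enabled: the username is the one in the WARN log line in
# the thread, the backend role is the one the thread's mapping relies on.
ANON_USER = "opendistro_security_anonymous"
ANON_BACKEND_ROLES = {"opendistro_security_anonymous_backendrole"}

# Constructed copy (as Python dicts) of the roles_mapping.yml fragments above.
ROLES_MAPPING = {
    "kibana_user": {
        "users": ["anonymous_users_role"],   # a role name in a username field
        "backend_roles": ["kibanauser"],
    },
    "anonymous_users_role": {
        "backend_roles": [
            "anonymous_users_role",
            "opendistro_security_anonymous_backendrole",
        ],
    },
}

# Constructed copy of the roles.yml entry above; only the tenant part is
# needed for the Global-tenant question.
ROLES = {
    "anonymous_users_role": {
        "tenant_permissions": [
            {"tenant_patterns": ["global_tenant"],
             "allowed_actions": ["kibana_all_read"]},
        ],
    },
}


def _any_match(patterns, values):
    """True if any glob pattern matches any value (assumed glob semantics)."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def resolve_roles(user, backend_roles, mapping=ROLES_MAPPING):
    """Security roles a request gets: a mapping matches on the username, on
    any one backend role, or on every entry of and_backend_roles."""
    mapped = set()
    for role, m in mapping.items():
        if _any_match(m.get("users", []), [user]):
            mapped.add(role)
        elif _any_match(m.get("backend_roles", []), backend_roles):
            mapped.add(role)
        elif m.get("and_backend_roles") and all(
            any(fnmatchcase(b, p) for b in backend_roles)
            for p in m["and_backend_roles"]
        ):
            mapped.add(role)
    return mapped


def tenant_access(role_names, tenant, roles=ROLES):
    """Return 'write', 'read' or None for a tenant, given the mapped roles."""
    access = None
    for r in role_names:
        for tp in roles.get(r, {}).get("tenant_permissions", []):
            if not _any_match(tp.get("tenant_patterns", []), [tenant]):
                continue
            actions = set(tp.get("allowed_actions", []))
            if "kibana_all_write" in actions:
                return "write"
            if "kibana_all_read" in actions:
                access = "read"
    return access


def check_anonymous():
    """Roles and global_tenant access an unauthenticated request ends up with."""
    roles = resolve_roles(ANON_USER, ANON_BACKEND_ROLES)
    return roles, tenant_access(roles, "global_tenant")


if __name__ == "__main__":
    roles, access = check_anonymous()
    print(f"{ANON_USER}: roles={sorted(roles)} global_tenant={access}")
```

Run against the thread's data, the anonymous request is mapped to `anonymous_users_role` only through the `backend_roles` entry `opendistro_security_anonymous_backendrole`; the `users: ["anonymous_users_role"]` line under `kibana_user` matches no username (nor would `anonymous`, since the actual username is `opendistro_security_anonymous`), so it grants nothing. On a live cluster the same question is answered by an unauthenticated `GET /_plugins/_security/authinfo`, which reports the resolved `user_name`, `backend_roles`, `roles` and `tenants` for the request.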

Hi @big-edd ,

Could you please share your config.yml and opensearch_dashboards.yml files?

opensearch_dashboards.yml

opensearch.hosts: [https://opensearch:9200]
opensearch.ssl.verificationMode: none
opensearch.username: admin
opensearch.password: Bogus_Password
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.enable_global: true
opensearch_security.multitenancy.tenants.enable_private: false
#opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.multitenancy.tenants.preferred: [Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Use this setting if you are running opensearch-dashboards without https
opensearch_security.cookie.secure: false

server.host: '0.0.0.0'
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.anonymous_auth_enabled: true
#opensearch_security.auth.type: ["basicauth","openid"]

config.yml

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Kibana multitenancy
    multitenancy_enabled: false
    private_tenant_enabled: false
    default_tenant: Global
    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 4
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: disabled
            #userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          #config goes here ...

Hi @big-edd ,

The setting opensearch_security.multitenancy.enabled enables or disables multi-tenancy in OpenSearch Dashboards. In your opensearch_dashboards.yml file, the current value is set to opensearch_security.multitenancy.enabled: false. Please change this value to true.

Hello @Eugene7,

Thanks for the tip, but we do not require multitenancy, so that is why it is disabled.

Cheers,
Eddie.