Thanks @Eugene7
Changing to “anonymous” broke it some more;
[2024-07-30T01:20:15,210][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [opensearch] Tenant global_tenant is not allowed for user opendistro_security_anonymous
So I changed it back to “anonymous_users_role” again.
I cannot help thinking that somewhere in the below configs, `anonymous:` instead of `anonymous_users_role:` would be more appropriate and clearer, but that is how it is shown in the official documentation. And given how much messing about it has taken to get this working, I do not want to do any more unnecessary experimentation at the moment. So unless someone can tell me where that change should happen, I will leave it like this for now and continue cringing.
A bit more scratching through logs and search results: Seems to be working OK now with the below.
roles_mapping.yml updated to;

```yaml
# .. .. [SNIP] .. ..
kibana_user:
  reserved: false
  users:
  - "anonymous_users_role"
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to kibana_user"
# .. .. [SNIP] .. ..
anonymous_users_role:
  reserved: false
  hidden: false
  backend_roles:
  - "anonymous_users_role"
  - "opendistro_security_anonymous_backendrole"
  description: "Anonymous read only access"
```
roles_mapping.yml entry looks like this;

```yaml
## Added for anonymous read only access.
anonymous_users_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - 'OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS'
  - 'cluster:admin/opensearch/ql/datasources/read'
  index_permissions:
  - index_patterns:
    - "*"
    allowed_actions:
    - 'indices:monitor/settings/get'
    - 'indices:admin/mappings/get'
    - 'indices:admin/shards/search_shards'
    - 'indices:admin/template/get'
    - 'indices:admin/resolve/index'
    - 'indices:data/read/search'
    - 'indices:data/read/get'
    - 'indices:data/read/mget'
    - 'indices:data/read/mget*'
  tenant_permissions:
  - tenant_patterns:
    - 'global_tenant'
    allowed_actions:
    - 'kibana_all_read'
```
Cheers,
Eddie.
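
Added example, not part of the post above and not OpenSearch project code: an offline check that an anonymous role like the one posted stays read-only. The role is re-typed as a constructed Python dict; the probe list and finding labels are assumptions, wildcard matching is approximated with `fnmatch`, and action-group names are only flagged for manual expansion because their members are not shown on this page.

```python
from fnmatch import fnmatchcase

# Constructed sample: the anonymous_users_role entry from the post, as a dict.
ROLE = {
    "cluster_permissions": ["OPENDISTRO_SECURITY_CLUSTER_COMPOSITE_OPS",
                            "cluster:admin/opensearch/ql/datasources/read"],
    "index_permissions": [{
        "index_patterns": ["*"],
        "allowed_actions": [
            "indices:monitor/settings/get", "indices:admin/mappings/get",
            "indices:admin/shards/search_shards", "indices:admin/template/get",
            "indices:admin/resolve/index", "indices:data/read/search",
            "indices:data/read/get", "indices:data/read/mget",
            "indices:data/read/mget*",
        ],
    }],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"],
                            "allowed_actions": ["kibana_all_read"]}],
}

# Mutating actions an anonymous role should never match (probe list, not exhaustive).
WRITE_PROBES = ["indices:data/write/index", "indices:data/write/bulk",
                "indices:data/write/delete", "indices:admin/create",
                "indices:admin/delete"]

def audit_actions(actions):
    """Return (kind, value) findings for one list of allowed actions."""
    findings = []
    for action in actions:
        if ":" not in action:
            # Action-group name: members are defined elsewhere, expand by hand.
            findings.append(("expand-group", action))
        elif any(fnmatchcase(probe, action) for probe in WRITE_PROBES):
            findings.append(("matches-write", action))
    return findings

def audit_role(role):
    """Audit cluster, index and tenant permissions of one role definition."""
    findings = audit_actions(role.get("cluster_permissions", []))
    for block in role.get("index_permissions", []):
        findings += audit_actions(block.get("allowed_actions", []))
        findings += [("all-indices", p) for p in block.get("index_patterns", []) if p == "*"]
    for block in role.get("tenant_permissions", []):
        findings += [("tenant-write", a) for a in block.get("allowed_actions", [])
                     if a != "kibana_all_read"]
    return findings

if __name__ == "__main__":
    for kind, value in audit_role(ROLE):
        print(f"{kind}: {value}")
```

For the posted role this reports the cluster-level action group and the `*` index pattern as the two items to review by hand; none of the listed index actions match a write probe.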