OK, I finally managed to get this to work.
The “dashboard” user which you called was actually being passed from my mTLS set-up between the dashboards server and OpenSearch.
I then went ahead and followed the default roles (the GitHub link, security/static_roles.yml at ae6ac7268d2733e8e38626b55f10447a8c1c6876 · opensearch-project/security, showed me the roles that pre-existed).
I only, for some reason, needed to add the ability to load the global_tenant via this dashboard user and map the kibana_server to it and Bob’s your uncle.
role_mappings.yml

```yaml
_meta:
  type: "rolesmapping"
  config_version: 2
all_access:
  reserved: false
  backend_roles:
    - "admin"
  description: "Maps admin to all_access"
own_index:
  reserved: false
  users:
    - "*"
  description: "Allow full access to an index named like the username"
logstash:
  reserved: false
  backend_roles:
    - "logstash"
kibana_user:
  reserved: false
  backend_roles:
    - "kibanauser"
  description: "Maps kibanauser to kibana_user"
readall:
  reserved: false
  backend_roles:
    - "readall"
manage_snapshots:
  reserved: false
  backend_roles:
    - "snapshotrestore"
kibana_server:
  reserved: true
  users:
    - "dashboard"
dashboard_role:
  reserved: true
  users:
    - "dashboard"
```
roles.yaml (excerpt, but the static roles with this one are really just it)

```yaml
_meta:
  type: "roles"
  config_version: 2
dashboard_role:
  reserved: true
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "kibana_all_read"
```
Again, thank you so much for your help; I couldn’t for the life of me have figured this one out on my own.
I hope this might come in handy for anyone else working with mTLS + dashboards.
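As an added example (not from the post above or the OpenSearch project), a small audit script for the roles_mapping / roles pair: it lists the roles the mTLS "dashboard" identity actually receives, flags mappings that point at roles defined nowhere, notes entries marked reserved (which the REST API and Dashboards UI then refuse to edit), and calls out wildcard tenant grants like the one above. The posted YAML is transcribed into Python dicts so the script runs offline (yaml.safe_load on the real files yields the same structures), and STATIC_ROLES is an assumed list of the plugin's built-in roles.

```python
"""Audit OpenSearch security roles_mapping / roles config (constructed example).
The dicts below mirror the YAML from the post; STATIC_ROLES is assumed."""

# Roles assumed to ship in the plugin's static_roles.yml (not read from disk here).
STATIC_ROLES = {"all_access", "own_index", "logstash", "kibana_user",
                "readall", "manage_snapshots", "kibana_server"}

ROLES_MAPPING = {  # transcribed from the posted role_mappings.yml (excerpt)
    "_meta": {"type": "rolesmapping", "config_version": 2},
    "all_access": {"reserved": False, "backend_roles": ["admin"]},
    "kibana_user": {"reserved": False, "backend_roles": ["kibanauser"]},
    "kibana_server": {"reserved": True, "users": ["dashboard"]},
    "dashboard_role": {"reserved": True, "users": ["dashboard"]},
}

ROLES = {  # transcribed from the posted roles.yaml
    "_meta": {"type": "roles", "config_version": 2},
    "dashboard_role": {
        "reserved": True,
        "tenant_permissions": [
            {"tenant_patterns": ["*"], "allowed_actions": ["kibana_all_read"]}
        ],
    },
}


def effective_roles(mapping, user):
    """Roles granted to a user directly via 'users' (backend_roles come from the authenticator)."""
    return {role for role, m in mapping.items()
            if role != "_meta" and user in m.get("users", [])}


def audit(mapping, roles, static_roles=STATIC_ROLES):
    """Return review findings for the two config documents as a list of strings."""
    findings = []
    defined = static_roles | {r for r in roles if r != "_meta"}
    for role, m in mapping.items():
        if role == "_meta":
            continue
        if role not in defined:
            findings.append(f"mapping '{role}' points at a role that is not defined anywhere")
        if m.get("reserved") and role not in static_roles:
            findings.append(f"'{role}' is reserved: editable only via securityadmin, not the REST API")
    for role, r in roles.items():
        if role == "_meta":
            continue
        for tp in r.get("tenant_permissions", []):
            if "*" in tp.get("tenant_patterns", []):
                findings.append(f"'{role}' grants {tp.get('allowed_actions')} on every tenant (pattern '*')")
    return findings
```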