Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.15.0
Describe the issue:
I want to use Dashboards UI to manage Security plugin users, roles, mappings etc. This should be possible according to documentation, but for the life of me I cannot get the Security tab to appear under plugins in OpenSearch Dashboards.
I am running mostly demo/default config Security plugin. I only changed the demo certificates and passwords and added a few users, the rest is unchanged.
I searched this forum for solutions and found in other similar topics that for REST API access to work you need to set plugins.security.restapi.roles_enabled: [ “all_access” ] in opensearch.yml on all nodes, which I did. After a rolling restart and executing securityadmin.sh script I am still unable to view Security tab in Dashboards.
This is possibly a configuration error I am failing to notice. If someone could take a look I would much appreciate it.
Configuration:
OpenSearch cluster is 7 nodes with dedicated stand-alone Dashboards server. In cluster there are 3 manager nodes and 4 data nodes. All nodes are running on Debian 12, OpenSearch installed from APT.
master node config:
opensearch.yml
cluster.name: os
node.name: os-master-01
node.roles: [ cluster_manager ]
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: [ "master2_ip", "master3_ip", "data1_ip", "data2_ip", "data3_ip", "data4_ip" ]
cluster.initial_cluster_manager_nodes: [ "os-master-01" ]
bootstrap.memory_lock: true
path.repo: [ "/mnt/os_snapshot_repo" ]
# This setting changed from OS 1 to 2, old default was 4096, new default 1024 causes problems with Graylog search
indices.query.bool.max_clause_count: 4096
# Set this to true to disable Security plugin. Also comment out all Security Plugin related lines.
plugins.security.disabled: false
plugins.security.restapi.roles_enabled: [ “all_access”, “security_rest_api_access” ]
plugins.security.ssl.transport.pemcert_filepath: "os-master-01.pem"
plugins.security.ssl.transport.pemkey_filepath: "os-master-01-key.pem"
plugins.security.ssl.transport.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: "os-master-01.pem"
plugins.security.ssl.http.pemkey_filepath: "os-master-01-key.pem"
plugins.security.ssl.http.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.nodes_dn:
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
plugins.security.authcz.admin_dn:
- "redacted"
The config on other 2 master nodes is identical.
internal_users.yml
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh
_meta:
type: "internalusers"
config_version: 2
# Define your internal users here
admin:
hash: "redacted"
reserved: true
backend_roles:
- "admin"
description: "Default admin user"
graylog:
hash: "redacted"
reserved: false
backend_roles:
- "admin"
description: "Graylog admin user"
zbx_mon:
hash: "redacted"
reserved: false
backend_roles:
- "admin"
description: "Zabbix monitoring user"
kibanaserver:
hash: "redacted"
reserved: true
description: "User for OpenSearch Dashboards server"
roles_mapping.yml
---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml
_meta:
type: "rolesmapping"
config_version: 2
# Define your roles mapping here
## Demo roles mapping
all_access:
reserved: false
backend_roles:
- "admin"
description: "Maps admin to all_access"
own_index:
reserved: false
users:
- "*"
description: "Allow full access to an index named like the username"
logstash:
reserved: false
backend_roles:
- "logstash"
kibana_user:
reserved: false
backend_roles:
- "kibanauser"
description: "Maps kibanauser to kibana_user"
readall:
reserved: false
backend_roles:
- "readall"
manage_snapshots:
reserved: false
backend_roles:
- "snapshotrestore"
kibana_server:
reserved: true
users:
- "kibanaserver"
In roles.yml I changed nothing
roles.yml
_meta:
type: "roles"
config_version: 2
# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
reserved: true
# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
reserved: true
security_rest_api_full_access:
reserved: true
cluster_permissions:
- 'restapi:admin/actiongroups'
- 'restapi:admin/allowlist'
- 'restapi:admin/config/update'
- 'restapi:admin/internalusers'
- 'restapi:admin/nodesdn'
- 'restapi:admin/roles'
- 'restapi:admin/rolesmapping'
- 'restapi:admin/ssl/certs/info'
- 'restapi:admin/ssl/certs/reload'
- 'restapi:admin/tenants'
# Allows users to view monitors, destinations and alerts
alerting_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/get'
- 'cluster:admin/opendistro/alerting/destination/get'
- 'cluster:admin/opendistro/alerting/monitor/get'
- 'cluster:admin/opendistro/alerting/monitor/search'
- 'cluster:admin/opensearch/alerting/findings/get'
- 'cluster:admin/opensearch/alerting/remote/indexes/get'
- 'cluster:admin/opensearch/alerting/workflow/get'
- 'cluster:admin/opensearch/alerting/workflow_alerts/get'
# Allows users to view and acknowledge alerts
alerting_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/alerting/alerts/*'
- 'cluster:admin/opendistro/alerting/chained_alerts/*'
- 'cluster:admin/opendistro/alerting/workflow_alerts/*'
# Allows users to use all alerting functionality
alerting_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/alerting/*'
- 'cluster:admin/opensearch/alerting/*'
- 'cluster:admin/opensearch/notifications/feature/publish'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/ad/detector/info'
- 'cluster:admin/opendistro/ad/detector/search'
- 'cluster:admin/opendistro/ad/detectors/get'
- 'cluster:admin/opendistro/ad/result/search'
- 'cluster:admin/opendistro/ad/tasks/search'
- 'cluster:admin/opendistro/ad/detector/validate'
- 'cluster:admin/opendistro/ad/result/topAnomalies'
# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opendistro/ad/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
# Allow users to execute read only k-NN actions
knn_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_stats_action'
# Allow users to use all k-NN functionality
knn_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/knn_training_model_action'
- 'cluster:admin/knn_training_job_router_action'
- 'cluster:admin/knn_training_job_route_decision_info_action'
- 'cluster:admin/knn_warmup_action'
- 'cluster:admin/knn_delete_model_action'
- 'cluster:admin/knn_remove_model_from_cache_action'
- 'cluster:admin/knn_update_model_graveyard_action'
- 'cluster:admin/knn_search_model_action'
- 'cluster:admin/knn_get_model_action'
- 'cluster:admin/knn_stats_action'
# Allow users to execute read only ip2geo datasource action
ip2geo_datasource_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/get'
# Allow users to use all ip2geo datasource action
ip2geo_datasource_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/geospatial/datasource/*'
# Allows users to read Notebooks
notebooks_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/list'
- 'cluster:admin/opendistro/notebooks/get'
# Allows users to all Notebooks functionality
notebooks_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/notebooks/create'
- 'cluster:admin/opendistro/notebooks/update'
- 'cluster:admin/opendistro/notebooks/delete'
- 'cluster:admin/opendistro/notebooks/get'
- 'cluster:admin/opendistro/notebooks/list'
# Allows users to read observability objects
observability_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/get'
# Allows users to all Observability functionality
observability_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/observability/create'
- 'cluster:admin/opensearch/observability/update'
- 'cluster:admin/opensearch/observability/delete'
- 'cluster:admin/opensearch/observability/get'
# Allows users to all PPL functionality
ppl_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ppl'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mappings/get'
- 'indices:data/read/search*'
- 'indices:monitor/settings/get'
# Allows users to read and download Reports
reports_instances_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to read and download Reports and Report-definitions
reports_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to all Reports functionality
reports_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/reports/definition/create'
- 'cluster:admin/opendistro/reports/definition/update'
- 'cluster:admin/opendistro/reports/definition/on_demand'
- 'cluster:admin/opendistro/reports/definition/delete'
- 'cluster:admin/opendistro/reports/definition/get'
- 'cluster:admin/opendistro/reports/definition/list'
- 'cluster:admin/opendistro/reports/instance/list'
- 'cluster:admin/opendistro/reports/instance/get'
- 'cluster:admin/opendistro/reports/menu/download'
# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:data/read/search*'
# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opendistro/asynchronous_search/get'
# Allows user to use all index_management actions - ism policies, rollups, transforms
index_management_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/opendistro/ism/*"
- "cluster:admin/opendistro/rollup/*"
- "cluster:admin/opendistro/transform/*"
- "cluster:admin/opensearch/controlcenter/lron/*"
- "cluster:admin/opensearch/notifications/channels/get"
- "cluster:admin/opensearch/notifications/feature/publish"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/opensearch/ism/*'
# Allows users to use all cross cluster replication functionality at leader cluster
cross_cluster_replication_leader_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/read/plugins/replication/changes"
- "indices:data/read/plugins/replication/file_chunk"
# Allows users to use all cross cluster replication functionality at follower cluster
cross_cluster_replication_follower_full_access:
reserved: true
cluster_permissions:
- "cluster:admin/plugins/replication/autofollow/update"
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- "indices:admin/plugins/replication/index/setup/validate"
- "indices:data/write/plugins/replication/changes"
- "indices:admin/plugins/replication/index/start"
- "indices:admin/plugins/replication/index/pause"
- "indices:admin/plugins/replication/index/resume"
- "indices:admin/plugins/replication/index/stop"
- "indices:admin/plugins/replication/index/update"
- "indices:admin/plugins/replication/index/status_check"
# Allows users to use all cross cluster search functionality at remote cluster
cross_cluster_search_remote_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/shards/search_shards'
- 'indices:data/read/search'
# Allow users to operate query assistant
ml_query_assistant_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/execute'
- 'cluster:admin/opensearch/ml/memory/conversation/create'
- 'cluster:admin/opensearch/ml/memory/interaction/create'
- 'cluster:admin/opensearch/ml/predict'
# Allow users to read ML stats/models/tasks
ml_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/ml/stats/nodes'
- 'cluster:admin/opensearch/ml/model_groups/search'
- 'cluster:admin/opensearch/ml/models/get'
- 'cluster:admin/opensearch/ml/models/search'
- 'cluster:admin/opensearch/ml/tasks/get'
- 'cluster:admin/opensearch/ml/tasks/search'
# Allows users to use all ML functionality
ml_full_access:
reserved: true
cluster_permissions:
- 'cluster_monitor'
- 'cluster:admin/opensearch/ml/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices_monitor'
# Allows users to use all Notifications functionality
notifications_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/*'
# Allows users to read Notifications config/channels
notifications_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/notifications/configs/get'
- 'cluster:admin/opensearch/notifications/features'
- 'cluster:admin/opensearch/notifications/channels/get'
# Allows users to use all snapshot management functionality
snapshot_management_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/snapshot_management/*'
- 'cluster:admin/opensearch/notifications/feature/publish'
- 'cluster:admin/repository/*'
- 'cluster:admin/snapshot/*'
# Allows users to see snapshots, repositories, and snapshot management policies
snapshot_management_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/snapshot_management/policy/get'
- 'cluster:admin/opensearch/snapshot_management/policy/search'
- 'cluster:admin/opensearch/snapshot_management/policy/explain'
- 'cluster:admin/repository/get'
- 'cluster:admin/snapshot/get'
# Allows user to use point in time functionality
point_in_time_full_access:
reserved: true
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'manage_point_in_time'
# Allows users to see security analytics detectors and others
security_analytics_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/get'
- 'cluster:admin/opensearch/securityanalytics/correlations/findings'
- 'cluster:admin/opensearch/securityanalytics/correlations/list'
- 'cluster:admin/opensearch/securityanalytics/detector/get'
- 'cluster:admin/opensearch/securityanalytics/detector/search'
- 'cluster:admin/opensearch/securityanalytics/findings/get'
- 'cluster:admin/opensearch/securityanalytics/logtype/search'
- 'cluster:admin/opensearch/securityanalytics/mapping/get'
- 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
- 'cluster:admin/opensearch/securityanalytics/rule/get'
- 'cluster:admin/opensearch/securityanalytics/rule/search'
# Allows users to use all security analytics functionality
security_analytics_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
- 'cluster:admin/opensearch/securityanalytics/correlations/*'
- 'cluster:admin/opensearch/securityanalytics/detector/*'
- 'cluster:admin/opensearch/securityanalytics/findings/*'
- 'cluster:admin/opensearch/securityanalytics/logtype/*'
- 'cluster:admin/opensearch/securityanalytics/mapping/*'
- 'cluster:admin/opensearch/securityanalytics/rule/*'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/mapping/put'
- 'indices:admin/mappings/get'
# Allows users to view and acknowledge alerts
security_analytics_ack_alerts:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/securityanalytics/alerts/*'
# Allows users to use all Flow Framework functionality
flow_framework_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/*'
- 'cluster_monitor'
index_permissions:
- index_patterns:
- '*'
allowed_actions:
- 'indices:admin/aliases/get'
- 'indices:admin/mappings/get'
- 'indices_monitor'
# Allow users to read flow framework's workflows and their state
flow_framework_read_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/flow_framework/workflow/get'
- 'cluster:admin/opensearch/flow_framework/workflow/search'
- 'cluster:admin/opensearch/flow_framework/workflow_state/get'
- 'cluster:admin/opensearch/flow_framework/workflow_state/search'
- 'cluster:admin/opensearch/flow_framework/workflow_step/get'
# Allows users to use all query insights APIs
query_insights_full_access:
reserved: true
cluster_permissions:
- 'cluster:admin/opensearch/insights/top_queries/*'
index_permissions:
- index_patterns:
- 'top_queries_by_*'
allowed_actions:
- "indices_all"
Data1 node config
opensearch.yml
cluster.name: os
node.name: os-data-01
node.roles: [ data ]
path.data: /data
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: [ "master1_ip", "master2_ip", "master3_ip", "data2_ip", "data3_ip", "data4_ip" ]
cluster.initial_cluster_manager_nodes: [ "os-master-01" ]
bootstrap.memory_lock: true
path.repo: [ "/mnt/os_snapshot_repo" ]
# This setting changed from OS 1 to 2, old default was 4096, new default 1024 causes problems with Graylog search
indices.query.bool.max_clause_count: 4096
# Set this to true to disable Security plugin. Also comment out all Security Plugin related lines.
plugins.security.disabled: false
plugins.security.restapi.roles_enabled: [ “all_access”, “security_rest_api_access” ]
plugins.security.ssl.transport.pemcert_filepath: "os-data-01.pem"
plugins.security.ssl.transport.pemkey_filepath: "os-data-01-key.pem"
plugins.security.ssl.transport.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: "os-data-01.pem"
plugins.security.ssl.http.pemkey_filepath: "os-data-01-key.pem"
plugins.security.ssl.http.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.nodes_dn:
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
- "redacted"
plugins.security.authcz.admin_dn:
- "redacted"
The config on other 3 data nodes is identical.
Dashboards server
opensearch_dashboards.yml
# Dashboards server conf
server.host: 0.0.0.0
server.port: 5601
server.name: redacted
opensearch.hosts: [ master1_ip,master2_ip,master3_ip]
logging.dest: "/var/log/opensearch-dashboards/opensearch-dashboards.log"
logging.verbose: true
# Security config
opensearch_security.enabled: true
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","saml"]
opensearch.username: kibanaserver
opensearch.password: redacted
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
# Change sign-in button appearance
#opensearch_security.ui.saml.login.buttonname: "Log on with SAML"
#opensearch_security.ui.saml.login.brandimage
#opensearch_security.ui.saml.login.showbrandimage
# End user <--> Dashboards web server TLS
server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/os-dashboards-01.pem
server.ssl.key: /etc/opensearch-dashboards/os-dashboards-01-key.pem
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'
opensearch.ssl.verificationMode: full
# Set this setting false if you are running Dashboards without HTTPS
opensearch_security.cookie.secure: true
Relevant Logs or Screenshots:
Found nothing relevant in logs. I am using admin user to log into Dashboards, the roles and identities for this user in Dashboards: