Cannot see Security Dashboard tab in OpenSearch Dashboards under plugins

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.15.0

Describe the issue:

I want to use Dashboards UI to manage Security plugin users, roles, mappings etc. This should be possible according to documentation, but for the life of me I cannot get the Security tab to appear under plugins in OpenSearch Dashboards.

I am running mostly demo/default config Security plugin. I only changed the demo certificates and passwords and added a few users, the rest is unchanged.

I searched this forum for solutions and found in other similar topics that for REST API access to work you need to set plugins.security.restapi.roles_enabled: [ “all_access” ] in opensearch.yml on all nodes, which I did. After a rolling restart and executing the securityadmin.sh script I am still unable to view the Security tab in Dashboards.

This is possibly a configuration error I am failing to notice. If someone could take a look I would much appreciate it.

Configuration:

The OpenSearch cluster is 7 nodes with a dedicated stand-alone Dashboards server. In the cluster there are 3 manager nodes and 4 data nodes. All nodes are running on Debian 12, OpenSearch installed from APT.

master node config:

opensearch.yml
cluster.name: os
node.name: os-master-01
node.roles: [ cluster_manager ]
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: [ "master2_ip", "master3_ip", "data1_ip", "data2_ip", "data3_ip", "data4_ip" ]
cluster.initial_cluster_manager_nodes: [ "os-master-01" ]
bootstrap.memory_lock: true
path.repo: [ "/mnt/os_snapshot_repo" ]

# This setting changed from OS 1 to 2, old default was 4096, new default 1024 causes problems with Graylog search
indices.query.bool.max_clause_count: 4096

# Set this to true to disable Security plugin. Also comment out all Security Plugin related lines.
plugins.security.disabled: false
plugins.security.restapi.roles_enabled: [ “all_access”, “security_rest_api_access” ]

plugins.security.ssl.transport.pemcert_filepath: "os-master-01.pem"
plugins.security.ssl.transport.pemkey_filepath: "os-master-01-key.pem"
plugins.security.ssl.transport.pemtrustedcas_filepath: "root-ca.pem"

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: "os-master-01.pem"
plugins.security.ssl.http.pemkey_filepath: "os-master-01-key.pem"
plugins.security.ssl.http.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.nodes_dn:
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
plugins.security.authcz.admin_dn:
  - "redacted"

The config on the other 2 master nodes is identical.

internal_users.yml
---
# This is the internal user database
# The hash value is a bcrypt hash and can be generated with plugin/tools/hash.sh

_meta:
  type: "internalusers"
  config_version: 2

# Define your internal users here

admin:
  hash: "redacted"
  reserved: true
  backend_roles:
  - "admin"
  description: "Default admin user"

graylog:
  hash: "redacted"
  reserved: false
  backend_roles:
  - "admin"
  description: "Graylog admin user"

zbx_mon:
  hash: "redacted"
  reserved: false
  backend_roles:
  - "admin"
  description: "Zabbix monitoring user"

kibanaserver:
  hash: "redacted"
  reserved: true
  description: "User for OpenSearch Dashboards server"

roles_mapping.yml
---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml

_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here

## Demo roles mapping

all_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  backend_roles:
  - "logstash"

kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"
  description: "Maps kibanauser to kibana_user"

readall:
  reserved: false
  backend_roles:
  - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"

In roles.yml I changed nothing

roles.yml
_meta:
  type: "roles"
  config_version: 2

# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
  reserved: true

# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
  reserved: true

security_rest_api_full_access:
  reserved: true
  cluster_permissions:
    - 'restapi:admin/actiongroups'
    - 'restapi:admin/allowlist'
    - 'restapi:admin/config/update'
    - 'restapi:admin/internalusers'
    - 'restapi:admin/nodesdn'
    - 'restapi:admin/roles'
    - 'restapi:admin/rolesmapping'
    - 'restapi:admin/ssl/certs/info'
    - 'restapi:admin/ssl/certs/reload'
    - 'restapi:admin/tenants'

# Allows users to view monitors, destinations and alerts
alerting_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/alerting/alerts/get'
    - 'cluster:admin/opendistro/alerting/destination/get'
    - 'cluster:admin/opendistro/alerting/monitor/get'
    - 'cluster:admin/opendistro/alerting/monitor/search'
    - 'cluster:admin/opensearch/alerting/findings/get'
    - 'cluster:admin/opensearch/alerting/remote/indexes/get'
    - 'cluster:admin/opensearch/alerting/workflow/get'
    - 'cluster:admin/opensearch/alerting/workflow_alerts/get'

# Allows users to view and acknowledge alerts
alerting_ack_alerts:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/alerting/alerts/*'
    - 'cluster:admin/opendistro/alerting/chained_alerts/*'
    - 'cluster:admin/opendistro/alerting/workflow_alerts/*'

# Allows users to use all alerting functionality
alerting_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster:admin/opendistro/alerting/*'
    - 'cluster:admin/opensearch/alerting/*'
    - 'cluster:admin/opensearch/notifications/feature/publish'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/aliases/get'
        - 'indices:admin/mappings/get'

# Allow users to read Anomaly Detection detectors and results
anomaly_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/ad/detector/info'
    - 'cluster:admin/opendistro/ad/detector/search'
    - 'cluster:admin/opendistro/ad/detectors/get'
    - 'cluster:admin/opendistro/ad/result/search'
    - 'cluster:admin/opendistro/ad/tasks/search'
    - 'cluster:admin/opendistro/ad/detector/validate'
    - 'cluster:admin/opendistro/ad/result/topAnomalies'

# Allows users to use all Anomaly Detection functionality
anomaly_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster:admin/opendistro/ad/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'
        - 'indices:admin/aliases/get'
        - 'indices:admin/mappings/get'

# Allow users to execute read only k-NN actions
knn_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/knn_search_model_action'
    - 'cluster:admin/knn_get_model_action'
    - 'cluster:admin/knn_stats_action'

# Allow users to use all k-NN functionality
knn_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/knn_training_model_action'
    - 'cluster:admin/knn_training_job_router_action'
    - 'cluster:admin/knn_training_job_route_decision_info_action'
    - 'cluster:admin/knn_warmup_action'
    - 'cluster:admin/knn_delete_model_action'
    - 'cluster:admin/knn_remove_model_from_cache_action'
    - 'cluster:admin/knn_update_model_graveyard_action'
    - 'cluster:admin/knn_search_model_action'
    - 'cluster:admin/knn_get_model_action'
    - 'cluster:admin/knn_stats_action'

# Allow users to execute read only ip2geo datasource action
ip2geo_datasource_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/geospatial/datasource/get'

# Allow users to use all ip2geo datasource action
ip2geo_datasource_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/geospatial/datasource/*'

# Allows users to read Notebooks
notebooks_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/notebooks/list'
    - 'cluster:admin/opendistro/notebooks/get'

# Allows users to all Notebooks functionality
notebooks_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/notebooks/create'
    - 'cluster:admin/opendistro/notebooks/update'
    - 'cluster:admin/opendistro/notebooks/delete'
    - 'cluster:admin/opendistro/notebooks/get'
    - 'cluster:admin/opendistro/notebooks/list'

# Allows users to read observability objects
observability_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/observability/get'

# Allows users to all Observability functionality
observability_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/observability/create'
    - 'cluster:admin/opensearch/observability/update'
    - 'cluster:admin/opensearch/observability/delete'
    - 'cluster:admin/opensearch/observability/get'

# Allows users to all PPL functionality
ppl_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ppl'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/mappings/get'
        - 'indices:data/read/search*'
        - 'indices:monitor/settings/get'

# Allows users to read and download Reports
reports_instances_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/reports/instance/list'
    - 'cluster:admin/opendistro/reports/instance/get'
    - 'cluster:admin/opendistro/reports/menu/download'

# Allows users to read and download Reports and Report-definitions
reports_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/reports/definition/get'
    - 'cluster:admin/opendistro/reports/definition/list'
    - 'cluster:admin/opendistro/reports/instance/list'
    - 'cluster:admin/opendistro/reports/instance/get'
    - 'cluster:admin/opendistro/reports/menu/download'

# Allows users to all Reports functionality
reports_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/reports/definition/create'
    - 'cluster:admin/opendistro/reports/definition/update'
    - 'cluster:admin/opendistro/reports/definition/on_demand'
    - 'cluster:admin/opendistro/reports/definition/delete'
    - 'cluster:admin/opendistro/reports/definition/get'
    - 'cluster:admin/opendistro/reports/definition/list'
    - 'cluster:admin/opendistro/reports/instance/list'
    - 'cluster:admin/opendistro/reports/instance/get'
    - 'cluster:admin/opendistro/reports/menu/download'

# Allows users to use all asynchronous-search functionality
asynchronous_search_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/asynchronous_search/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:data/read/search*'

# Allows users to read stored asynchronous-search results
asynchronous_search_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opendistro/asynchronous_search/get'

# Allows user to use all index_management actions - ism policies, rollups, transforms
index_management_full_access:
  reserved: true
  cluster_permissions:
    - "cluster:admin/opendistro/ism/*"
    - "cluster:admin/opendistro/rollup/*"
    - "cluster:admin/opendistro/transform/*"
    - "cluster:admin/opensearch/controlcenter/lron/*"
    - "cluster:admin/opensearch/notifications/channels/get"
    - "cluster:admin/opensearch/notifications/feature/publish"
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/opensearch/ism/*'

# Allows users to use all cross cluster replication functionality at leader cluster
cross_cluster_replication_leader_full_access:
  reserved: true
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/read/plugins/replication/changes"
        - "indices:data/read/plugins/replication/file_chunk"

# Allows users to use all cross cluster replication functionality at follower cluster
cross_cluster_replication_follower_full_access:
  reserved: true
  cluster_permissions:
    - "cluster:admin/plugins/replication/autofollow/update"
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - "indices:admin/plugins/replication/index/setup/validate"
        - "indices:data/write/plugins/replication/changes"
        - "indices:admin/plugins/replication/index/start"
        - "indices:admin/plugins/replication/index/pause"
        - "indices:admin/plugins/replication/index/resume"
        - "indices:admin/plugins/replication/index/stop"
        - "indices:admin/plugins/replication/index/update"
        - "indices:admin/plugins/replication/index/status_check"

# Allows users to use all cross cluster search functionality at remote cluster
cross_cluster_search_remote_full_access:
  reserved: true
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/shards/search_shards'
        - 'indices:data/read/search'

# Allow users to operate query assistant
ml_query_assistant_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/execute'
    - 'cluster:admin/opensearch/ml/memory/conversation/create'
    - 'cluster:admin/opensearch/ml/memory/interaction/create'
    - 'cluster:admin/opensearch/ml/predict'

# Allow users to read ML stats/models/tasks
ml_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ml/stats/nodes'
    - 'cluster:admin/opensearch/ml/model_groups/search'
    - 'cluster:admin/opensearch/ml/models/get'
    - 'cluster:admin/opensearch/ml/models/search'
    - 'cluster:admin/opensearch/ml/tasks/get'
    - 'cluster:admin/opensearch/ml/tasks/search'

# Allows users to use all ML functionality
ml_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster:admin/opensearch/ml/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices_monitor'

# Allows users to use all Notifications functionality
notifications_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/notifications/*'

# Allows users to read Notifications config/channels
notifications_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/notifications/configs/get'
    - 'cluster:admin/opensearch/notifications/features'
    - 'cluster:admin/opensearch/notifications/channels/get'

# Allows users to use all snapshot management functionality
snapshot_management_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/snapshot_management/*'
    - 'cluster:admin/opensearch/notifications/feature/publish'
    - 'cluster:admin/repository/*'
    - 'cluster:admin/snapshot/*'

# Allows users to see snapshots, repositories, and snapshot management policies
snapshot_management_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/snapshot_management/policy/get'
    - 'cluster:admin/opensearch/snapshot_management/policy/search'
    - 'cluster:admin/opensearch/snapshot_management/policy/explain'
    - 'cluster:admin/repository/get'
    - 'cluster:admin/snapshot/get'

# Allows user to use point in time functionality
point_in_time_full_access:
  reserved: true
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'manage_point_in_time'

# Allows users to see security analytics detectors and others
security_analytics_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/get'
    - 'cluster:admin/opensearch/securityanalytics/correlations/findings'
    - 'cluster:admin/opensearch/securityanalytics/correlations/list'
    - 'cluster:admin/opensearch/securityanalytics/detector/get'
    - 'cluster:admin/opensearch/securityanalytics/detector/search'
    - 'cluster:admin/opensearch/securityanalytics/findings/get'
    - 'cluster:admin/opensearch/securityanalytics/logtype/search'
    - 'cluster:admin/opensearch/securityanalytics/mapping/get'
    - 'cluster:admin/opensearch/securityanalytics/mapping/view/get'
    - 'cluster:admin/opensearch/securityanalytics/rule/get'
    - 'cluster:admin/opensearch/securityanalytics/rule/search'

# Allows users to use all security analytics functionality
security_analytics_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/*'
    - 'cluster:admin/opensearch/securityanalytics/correlations/*'
    - 'cluster:admin/opensearch/securityanalytics/detector/*'
    - 'cluster:admin/opensearch/securityanalytics/findings/*'
    - 'cluster:admin/opensearch/securityanalytics/logtype/*'
    - 'cluster:admin/opensearch/securityanalytics/mapping/*'
    - 'cluster:admin/opensearch/securityanalytics/rule/*'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/mapping/put'
        - 'indices:admin/mappings/get'

# Allows users to view and acknowledge alerts
security_analytics_ack_alerts:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/securityanalytics/alerts/*'

# Allows users to use all Flow Framework functionality
flow_framework_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/flow_framework/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/aliases/get'
        - 'indices:admin/mappings/get'
        - 'indices_monitor'

# Allow users to read flow framework's workflows and their state
flow_framework_read_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/flow_framework/workflow/get'
    - 'cluster:admin/opensearch/flow_framework/workflow/search'
    - 'cluster:admin/opensearch/flow_framework/workflow_state/get'
    - 'cluster:admin/opensearch/flow_framework/workflow_state/search'
    - 'cluster:admin/opensearch/flow_framework/workflow_step/get'

# Allows users to use all query insights APIs
query_insights_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/insights/top_queries/*'
  index_permissions:
    - index_patterns:
        - 'top_queries_by_*'
      allowed_actions:
        - "indices_all"

Data1 node config

opensearch.yml
cluster.name: os
node.name: os-data-01
node.roles: [ data ]
path.data: /data
path.logs: /var/log/opensearch
network.host: 0.0.0.0
discovery.seed_hosts: [ "master1_ip", "master2_ip", "master3_ip", "data2_ip", "data3_ip", "data4_ip" ]
cluster.initial_cluster_manager_nodes: [ "os-master-01" ]
bootstrap.memory_lock: true
path.repo: [ "/mnt/os_snapshot_repo" ]

# This setting changed from OS 1 to 2, old default was 4096, new default 1024 causes problems with Graylog search
indices.query.bool.max_clause_count: 4096

# Set this to true to disable Security plugin. Also comment out all Security Plugin related lines.
plugins.security.disabled: false
plugins.security.restapi.roles_enabled: [ “all_access”, “security_rest_api_access” ]

plugins.security.ssl.transport.pemcert_filepath: "os-data-01.pem"
plugins.security.ssl.transport.pemkey_filepath: "os-data-01-key.pem"
plugins.security.ssl.transport.pemtrustedcas_filepath: "root-ca.pem"

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: "os-data-01.pem"
plugins.security.ssl.http.pemkey_filepath: "os-data-01-key.pem"
plugins.security.ssl.http.pemtrustedcas_filepath: "root-ca.pem"
plugins.security.nodes_dn:
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
  - "redacted"
plugins.security.authcz.admin_dn:
  - "redacted"

The config on the other 3 data nodes is identical.

Dashboards server

opensearch_dashboards.yml
# Dashboards server conf
server.host: 0.0.0.0
server.port: 5601
server.name: redacted
opensearch.hosts: [ master1_ip,master2_ip,master3_ip]

logging.dest: "/var/log/opensearch-dashboards/opensearch-dashboards.log"
logging.verbose: true

# Security config

opensearch_security.enabled: true
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","saml"]
opensearch.username: kibanaserver
opensearch.password: redacted
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]

# Change sign-in button appearance
#opensearch_security.ui.saml.login.buttonname: "Log on with SAML"
#opensearch_security.ui.saml.login.brandimage
#opensearch_security.ui.saml.login.showbrandimage

# End user <--> Dashboards web server TLS

server.ssl.enabled: true
server.ssl.certificate: /etc/opensearch-dashboards/os-dashboards-01.pem
server.ssl.key: /etc/opensearch-dashboards/os-dashboards-01-key.pem
opensearch.ssl.certificateAuthorities: [ "/etc/opensearch-dashboards/root-ca.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'
opensearch.ssl.verificationMode: full
# Set this setting false if you are running Dashboards without HTTPS
opensearch_security.cookie.secure: true

Relevant Logs or Screenshots:

Found nothing relevant in logs. I am using admin user to log into Dashboards, the roles and identities for this user in Dashboards:

Hi @ovreba,

If I got you correctly, what you are looking for is under Management - Security:

Best,
mj

Hi @Mantas, thank you for the reply.

I am unable to locate the Security tab referred to in the documentation here under any of the menus on the left.

Could you run the below in your Dev Tools and share the output:


GET _plugins/_security/authinfo

GET _plugins/_security/api/securityconfig

GET _plugins/_security/authinfo

{
  "user": "User [name=admin, backend_roles=[admin], requestedTenant=]",
  "user_name": "admin",
  "user_requested_tenant": "",
  "remote_address": "dashboards_ip:37012",
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "roles": [
    "own_index",
    "all_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin_tenant": true,
    "admin": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

GET _plugins/_security/api/securityconfig

{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: User admin with Security roles [own_index, all_access] does not have any role privileged for admin access. No client TLS certificate found in request"
}

^This raises some eyebrows

Could you test by mapping your admin user to security_rest_api_full_access:

security_rest_api_full_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to security_rest_api_full_access"

best,
mj

Applied the mapping to roles_mapping.yml and executed securityadmin.sh

GET _plugins/_security/api/securityconfig:

{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: User admin with Security roles [security_rest_api_full_access, own_index, all_access] does not have any role privileged for admin access. No client TLS certificate found in request"
}

And what are you getting at the moment with:

GET _plugins/_security/authinfo

GET _plugins/_security/authinfo

{
  "user": "User [name=admin, backend_roles=[admin], requestedTenant=]",
  "user_name": "admin",
  "user_requested_tenant": "",
  "remote_address": "dashboards_ip:37036",
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "roles": [
    "security_rest_api_full_access",
    "own_index",
    "all_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin_tenant": true,
    "admin": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

I'll run some tests in my lab and get back to you…

Just as a sanity check, are you able to verify that the security plugin is installed on every node in your cluster?

GET /_cat/plugins

Yes, all default plugins seem to be present on all nodes (including Security).

GET /_cat/plugins
os-master-03 opensearch-alerting                  2.15.0.0
os-master-03 opensearch-anomaly-detection         2.15.0.0
os-master-03 opensearch-asynchronous-search       2.15.0.0
os-master-03 opensearch-cross-cluster-replication 2.15.0.0
os-master-03 opensearch-custom-codecs             2.15.0.0
os-master-03 opensearch-flow-framework            2.15.0.0
os-master-03 opensearch-geospatial                2.15.0.0
os-master-03 opensearch-index-management          2.15.0.0
os-master-03 opensearch-job-scheduler             2.15.0.0
os-master-03 opensearch-knn                       2.15.0.0
os-master-03 opensearch-ml                        2.15.0.0
os-master-03 opensearch-neural-search             2.15.0.0
os-master-03 opensearch-notifications             2.15.0.0
os-master-03 opensearch-notifications-core        2.15.0.0
os-master-03 opensearch-observability             2.15.0.0
os-master-03 opensearch-performance-analyzer      2.15.0.0
os-master-03 opensearch-reports-scheduler         2.15.0.0
os-master-03 opensearch-security                  2.15.0.0
os-master-03 opensearch-security-analytics        2.15.0.0
os-master-03 opensearch-skills                    2.15.0.0
os-master-03 opensearch-sql                       2.15.0.0
os-master-02 opensearch-alerting                  2.15.0.0
os-master-02 opensearch-anomaly-detection         2.15.0.0
os-master-02 opensearch-asynchronous-search       2.15.0.0
os-master-02 opensearch-cross-cluster-replication 2.15.0.0
os-master-02 opensearch-custom-codecs             2.15.0.0
os-master-02 opensearch-flow-framework            2.15.0.0
os-master-02 opensearch-geospatial                2.15.0.0
os-master-02 opensearch-index-management          2.15.0.0
os-master-02 opensearch-job-scheduler             2.15.0.0
os-master-02 opensearch-knn                       2.15.0.0
os-master-02 opensearch-ml                        2.15.0.0
os-master-02 opensearch-neural-search             2.15.0.0
os-master-02 opensearch-notifications             2.15.0.0
os-master-02 opensearch-notifications-core        2.15.0.0
os-master-02 opensearch-observability             2.15.0.0
os-master-02 opensearch-performance-analyzer      2.15.0.0
os-master-02 opensearch-reports-scheduler         2.15.0.0
os-master-02 opensearch-security                  2.15.0.0
os-master-02 opensearch-security-analytics        2.15.0.0
os-master-02 opensearch-skills                    2.15.0.0
os-master-02 opensearch-sql                       2.15.0.0
os-data-04   opensearch-alerting                  2.15.0.0
os-data-04   opensearch-anomaly-detection         2.15.0.0
os-data-04   opensearch-asynchronous-search       2.15.0.0
os-data-04   opensearch-cross-cluster-replication 2.15.0.0
os-data-04   opensearch-custom-codecs             2.15.0.0
os-data-04   opensearch-flow-framework            2.15.0.0
os-data-04   opensearch-geospatial                2.15.0.0
os-data-04   opensearch-index-management          2.15.0.0
os-data-04   opensearch-job-scheduler             2.15.0.0
os-data-04   opensearch-knn                       2.15.0.0
os-data-04   opensearch-ml                        2.15.0.0
os-data-04   opensearch-neural-search             2.15.0.0
os-data-04   opensearch-notifications             2.15.0.0
os-data-04   opensearch-notifications-core        2.15.0.0
os-data-04   opensearch-observability             2.15.0.0
os-data-04   opensearch-performance-analyzer      2.15.0.0
os-data-04   opensearch-reports-scheduler         2.15.0.0
os-data-04   opensearch-security                  2.15.0.0
os-data-04   opensearch-security-analytics        2.15.0.0
os-data-04   opensearch-skills                    2.15.0.0
os-data-04   opensearch-sql                       2.15.0.0
os-data-03   opensearch-alerting                  2.15.0.0
os-data-03   opensearch-anomaly-detection         2.15.0.0
os-data-03   opensearch-asynchronous-search       2.15.0.0
os-data-03   opensearch-cross-cluster-replication 2.15.0.0
os-data-03   opensearch-custom-codecs             2.15.0.0
os-data-03   opensearch-flow-framework            2.15.0.0
os-data-03   opensearch-geospatial                2.15.0.0
os-data-03   opensearch-index-management          2.15.0.0
os-data-03   opensearch-job-scheduler             2.15.0.0
os-data-03   opensearch-knn                       2.15.0.0
os-data-03   opensearch-ml                        2.15.0.0
os-data-03   opensearch-neural-search             2.15.0.0
os-data-03   opensearch-notifications             2.15.0.0
os-data-03   opensearch-notifications-core        2.15.0.0
os-data-03   opensearch-observability             2.15.0.0
os-data-03   opensearch-performance-analyzer      2.15.0.0
os-data-03   opensearch-reports-scheduler         2.15.0.0
os-data-03   opensearch-security                  2.15.0.0
os-data-03   opensearch-security-analytics        2.15.0.0
os-data-03   opensearch-skills                    2.15.0.0
os-data-03   opensearch-sql                       2.15.0.0
os-data-02   opensearch-alerting                  2.15.0.0
os-data-02   opensearch-anomaly-detection         2.15.0.0
os-data-02   opensearch-asynchronous-search       2.15.0.0
os-data-02   opensearch-cross-cluster-replication 2.15.0.0
os-data-02   opensearch-custom-codecs             2.15.0.0
os-data-02   opensearch-flow-framework            2.15.0.0
os-data-02   opensearch-geospatial                2.15.0.0
os-data-02   opensearch-index-management          2.15.0.0
os-data-02   opensearch-job-scheduler             2.15.0.0
os-data-02   opensearch-knn                       2.15.0.0
os-data-02   opensearch-ml                        2.15.0.0
os-data-02   opensearch-neural-search             2.15.0.0
os-data-02   opensearch-notifications             2.15.0.0
os-data-02   opensearch-notifications-core        2.15.0.0
os-data-02   opensearch-observability             2.15.0.0
os-data-02   opensearch-performance-analyzer      2.15.0.0
os-data-02   opensearch-reports-scheduler         2.15.0.0
os-data-02   opensearch-security                  2.15.0.0
os-data-02   opensearch-security-analytics        2.15.0.0
os-data-02   opensearch-skills                    2.15.0.0
os-data-02   opensearch-sql                       2.15.0.0
os-data-01   opensearch-alerting                  2.15.0.0
os-data-01   opensearch-anomaly-detection         2.15.0.0
os-data-01   opensearch-asynchronous-search       2.15.0.0
os-data-01   opensearch-cross-cluster-replication 2.15.0.0
os-data-01   opensearch-custom-codecs             2.15.0.0
os-data-01   opensearch-flow-framework            2.15.0.0
os-data-01   opensearch-geospatial                2.15.0.0
os-data-01   opensearch-index-management          2.15.0.0
os-data-01   opensearch-job-scheduler             2.15.0.0
os-data-01   opensearch-knn                       2.15.0.0
os-data-01   opensearch-ml                        2.15.0.0
os-data-01   opensearch-neural-search             2.15.0.0
os-data-01   opensearch-notifications             2.15.0.0
os-data-01   opensearch-notifications-core        2.15.0.0
os-data-01   opensearch-observability             2.15.0.0
os-data-01   opensearch-performance-analyzer      2.15.0.0
os-data-01   opensearch-reports-scheduler         2.15.0.0
os-data-01   opensearch-security                  2.15.0.0
os-data-01   opensearch-security-analytics        2.15.0.0
os-data-01   opensearch-skills                    2.15.0.0
os-data-01   opensearch-sql                       2.15.0.0
os-master-01 opensearch-alerting                  2.15.0.0
os-master-01 opensearch-anomaly-detection         2.15.0.0
os-master-01 opensearch-asynchronous-search       2.15.0.0
os-master-01 opensearch-cross-cluster-replication 2.15.0.0
os-master-01 opensearch-custom-codecs             2.15.0.0
os-master-01 opensearch-flow-framework            2.15.0.0
os-master-01 opensearch-geospatial                2.15.0.0
os-master-01 opensearch-index-management          2.15.0.0
os-master-01 opensearch-job-scheduler             2.15.0.0
os-master-01 opensearch-knn                       2.15.0.0
os-master-01 opensearch-ml                        2.15.0.0
os-master-01 opensearch-neural-search             2.15.0.0
os-master-01 opensearch-notifications             2.15.0.0
os-master-01 opensearch-notifications-core        2.15.0.0
os-master-01 opensearch-observability             2.15.0.0
os-master-01 opensearch-performance-analyzer      2.15.0.0
os-master-01 opensearch-reports-scheduler         2.15.0.0
os-master-01 opensearch-security                  2.15.0.0
os-master-01 opensearch-security-analytics        2.15.0.0
os-master-01 opensearch-skills                    2.15.0.0
os-master-01 opensearch-sql                       2.15.0.0

Maybe worth mentioning that everything else works great, just this one permission(?) issue.

We are using version 2.15.0 since this cluster is at the moment still serving Graylog and that’s the maximum currently supported version.

We are planning to move away from Graylog to purely OpenSearch, getting Dashboards to properly work is a big part of that.

Small update. I configured SAML for Dashboards login. Mapped SAML role “OpenSearch Administrator” to all_access backend role. I am able to manage indices, snapshots etc. in Dashboards, yet no “Security” tab appears.

Does the all_access role not have the correct permissions for this? Should I map or create some new roles?

The all_access should have enough permissions out of the box…

{"status":"FORBIDDEN","message":"No permission to access REST API: User admin with Open Distro Security Roles [all_access, own_index] does not have any role privileged for admin access. **No client TLS certificate found in request**"}

So I need to figure out why this error is happening. To my understanding, access to the REST API is controlled by the parameter plugins.security.restapi.roles_enabled, which I have added the role “all_access” to on all nodes in my cluster.

Maybe this setting has not taken effect, any way to check it?

Have you restarted your nodes after updating cluster settings (in .yml files)?

Could you also share your config.yml?

Yes, I did a rolling restart on all nodes after adding plugins.security.restapi.roles_enabled: [ “all_access”, “security_rest_api_access” ] to all nodes’ opensearch.yml

I did it again just now just to make sure.

Here is my Security config:

config.yml
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging)
#   clientcert (not challenging, needs https)
#   jwt (not challenging)
#   host (not challenging) #DEPRECATED, will be removed in a future version.
#                          host based authentication is configurable in roles_mapping

# Authc
#   internal
#   noop
#   ldap

# Authz
#   ldap
#   noop


_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    kibana:
      # Kibana multitenancy
      multitenancy_enabled: true
      private_tenant_enabled: true
      default_tenant: ""
      server_username: kibanaserver
      index: '.kibana'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: "redacted"
              entity_id: opensearch
            sp:
              entity_id: "https://<dashboards_ip>:5601"
            roles_key: roles
            kibana_url: "https://<dashboards_ip>:5601"
            exchange_key: "redacted"
        authentication_backend:
          type: noop

Is your OpenSearch Dashboards also version 2.15.0?

Interesting, all looks good… could you test the behaviour with the SAML disabled?

Yes, Dashboards is also 2.15.0

I had this problem before configuring SAML. For testing I set SAML disabled, ran securityadmin.sh, logged in with the demo admin account and still I get the error.

{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: User admin with Security roles [security_rest_api_full_access, own_index, all_access] does not have any role privileged for admin access. No client TLS certificate found in request"
}

Hi @ovreba,

I did some more digging, and it looks like the error only happens when the setting "plugins.security.restapi.roles_enabled: [all_access, security_rest_api_access]" is turned off.

Is a full reboot an option on your cluster (not a rolling one)? (NOTE: Review all nodes to ensure the setting is enabled on all opensearch.yml(s).)

{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: Role based access not enabled.. No client TLS certificate found in request"
}
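
One way to do the per-node review of opensearch.yml suggested above, as an added example that is not part of any post in this thread: it reads the roles_enabled line the way a YAML parser does and compares the result with the roles named in the FORBIDDEN message. It assumes the setting is written as a one-line flow list and that the curly quotes shown in this thread's copy of the line may also be present in the file (the page does not establish whether they are); all function names are hypothetical.

```python
import re

KEY = "plugins.security.restapi.roles_enabled"
CURLY = "\u201c\u201d\u2018\u2019"  # typographic double and single quotes

def configured_roles(yml_text):
    """Role names as a YAML parser reads them from a one-line flow list; None if unset."""
    for line in yml_text.splitlines():
        line = line.strip()
        if not line.startswith(KEY):  # also skips commented-out copies
            continue
        m = re.search(r"\[(.*?)\]", line.partition(":")[2])
        roles = []
        for item in (m.group(1).split(",") if m else []):
            item = item.strip()
            # Only ASCII ' and " are YAML quote indicators; curly quotes
            # are ordinary characters and stay part of the role name.
            if len(item) >= 2 and item[0] == item[-1] and item[0] in "\"'":
                item = item[1:-1]
            if item:
                roles.append(item)
        return roles
    return None

def roles_in_error(message):
    """Roles the cluster resolved for the user, taken from the FORBIDDEN message."""
    m = re.search(r"Security [Rr]oles \[([^\]]*)\]", message)
    return [r.strip() for r in m.group(1).split(",")] if m else []

def check_node(yml_text, error_message):
    roles = configured_roles(yml_text)
    if roles is None:
        return "setting not present"
    bad = [r for r in roles if any(c in r for c in CURLY)]
    if bad:
        return "typographic quotes in role names: " + ", ".join(bad)
    if not set(roles) & set(roles_in_error(error_message)):
        return "no configured role matches the user's roles"
    return "ok"

# The setting as it appears in this thread (curly quotes written as escapes).
AS_POSTED = KEY + ": [ \u201call_access\u201d, \u201csecurity_rest_api_access\u201d ]"
# Constructed variant with ASCII quotes.
ASCII_QUOTED = KEY + ': [ "all_access", "security_rest_api_access" ]'
# Message text from the last FORBIDDEN response the user quoted in the thread.
ERROR = ("No permission to access REST API: User admin with Security roles "
         "[security_rest_api_full_access, own_index, all_access] does not have "
         "any role privileged for admin access.")

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("ASCII quotes", ASCII_QUOTED)):
        print(name, "->", check_node(text, ERROR))
```

Run it against the text of each node's opensearch.yml; a node that reports anything other than "ok" has a roles_enabled value that cannot match the user's all_access role.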