Can't activate reporting functions

OpenSearch Dashboards Reporting Plugin
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.5

Describe the issue: I just can’t see the reporting menus in opensearch dashboard

I have a working opensearch cluster, version 3.5, with the standard docker images, and created an admin user with all roles (all cluster roles and indices permissions)

The reporting plugin is installed:

$ ./opensearch-dashboards-plugin list
alertingDashboards@3.5.0.0
anomalyDetectionDashboards@3.5.0.0
assistantDashboards@3.5.0.0
customImportMapDashboards@3.5.0.0
flowFrameworkDashboards@3.5.0.0
indexManagementDashboards@3.5.0.0
investigationDashboards@3.5.0.0
mlCommonsDashboards@3.5.0.0
notificationsDashboards@3.5.0.0
observabilityDashboards@3.5.0.0
queryInsightsDashboards@3.5.0.0
queryWorkbenchDashboards@3.5.0.0
reportsDashboards@3.5.0.0
searchRelevanceDashboards@3.5.0.0
securityAnalyticsDashboards@3.5.0.0
securityDashboards@3.5.0.0

I don’t see the reporting menus in Dashboards

I can of course provide more information on my configuration.

Do i miss something obvious ?

2

@djeannerod Did you use demo admin user or created a custom one? Does the admin user have write access to the tenant?

If the admin user is custom, please share the role and role mapping definitions.

3

Thanks a lot for your answer !

Yes, the admin user was created with a yaml file and securityadmin.

It should have all rights in the cluster, for all indices and all tenants.

I notice that I have the permissions “kibana_all_write” on the tenants: could it be the cause of my problem, not seeing the reporting menus ?

Here is an extract of my conf:

admin user: mapped to the backend role “admin”

{
  "admin": {
    "hash": "",
    "reserved": true,
    "hidden": false,
    "backend_roles": [
      "admin"
    ],
    "attributes": {},
    "description": "Demo admin user",
    "opendistro_security_roles": [],
    "static": false
  }
}

all_access role:

  "all_access": {
    "reserved": true,
    "hidden": false,
    "description": "Allow full access to all indices and all cluster APIs",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "*"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "*"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": true
  },

Role mapping:

{
  "all_access": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "admin"
    ],
    "and_backend_roles": [],
    "description": "Maps admin to all_access"
  }
}
4

@djeannerod

user, role and role mapping are correct

I have the same settings, and I can use Reporting in Dashboards

image
image1675×433 67.4 KB

Could you share the contents of your opensearch.yml and opensearch_dashboards.yml files?

Please also run the following command and share the output.

curl --insecure -u admin:<password> https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/authinfo?pretty
5

Yes, of course, thanks again for your help !

opensearch.yml:

cluster.name: opensearch-cluster
#logger.org.opensearch.security: debug
#logger.securityjwt.level: debug

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# Implicitly done if ".singleNode" is set to "true".
# discovery.type: single-node

# Start OpenSearch Security Demo Configuration
# WARNING: revise all the lines below before you go into production
plugins:
  security:
    ssl:
      transport:
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/ca.crt
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: certs/tls.crt
        pemkey_filepath: certs/tls.key
        pemtrustedcas_filepath: certs/ca.crt
    restapi:
      roles_enabled: ["all_access", "security_rest_api_access"]
    nodes_dn:
      - "CN=opensearch-cluster-master"
      - "CN=opensearch-cluster-master.os-sso"
      - "CN=opensearch-cluster-master.os-sso.svc"
      - "CN=opensearch-cluster-master.os-sso.svc.cluster.local"
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=Dom,OU=ITOps,O=Inasoft,L=Lyon,ST=Rhone-Alpes,C=FR
    system_indices:
      enabled: true
      indices:
        [
          ".opendistro-alerting-config",
          ".opendistro-alerting-alert*",
          ".opendistro-anomaly-results*",
          ".opendistro-anomaly-detector*",
          ".opendistro-anomaly-checkpoints",
          ".opendistro-anomaly-detection-state",
          ".opendistro-reports-*",
          ".opendistro-notifications-*",
          ".opendistro-notebooks",
          ".opendistro-asynchronous-search-response*",
        ]

opensearch_dashboards.yml

server:
  name: dashboards
  host: "0.0.0.0"
opensearch.hosts: [ "https://opensearch-cluster-master.os-sso.svc.cluster.local:9200" ]
server.ssl.enabled: true
# opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: [ "/usr/share/opensearch-dashboards/config/certs/ca.crt" ]  
server.ssl.key: /usr/share/opensearch-dashboards/config/certs/tls.key
server.ssl.certificate: /usr/share/opensearch-dashboards/config/certs/tls.crt
opensearch.username: "admin"
opensearch.password: "XXXXXXXXX" 
workspace.enabled: false
uiSettings:
  overrides:
    "home:useNewHomePage": true
application_config.enabled: false
datasetManagement.enabled: true
data_source.enabled: false
explore.enabled: true
#savedObjects.permission.enabled: true
# opensearch_reporting.enabled: true

opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.connect_url: "https://<Our Keycloak DNS name>/realms/Inasoft/.well-known/openid-configuration"
opensearch_security.openid.client_id: "XXXXXXXXXXXXXXXXXX"
opensearch_security.openid.client_secret: "XXXXXXXXXXXXXXXXXXX"
opensearch.requestHeadersWhitelist: [authorization, securitytenant, osd-xsrf]
# opensearch.requestHeadersAllowlist: [authorization, securitytenant]
opensearch.ssl.verificationMode: none
opensearch_security.openid.scope: "openid profile email address phone"
opensearch_security.openid.base_redirect_url: "https://<opensearch dashboards DNS name>"
opensearch_security.auth.multiple_auth_enabled: true
# Multitenancy:
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.enable_global: false
opensearch_security.multitenancy.tenants.enable_private: true
opensearch_security.multitenancy.tenants.preferred: ["Private"]
opensearch_security.multitenancy.enable_filter: false

$ curl --insecure -u admin:admin https://localhost:9200/_plugins/_security/authinfo?pretty
{
“user” : “User [name=admin, backend_roles=[admin], requestedTenant=null]”,
“user_name” : “admin”,
“user_requested_tenant” : null,
“remote_address” : “[::1]:60494”,
“backend_roles” : [
“admin”
],
“custom_attribute_names” : 
,
“roles” : [
“own_index”,
“all_access”
],
“tenants” : {
“global_tenant” : true,
“Test” : true,
“admin_tenant” : true,
“admin” : true
},
“principal” : null,
“peer_certificates” : “0”,
“sso_logout_url” : null
}
6

@djeannerod I wasn’t aware that you’re using OpenSearch Dashboards Workspaces.
As per the comment in this GitHub issue, Reporting has been disabled in the Workspaces.

7

Hi @pablo I’m not using Workspaces, only multitenant withtout workspaces.

I have “workspace.enabled: false” in my conf

Is reporting supported with multitenant without workspaces ?

8

@djeannerod With these settings, you’re enabling a new view with general workspace.

You need to comment this section out to get classic view and enable Reporting in Dashboards.

9

Thanks a lot for your help, @pablo , it works on classic view !