Copying built-in kibana_server role

Hello,

I’m trying to make a new user with privileges similar to the built-in kibanaserver (user)/kibana_server (role) so I can use that instead in opensearch_dashboards.yml. However, despite basically copying the privileges of that role (obtained via the REST API), OpenSearch is still saying that the new role has missing privileges. Is it so that creating roles with access to the internal indices is not allowed, or am I missing something?

roles.yml:

dashboardserver:
  reserved: true
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".opensearch_dashboards"
    - ".kibana-6"
    - ".opensearch_dashboards-6"
    - ".kibana_*"
    - ".opensearch_dashboards_*"
    - ".tasks"
    - ".management-beats*"
    - "*"
    allowed_actions:
      - "indices_all"

roles_mapping.yml:

dashboardserver:
  reserved: true
  backend_roles:
  - "dashboardserver"
  users:
  - "dashboardserver"

Error in opensearch.log:

[2021-08-02T01:41:56,601][INFO ][audit ] [my.internal.url] {"audit_cluster_name":"my-cluster","audit_node_name":"my.internal.url","audit_trace_task_id":"yQO73t8nR6eCkXMXteibbA:4452","audit_transport_request_type":"GetIndexRequest","audit_category":"MISSING_PRIVILEGES","audit_request_origin":"REST","audit_node_id":"yQO73t8nR6eCkXMXteibbA","audit_request_layer":"TRANSPORT","@timestamp":"2021-08-02T08:41:56.601+00:00","audit_format_version":4,"audit_request_remote_address":"1.2.3.4","audit_request_privilege":"indices:admin/get","audit_node_host_address":"1.2.3.4","audit_request_effective_user":"dashboardserver","audit_trace_indices":[".kibana"],"audit_trace_resolved_indices":[".kibana_1"],"audit_node_host_name":"1.2.3.4"}

No errors in applying securityadmin.sh.
Would appreciate your help.

@silver_searcher
Just to make sure I understand correctly, in kibana.yml under elasticsearch.username instead of kibanaserver user you want to put a new user with the same permissions?

In that case you will need to create that user in internal_users.yml file, then set up the role, but need to add read permissions for tenant, see your example below:

dashboardserver:
  reserved: true
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"
  index_permissions:
    - index_patterns:
      - ".kibana"
      - ".opensearch_dashboards"
      - ".kibana-6"
      - ".opensearch_dashboards-6"
      - ".kibana_*"
      - ".opensearch_dashboards_*"
      - ".tasks"
      - ".management-beats*"
      - "*"
      allowed_actions:
        - "indices_all"
  tenant_permissions:
    - tenant_patterns:
      - "*"
      allowed_actions:
        - "kibana_all_read"

Your roles_mapping.yml is sufficient; however, the backend_roles section is not needed as you are mapping the user directly.

Then update kibana.yml with username and created password.

This should work for you, if not, please confirm which version of odfe/opensearch you are using or what you are trying to achieve if I misunderstood.

@Anthony
Yes, that’s my intent. Adding the tenant permissions worked, thanks!

Can you please help me understand why though? When I query via REST API the built-in kibana_server role, this is what I get below. The tenant permissions are blank.

{
  "kibana_server": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for the Kibana server",
    "cluster_permissions": [
       (skipped...)
    ],
    "index_permissions": [
      {
         (skipped...)
      }
    ],
    "tenant_permissions": [],
    "static": true
  }
}

Why then if we’re creating our own user with supposedly the same privileges, we need to explicitly define a tenant permission ourselves? There’s some special handling for the built-in kibana_server role?

@silver_searcher I’ve seen in the past this behaviour across some of the built in roles. My only guess (as you already mentioned) is there is some special handling of those built in roles and new roles (although with same permissions attached) need a little “help” to work correctly.

I see. Thanks a lot for your help!

@silver_searcher
I think the solution is to make sure that the dashboardserver is added to the config.yaml, like below:

kibana:
  # Kibana multitenancy
  multitenancy_enabled: true
  server_username: dashboardserver
  index: '.kibana'

Should work for you. Hope this helps

@Anthony I have a query on the same. Created a custom user “observability_kibanaserver” and mapped it with in built role “kibana_server”.

observability_kibanaserver:
  hash: "$*********"
  reserved: false
  description: "Observability kibanaserver user"

kibana_server:
  reserved: true
  users:
  - "observability_kibanaserver"

And put the same user name in opensearch_dashboards.yml

      opensearch.username: "observability_kibanaserver"
      opensearch.password: "******"

Please note: I haven’t created any roles explicitly rather than just mapping with existing in built one.

Any thoughts please.

@kksaha Have you updated config.yml?

Thanks @pablo for your response. In my config.yml I didn’t explicitly mention the username.

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        order: 0
        description: "Basic HTTP Authentication"
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        order: 1
        description: "SAML Authentication"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            jwt:
              # Workaround: force OKTA session timeout + 1440 minutes
              expiry: AUTO+1440
            idp:
              # metadata_url: *********
              metadata_file: /usr/share/opensearch/config/opensearch-security/securityconfig/metadata.xml
              entity_id: *********
            sp:
              entity_id: opensearch-**** # in Okta: Audience URI (SP Entity ID)
              forceAuthn: true
            kibana_url: [ https://dashboards-test.kishore.****** ]
            roles_key: Roles
            exchange_key: '*******'
        authentication_backend:
          type: noop

And it’s working without adding the username with default kibana_server.

I didn’t put it in config.yml

    opensearch-dashboards/kibana:
      multitenancy_enabled: true
      server_username: observability_kibanaserver
      index: '.kibana'

@kksaha The default user kibana_server doesn’t require changes in config.yml as by default they’re already applied.

However, if you want to use a custom user then you have to configure it in config.yml too.

config:
  dynamic:
    opensearch-dashboards:
      server_username: observability_kibanaserver
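The thread touches three files that all have to agree for a custom Dashboards server user: the role (roles.yml), the mapping (roles_mapping.yml) and the server user named in config.yml. The script below is an added example, not code from the OpenSearch project or from anyone in this thread; it runs an offline consistency check over those three, using the permission list the original poster copied from kibana_server as the reference and the `kibana:` section name from the security plugin's sample config.yml for `server_username` (both are assumptions to re-verify against your own cluster, e.g. with `GET _plugins/_security/api/roles/kibana_server`). Inputs are the dicts `yaml.safe_load()` returns for each file; the sample dicts are constructed to mirror the thread.

```python
"""Offline consistency check for a custom Dashboards server user in OpenSearch Security.

Added example, not OpenSearch project code. Inputs are the dicts that
yaml.safe_load() returns for internal_users.yml, roles.yml, roles_mapping.yml
and config.yml. The samples at the bottom are constructed to mirror the thread.
"""
from __future__ import annotations

import fnmatch

# Reference permissions: the list the original poster copied from the built-in
# kibana_server role (assumption: re-fetch it from your own cluster with
# GET _plugins/_security/api/roles/kibana_server rather than trusting this copy).
REFERENCE_CLUSTER = [
    "cluster_monitor", "cluster_composite_ops",
    "indices:admin/template*", "indices:data/read/scroll*",
]
REFERENCE_INDICES = [
    ".kibana", ".opensearch_dashboards", ".kibana-6", ".opensearch_dashboards-6",
    ".kibana_*", ".opensearch_dashboards_*", ".tasks", ".management-beats*",
]


def roles_for_user(user: str, internal_users: dict, roles_mapping: dict) -> set[str]:
    """Roles mapped to `user`, either directly via `users` or via one of its backend roles."""
    backend = set(internal_users.get(user, {}).get("backend_roles", []))
    mapped = set()
    for role, mapping in roles_mapping.items():
        if user in mapping.get("users", []) or backend & set(mapping.get("backend_roles", [])):
            mapped.add(role)
    return mapped


def _covered(granted: list[str], needed: str) -> bool:
    """True if any granted entry (exact name or wildcard pattern) covers `needed`."""
    return any(fnmatch.fnmatchcase(needed, g) for g in granted)


def check_dashboards_server(user, internal_users, roles, roles_mapping, security_config):
    """Return a list of findings; an empty list mirrors the thread's working state.

    `roles` should be the merged view (GET _plugins/_security/api/roles) so that
    static roles such as kibana_server are present, not only the roles.yml content.
    """
    findings = []
    if user not in internal_users:
        findings.append(f"user {user!r} is not defined in internal_users.yml")
    mapped = roles_for_user(user, internal_users, roles_mapping)
    if not mapped:
        findings.append(f"no entry in roles_mapping.yml maps {user!r}")

    cluster, index_patterns, tenant_patterns = [], [], []
    for name in sorted(mapped):
        role = roles.get(name)
        if role is None:
            findings.append(f"roles_mapping.yml references undefined role {name!r}")
            continue
        cluster += role.get("cluster_permissions", [])
        for entry in role.get("index_permissions", []):
            index_patterns += entry.get("index_patterns", [])
        for entry in role.get("tenant_permissions", []):
            tenant_patterns += entry.get("tenant_patterns", [])

    for perm in REFERENCE_CLUSTER:
        if not _covered(cluster, perm):
            findings.append(f"cluster permission {perm!r} is not granted")
    for index in REFERENCE_INDICES:
        if not _covered(index_patterns, index):
            findings.append(f"index {index!r} is not covered by any index_patterns entry")

    # The point the thread converged on: the plugin treats a user as the Dashboards
    # server only when config.yml names it (assumed key: config.dynamic.kibana.server_username,
    # as in the plugin's sample config.yml). Otherwise the user is ordinary and, as the
    # original poster found, needs explicit tenant_permissions to reach .kibana.
    server_user = (security_config.get("config", {}).get("dynamic", {})
                   .get("kibana", {}).get("server_username"))
    if server_user != user:
        findings.append(f"config.yml kibana.server_username is {server_user!r}, not {user!r}")
        if not tenant_patterns:
            findings.append("no tenant_permissions either: expect MISSING_PRIVILEGES on .kibana, as in the thread")
    return findings


# Constructed samples mirroring the thread (not real cluster data).
SAMPLE_INTERNAL_USERS = {
    "dashboardserver": {"hash": "<bcrypt hash from hash.sh>", "reserved": False,
                        "backend_roles": [], "description": "Dashboards server user"},
}
SAMPLE_ROLES = {
    "dashboardserver": {
        "reserved": True,
        "cluster_permissions": list(REFERENCE_CLUSTER),
        "index_permissions": [{"index_patterns": REFERENCE_INDICES + ["*"],
                               "allowed_actions": ["indices_all"]}],
    },
}
SAMPLE_MAPPING = {"dashboardserver": {"reserved": True, "users": ["dashboardserver"]}}
SAMPLE_CONFIG_DEFAULT = {"config": {"dynamic": {"kibana": {
    "multitenancy_enabled": True, "server_username": "kibanaserver", "index": ".kibana"}}}}
SAMPLE_CONFIG_FIXED = {"config": {"dynamic": {"kibana": {
    "multitenancy_enabled": True, "server_username": "dashboardserver", "index": ".kibana"}}}}

if __name__ == "__main__":
    for label, cfg in (("default config.yml", SAMPLE_CONFIG_DEFAULT),
                       ("fixed config.yml", SAMPLE_CONFIG_FIXED)):
        result = check_dashboards_server("dashboardserver", SAMPLE_INTERNAL_USERS,
                                         SAMPLE_ROLES, SAMPLE_MAPPING, cfg)
        print(f"{label}: {result or 'OK'}")
```

Run it against your own files with `yaml.safe_load()` on each and the merged role view from the REST API; the second sample configuration (server_username pointing at the custom user) produces no findings, while the default one reports the missing server_username and the absent tenant_permissions that caused the MISSING_PRIVILEGES audit entry earlier in the thread.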