Creating a workspace using the API

Versions: 3.6.0

Describe the issue:

I’m trying to create a Workspace using the API but keep getting the following error:

OpenSearch Dashboards API POST /api/workspaces returned success=false. Details: no permissions for [indices:data/read/search] and User [name=dip-controlplane, backend_roles=[controlplane_role[], requestedTenant=null]: security_exception: [security_exception[] Reason: no permissions for [indices:data/read/search] and User [name=dip-controlplane, backend_roles=[controlplane_role], requestedTenant=null]

This is my current configuration for the controlplane_role backend_role:

controlplane_role:
  reserved: true
  description: "DIP controlplane service role"
  cluster_permissions:
    - "cluster:monitor/main"
    - "restapi:admin/roles"
    - "restapi:admin/rolesmapping"

  index_permissions:
    - index_patterns:
        - "ss4o_logs-*"
        - "dip-logs-*"
      allowed_actions:
        - "manage_aliases"
        - "indices:admin/aliases/get"

    - index_patterns:
        - ".kibana*"
        - ".opensearch_dashboards*"
        - ".opensearch-dashboards*"
        - ".plugins-workspace*"
        - ".plugins-ml-config"
        - ".ql-datasources*"
        - ".opensearch-observability*"
      allowed_actions:
        # Workspace management is implemented through Dashboards saved objects and
        # related system indices. Use full index access on this narrow set of
        # Dashboards-owned indices to avoid brittle per-action gaps.
        - "*"
        - "system:admin/system_index"

    - index_patterns:
        - "*"
      allowed_actions:
        - "indices:data/read/search"
        - "indices:admin/mappings/get"

@Ploef Could you share your opensearch.yml file?

Hi @pablo,

Thanks for the response. This is my current opensearch.yml content (or at least the part that might affect the problem).

# TLS (required when Security plugin enabled)
plugins.security.ssl.transport.pemcert_filepath: certs/transport/tls.crt
plugins.security.ssl.transport.pemkey_filepath: certs/transport/tls.key
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/transport/ca.crt
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: certs/http/tls.crt
plugins.security.ssl.http.pemkey_filepath: certs/http/tls.key
plugins.security.ssl.http.pemtrustedcas_filepath: certs/http/ca.crt
plugins.security.restapi.roles_enabled: ["all_access","security_rest_api_access","searchguard_role","controlplane_role"]
plugins.security.system_indices.permission.enabled: true

plugins.security.ssl.transport.enabled: true

plugins.security.nodes_dn:
  - "CN=opensearch-transport"
plugins.security.authcz.admin_dn:
  - "CN=admin"

plugins.query.datasources.encryption.masterkey: ${OPENSEARCH_DATASOURCES_ENCRYPTION_MASTERKEY}

plugins.security.disabled: false

plugins.security.audit.type: internal_opensearch
plugins.security.audit.config.enable_rest: true
plugins.security.audit.config.enable_transport: true
plugins.security.audit.config.disabled_rest_categories: NONE
plugins.security.audit.config.disabled_transport_categories: NONE

@Ploef Thank you for sharing your opensearch.yml file.

The issue was caused by a missing tenant permission. This root cause isn’t reported in the OpenSearch logs properly.

I’ve found two solutions/workarounds:

  1. Add kibanauser backend role to your test user. This backend role already has built-in access to the Global tenant.
    Alternatively, add Global tenant permission to your custom role.
curl --insecure -u pablo:Eliatra123 https://localhost:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=pablo, backend_roles=[], requestedTenant=null]",
  "user_name" : "pablo",
  "user_requested_tenant" : null,
  "remote_address" : "172.19.0.1:40052",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "pablo",
    "kibana_user",
    "own_index"
  ],
  "tenants" : {
    "pablo" : true,
    "global_tenant" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

  2. Follow OpenSearch documentation and disable multi-tenancy in OpenSearch (config.yml) and OpenSearch Dashboards (opensearch_dashboards.yml)
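As an added example (not code from the thread or from OpenSearch itself), the preflight check below reads the `/_plugins/_security/authinfo` response quoted above and reports whether the user has the Global tenant access that the Workspaces API needs, and shows the first workaround applied to a role definition. The `tenant_permissions` / `tenant_patterns` / `kibana_all_write` key names are taken from the OpenSearch Security roles.yml schema as assumed here; the sample responses are constructed from the values in the thread.

```python
import json

# Constructed sample: the authinfo response quoted in the thread (trimmed to
# the fields the check uses). "tenants" lists each tenant with an access flag.
AUTHINFO_OK = json.loads("""{
  "user_name": "pablo",
  "backend_roles": [],
  "roles": ["pablo", "kibana_user", "own_index"],
  "tenants": {"pablo": true, "global_tenant": true}
}""")


def accessible_tenants(authinfo):
    """Tenants the caller may enter, per /_plugins/_security/authinfo."""
    return {name for name, ok in authinfo.get("tenants", {}).items() if ok}


def check_workspace_prereqs(authinfo):
    """Preflight for POST /api/workspaces.

    Workspaces are Dashboards saved objects, so the write lands in a tenant;
    the thread's failure is a custom role with no Global tenant grant, which
    surfaces only as a misleading indices:data/read/search denial.
    """
    findings = []
    if "global_tenant" not in accessible_tenants(authinfo):
        findings.append(
            "no access to global_tenant: add the kibana_user backend role or "
            "a tenant_permissions entry to the custom role"
        )
    return findings


def grant_global_tenant(role):
    """Return a copy of a roles.yml role (as a dict) with Global tenant write
    access added. Key names follow the OpenSearch Security role schema as
    assumed here; the function is idempotent and leaves the input untouched."""
    patched = json.loads(json.dumps(role))
    grants = patched.setdefault("tenant_permissions", [])
    for grant in grants:
        if "global_tenant" in grant.get("tenant_patterns", []):
            return patched
    grants.append({"tenant_patterns": ["global_tenant"],
                   "allowed_actions": ["kibana_all_write"]})
    return patched
```

Run `check_workspace_prereqs` on the failing service user's authinfo before touching roles.yml; an empty findings list means the tenant side is not the blocker.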