Dashboard no Secure menu in plugin

Hello,

When I install in Docker containers with a non-default env, I don’t have the Secure menu. But at this time I already have LDAP auth and it works fine.
The default admin:admin works too.

NDA means critical data that is not for sharing.

Kibana env:

environment:
                - "HOSTNAME={{ ansible_fqdn }}"
                - "SERVER_NAME={{ ansible_fqdn }}"
                - "HOST_IP={{ ansible_facts['default_ipv4']['address'] }}"
                - "OPENSEARCH_HOSTS=https://oswebportal.site.local:9200"
                - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=false"
                - "opensearch.ssl.verificationMode=none"
                - "server.ssl.enabled=true"
                - "server.ssl.certificate=oswebportal.pem"
                - "server.ssl.key=oswebportal-key.pem"
                - "opensearch.ssl.certificateAuthorities=root-ca-local.pem"
                - "opensearch.username=kibanaserver"
                - "opensearch.password=kibanaserver"
                - "opensearch_security.multitenancy.enabled=false"
                - "opensearch_security.multitenancy.tenants.enable_global=true"
                - "opensearch_security.multitenancy.tenants.enable_private=true"
                - "opensearch_security.multitenancy.enable_filter=false"
                - "opensearch_security.cookie.secure=true"

Kibana config.yml file:

opensearch.requestHeadersWhitelist: ["authorization", "securitytenant"]
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

Role mapping conf:

---

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:
    - os-admins
  users:
    - "admin"
  description: "Maps admin to all_access"

kibana_server:
  reserved: true
  users:
    - "kibanaserver"

Ingest, master, data nodes env:

environment:
                - HOSTNAME={{ ansible_fqdn }}
                - DISABLE_INSTALL_DEMO_CONFIG=true
                - compatibility.override_main_response_version=false
                - plugins.security.disabled=false
                - plugins.security.allow_default_init_securityindex=true
                - plugins.security.ssl.transport.enforce_hostname_verification=false
                - plugins.security.ssl.transport.pemcert_filepath=oswebportal.pem
                - plugins.security.ssl.transport.pemkey_filepath=oswebportal-key.pem
                - plugins.security.ssl.transport.pemtrustedcas_filepath=root-ca-local.pem
                - plugins.security.ssl.http.enabled=true
                - plugins.security.allow_unsafe_democertificates=true
                - plugins.security.ssl.http.pemcert_filepath=oswebportal.pem
                - plugins.security.ssl.http.pemkey_filepath=oswebportal-key.pem
                - plugins.security.ssl.http.pemtrustedcas_filepath=root-ca-local.pem
                - plugins.security.restapi.roles_enabled=["all_access", "security_rest_api_access"]
                - cluster.name=oswebportal
                - bootstrap.memory_lock=true
                - discovery.seed_hosts=NDA
                - node.data=false
                - node.master=false
                - node.ingest=true
                - node.name={{ ansible_fqdn }}
                - network.host=0.0.0.0
                - network.publish_host={{ ansible_facts['default_ipv4']['address'] }}
                - "OPENSEARCH_JAVA_OPTS=-Xms12g -Xmx12g -Xlog:disable"

Ingest opensearch.yml:

---
cluster.name: docker-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node
plugins.security.authcz.admin_dn:
  - NDA
plugins.security.nodes_dn: 
  - NDA
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]


@kam This must be kept unchanged.

all_access:
  reserved: false
  backend_roles:
  - "admin"

You can add users, groups but don’t remove the admin backend_role.

Can it be like this?

---

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:
    - os-admins
    - admin
  users:
    - "admin"
  description: "Maps admin to all_access"

kibana_server:
  reserved: true
  users:
    - "kibanaserver"

I want all users in the LDAP group os-admin to have all_access too, not only the admin backend_role.

I tried, but I still don’t see the Secure menu:

---

_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  reserved: false
  backend_roles:
    - "admin"
  users:
    - "admin"
  description: "Maps admin to all_access"

kibana_server:
  reserved: true
  users:
    - "kibanaserver"


@kam Could you share your all_access role settings?

@kam Did you apply the changed roles_mapping.yml to the cluster?

Did you purge the cache? LDAP and basicauth authentications are cached and the cache must be purged when you change the permissions and you’d like to see the effect immediately.
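An added example, not part of any post in this thread: one way to separate the two questions asked above (is the mapping file right, and is it effective on the cluster) is to compare the roles the file should grant with the `roles` and `backend_roles` fields returned by `GET _plugins/_security/authinfo` for the logged-in user. The matcher is a simplified model (only `users` and `backend_roles`, shell-style wildcards), the sample responses are constructed, and treating the roles in `plugins.security.restapi.roles_enabled` as the ones that matter for the menu is an assumption.

```python
from fnmatch import fnmatchcase

# Roles listed in plugins.security.restapi.roles_enabled in the posted node config.
REST_API_ROLES = {"all_access", "security_rest_api_access"}

# The roles mapping from the first post, transcribed by hand into a dict.
MAPPING = {
    "_meta": {"type": "rolesmapping", "config_version": 2},
    "all_access": {"backend_roles": ["os-admins"], "users": ["admin"]},
    "kibana_server": {"users": ["kibanaserver"]},
}

# Constructed authinfo responses (only the fields used here), not real output.
SAMPLES = {
    "admin_stale": {"user_name": "admin", "backend_roles": ["admin"], "roles": ["own_index"]},
    "ldap_other_group": {"user_name": "jdoe", "backend_roles": ["os-admin"], "roles": ["own_index"]},
    "ldap_mapped": {"user_name": "jdoe", "backend_roles": ["os-admins"], "roles": ["all_access"]},
}

def _matches(patterns, value):
    # Names are compared as whole strings; "os-admin" does not match "os-admins".
    return any(fnmatchcase(value, p) for p in patterns)

def expected_roles(mapping, user, backend_roles):
    """Security roles the mapping file grants to this user (simplified model)."""
    granted = set()
    for role, entry in mapping.items():
        if role == "_meta":
            continue
        by_user = _matches(entry.get("users", []), user)
        by_backend = any(_matches(entry.get("backend_roles", []), b) for b in backend_roles)
        if by_user or by_backend:
            granted.add(role)
    return granted

def diagnose(authinfo, mapping=MAPPING, rest_roles=REST_API_ROLES):
    """Compare what the file grants with what the cluster reports for the user."""
    want = expected_roles(mapping, authinfo["user_name"], authinfo["backend_roles"])
    have = set(authinfo["roles"])
    if have & rest_roles:
        return "ok: cluster reports an admin role for this user"
    if want & rest_roles:
        return "file grants it, cluster does not: mapping not applied or cache stale"
    return "file does not grant it: fix users/backend_roles in the mapping"

if __name__ == "__main__":
    for name, info in SAMPLES.items():
        print(f"{name}: {diagnose(info)}")
```
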

Where can I see them?

Before I try a new configuration in the cluster, I do:

  1. stop all containers in all 7 nodes (2 master, 2 ingest, 3 data)
  2. docker rm all containers
  3. docker rmi all images
  4. rm all certs in directory
  5. rm all conf in vps where I make deploy
  6. rm all data what left from containers on vps volumes

Nothing is left after the playbooks that rm all Docker artefacts.
I deploy all new configs on a VPS cleared of old files and data.

I still have the issue. I set the log level to debug and nothing…