Dashboard permission in OpenSearch

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch Version - 2.8.0
dashboard version - 2.8.0

Describe the issue:

Hi Team,

Good Day !!

Can you please help me with the below requirement for other users?

I want to give read/write access for Visualization, Dashboard and Discover to other users.

At the same time I want to restrict them from accessing Dev Tools and Stack Management.

I have my own index pattern - log-finsp*
OSS Version - 2.8.0
dashboard version - 2.8.0

Configuration:

clusterName: osscluster-dev
namespace: opensearch-ns
opensearchCluster:
  enabled: true
  general:
    httpPort: 9200
    serviceName: osscluster-dev
    version: 2.8.0
    pluginsList:
      - "repository-s3"
      - "https://github.com/aiven/prometheus-exporter-plugin-for-opensearch/releases/download/2.8.0.0/prometheus-exporter-2.8.0.0.zip"
    drainDataNodes: false
    setVMMaxMapCount: true
  dashboards:
    enable: true
    version: 2.8.0
    replicas: 1
    reporting:
      enabled: true
    podSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
    securityContext:  
      capabilities:
        drop:
          - ALL
      fsGroup: 1000
      runAsNonRoot: true
    opensearchCredentialsSecret:
      name: admin-credentials-secret
    resources:
      requests:
        memory: "1Gi"
        cpu: "500m"
      limits:
        memory: "1Gi"
        cpu: "500m"
    additionalConfig:
      opensearch.requestHeadersAllowlist: "[\"securitytenant\",\"Authorization\"]"
      opensearch_security.multitenancy.enabled: "true"
      opensearch_security.multitenancy.tenants.enable_global: "true"
      opensearch_security.multitenancy.tenants.enable_private: "true"
      opensearch_security.multitenancy.tenants.preferred: "[\"Global\",\"Private\"]"
      opensearch_security.multitenancy.enable_filter: "true"
      opensearch_security.auth.multiple_auth_enabled: "true"
      # opensearch_security.readonly_mode.roles: "[\"readonly\"]"
      opensearch_security.auth.type: "[\"openid\", \"basicauth\"]"
      opensearch_security.openid.connect_url: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      opensearch_security.openid.client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      opensearch_security.openid.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
      opensearch_security.openid.base_redirect_url: "xxxxxxxxxxxxxx"
      # logging.verbose: <OPENSEARCH_DASHBOARDS_LOG_LEVEL>
  initHelper:
    imagePullSecrets: []
    # - registryKeySecretName
    imagePullPolicy: IfNotPresent
    resources:
      requests:
        memory: "1Gi"
        cpu: "500m"
      limits:
        memory: "1Gi"
        cpu: "500m"
  nodePools:
    - component: masters
      replicas: 3
      diskSize: "10Gi"
      jvm: "-Xmx512M -Xms512M"
      prometheus:
        indices: "false"
        clusterSettings: "true"
        nodesFilter: "_local"
      annotations:
        prometheus.io/path: "/_prometheus/metrics"
        prometheus.io/port: "9200"
        prometheus.io/scrape: "true"
        prometheus.io/scheme: "https"
      # NodeSelector: {}  # Populate if needed or remove if not
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "2Gi"
          cpu: "500m"
      roles:
        - "cluster_manager"
    - component: data-nodes
      replicas: 5
      diskSize: "20Gi"
      jvm: "-Xmx512M -Xms512M"
      prometheus:
        indices: "false"
        clusterSettings: "true"
        nodesFilter: "_local"
      annotations:
        prometheus.io/path: "/_prometheus/metrics"
        prometheus.io/port: "9200"
        prometheus.io/scrape: "true"
        prometheus.io/scheme: "https"
      # NodeSelector: {}  # Populate if needed or remove if not
      resources:
        requests:
          memory: "2Gi"
          cpu: "500m"
        limits:
          memory: "2Gi"
          cpu: "500m"
      roles:
        - "data"
  security:
    config:
      adminSecret:
        name: opensearch-admin-certs
      adminCredentialsSecret:
        name: admin-credentials-secret
      securityConfigSecret:
        name: securityconfig-secret
    tls:
      transport:
        generate: false
        perNode: false
        secret:
          name: opensearch-certs
        nodesDn:
          - "CN=Opensearch_Node"
        adminDn:
          - "CN=OpenSearch_Admin"
      http:
        generate: false
        secret:
          name: opensearch-certs

Relevant Logs or Screenshots:

@sdas018 OpenSearch Dashboards doesn't have the ability to restrict specific elements of the UI.
You could consider using tenants to separate users and their OpenSearch Dashboards objects.

Hi @pablo ,

Can you please help me with an example so that I can replicate the same.

Regards,
Santosh Das

@sdas018 As per my previous comment, security roles can't control specific UI elements.
The only available option for limiting the OpenSearch Dashboards UI view is opensearch_security.readonly_mode.roles, which is configured in the opensearch_dashboards.yml file.

You could try to separate OpenSearch Dashboards objects (i.e. dashboards, searches, visualizations) by using separate tenants. You can assign read/write permissions per tenant.
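A concrete way to combine the two suggestions above (a tenant with per-tenant read/write permission, plus readonly_mode for users who should only view), written as an added example that is not from this thread or from the OpenSearch project. The only value taken from the page is the log-finsp* index pattern; the role names (finsp_dashboards_user, finsp_readonly), the tenant name (finsp_tenant) and the OIDC backend role names (finsp-analysts, finsp-viewers) are hypothetical. The files are the security plugin's roles.yml, tenants.yml and roles_mapping.yml; in the operator-managed cluster shown in the question they are supplied through the securityConfigSecret named in the spec, and the readonly_mode line goes into the dashboards additionalConfig where the page already has it commented out.

```yaml
# roles.yml  (security plugin, assumed example roles)
---
# Read/write Dashboards user: may query the page's log-finsp* indices and
# create/edit dashboards, visualizations and saved searches in one tenant.
finsp_dashboards_user:
  reserved: false
  description: "Read log-finsp*; read/write saved objects in finsp_tenant"
  cluster_permissions:
    - "cluster_composite_ops_ro"   # msearch/mget used by Discover; no cluster admin actions
  index_permissions:
    - index_patterns:
        - "log-finsp*"             # index pattern from the question
      allowed_actions:
        - "read"                   # search/get only, no writes to the data indices
  tenant_permissions:
    - tenant_patterns:
        - "finsp_tenant"           # hypothetical tenant name
      allowed_actions:
        - "kibana_all_write"       # full access to this tenant's saved objects

# View-only user: same data access, but saved objects are read-only.
finsp_readonly:
  reserved: false
  description: "Read log-finsp*; view-only saved objects in finsp_tenant"
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "log-finsp*"
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "finsp_tenant"
      allowed_actions:
        - "kibana_all_read"        # can open dashboards, cannot save changes

# tenants.yml
---
finsp_tenant:
  reserved: false
  description: "Saved objects for the finsp team (hypothetical tenant)"

# roles_mapping.yml
---
# Backend roles come from the OIDC provider the page enables (assumed names).
finsp_dashboards_user:
  reserved: false
  backend_roles:
    - "finsp-analysts"
finsp_readonly:
  reserved: false
  backend_roles:
    - "finsp-viewers"

# opensearch_dashboards.yml (as a dashboards additionalConfig key in the
# operator spec on this page, replacing the commented readonly_mode line)
---
opensearch_security.readonly_mode.roles: '["finsp_readonly"]'
```

Two points worth checking after applying this. First, readonly_mode only trims the Dashboards navigation for users in the listed role; the enforcement that actually matters is server-side, and it comes from the roles themselves: neither role carries cluster or index management actions, so any request a user issues through Dev Tools against administrative APIs is rejected by the security plugin regardless of what the UI shows. Second, nothing in these roles references the global tenant, so a user who switches tenants in the tenant picker sees only finsp_tenant (plus their private tenant, which the page's config enables); verify this by logging in as a test user mapped to each backend role and confirming Discover works on log-finsp* while a write to a saved object succeeds only for the finsp_dashboards_user mapping.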