Discover page does not show anything with readall role

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch 2.11.1 (Docker Container bitnami/opensearch:2.11.1-debian-11-r2)
OpenSearch Dashboards 2.11.0 (Docker Container bitnami/opensearch-dashboards:2.11.0-debian-11-r2)

Describe the issue:

Users with readall role are not able to see any logs.

When I open the UI with the readall role and go to “Discover”, there are no datasources to select and the spinner runs indefinitely (see first screenshot). From the second screenshot you can see that I have the readall role assigned. When I assign myself the all_access role, everything works fine.

From the documentation at Users and roles - OpenSearch Documentation I would have expected this to be the correct role. But apparently it is not.

What role(s) should users have to be able to:

  • read all logs
  • CRUD visualizations and dashboards
  • have read access to the observability tab

Thanks in advance!

Configuration:

readall role (vanilla, no changes):

user@nb [~]
-> % kubectl -n logging-system exec -ti logging-stack-opensearch-master-0 -c opensearch -- curl \
    --cert /opt/bitnami/opensearch/config/certs/admin.crt \
    --key /opt/bitnami/opensearch/config/certs/admin.key \
    --cacert /opt/bitnami/opensearch/config/certs/ca.crt \
    -XGET \
    https://localhost:9200/_plugins/_security/api/roles/readall | jq
{
  "readall": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for to readall indices",
    "cluster_permissions": [
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  }
}
user@nb [~]
-> %

readall role mapping (added the opensearch_kibana_read backend role there):

user@nb [~]
-> % kubectl -n logging-system exec -ti logging-stack-opensearch-master-0 -c opensearch -- curl \
    --cert /opt/bitnami/opensearch/config/certs/admin.crt \
    --key /opt/bitnami/opensearch/config/certs/admin.key \
    --cacert /opt/bitnami/opensearch/config/certs/ca.crt \
    -XGET \
    https://localhost:9200/_plugins/_security/api/rolesmapping/readall | jq
{
  "readall": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "readall",
      "opensearch_kibana_read"
    ],
    "and_backend_roles": []
  }
}
user@nb [~]
-> %

The opensearch_kibana_read backend role comes as a role from Keycloak.

Relevant Logs or Screenshots:

image

Apparently adding the kibana_user role to those users did the trick. Now they can read the index patterns and therefore they can search for logs.

Thanks anyways!

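An added example, not part of the original posts: an offline check that resolves a user's backend roles against role mappings in the shape returned by the `rolesmapping` endpoint queried above, and reports whether `kibana_user` resolves alongside `readall`. The `kibana_user` mapping, the backend-role list passed in and the simplified matching (wildcards via `fnmatch`, `hosts` ignored) are assumptions.

```python
import copy
from fnmatch import fnmatchcase

# Constructed sample in the shape of GET _plugins/_security/api/rolesmapping.
# "readall" mirrors the post; the "kibana_user" entry is an assumed mapping.
MAPPINGS_BEFORE = {
    "readall": {"hosts": [], "users": [], "and_backend_roles": [],
                "backend_roles": ["readall", "opensearch_kibana_read"]},
    "kibana_user": {"hosts": [], "users": [], "and_backend_roles": [],
                    "backend_roles": ["kibanauser"]},
}
REQUIRED = {"readall", "kibana_user"}  # the roles the thread ended up needing


def _any_match(patterns, values):
    """True if any value matches any pattern (patterns may contain '*')."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def resolve_roles(mappings, username, backend_roles):
    """Security roles a user resolves to; host-based mapping is ignored here."""
    resolved = set()
    for role, m in mappings.items():
        and_roles = m.get("and_backend_roles", [])
        if (_any_match(m.get("users", []), [username])
                or _any_match(m.get("backend_roles", []), backend_roles)
                or (and_roles and all(_any_match([p], backend_roles) for p in and_roles))):
            resolved.add(role)
    return resolved


def missing_roles(mappings, username, backend_roles, required=REQUIRED):
    """Required roles that the user does not resolve to, sorted."""
    return sorted(set(required) - resolve_roles(mappings, username, backend_roles))


def with_backend_role(mappings, role, backend_role):
    """Copy of mappings with backend_role added to the given role's mapping."""
    updated = copy.deepcopy(mappings)
    entry = updated.setdefault(role, {"hosts": [], "users": [],
                                      "backend_roles": [], "and_backend_roles": []})
    if backend_role not in entry["backend_roles"]:
        entry["backend_roles"].append(backend_role)
    return updated


if __name__ == "__main__":
    roles = ["opensearch_kibana_read"]  # backend role delivered by Keycloak
    print("before:", missing_roles(MAPPINGS_BEFORE, "alice", roles))  # hypothetical user
    after = with_backend_role(MAPPINGS_BEFORE, "kibana_user", "opensearch_kibana_read")
    print("after: ", missing_roles(after, "alice", roles))
```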