Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
I need help with getting the right permission needed for OBO token creation. When users run it, they get the error below.
security:obo/create: under what category does this action belong?
It's a cluster permission according to security/src/integrationTest/java/org/opensearch/security/http/OnBehalfOfJwtAuthenticationTest.java at main · opensearch-project/security · GitHub.
I’m not sure if it's necessary, but I can see the test also configuring the setting from here: https://docs.opensearch.org/docs/latest/security/access-control/api/#access-control-for-the-api
plugins.security.restapi.admin.enabled: true
^ I don’t think that setting is required, but wanted to point out that the tests do set the value.
@nelson As per @cwperks's comment, you need to add the missing permission security:obo/create to the role’s cluster permissions.
The role example below has the minimal permissions to create an OBO token.
pablo:
  reserved: false
  hidden: false
  cluster_permissions:
    - "cluster:admin/opensearch/ql/datasources/read"
    - "indices:admin/template/get"
    - "security:obo/create"
  index_permissions:
    - index_patterns:
        - "*"
      dls: ""
      fls: []
      masked_fields: []
      allowed_actions:
        - "indices:data/read/search"
        - "indices:admin/mappings/get"
        - "indices:admin/aliases/get"
  tenant_permissions: []
  static: false
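
Added example, not part of the thread or of the OpenSearch project's code: a small audit over role definitions, loaded as a dict in the same shape as the role above, that reports whether `security:obo/create` is granted as a cluster permission, placed by mistake under an index permission block, or absent. The function name, the sample roles other than `pablo`, and the simplified `*`-only wildcard matching are assumptions; action groups are not expanded.

```python
from fnmatch import fnmatchcase

OBO_ACTION = "security:obo/create"

def audit_obo_permission(roles):
    """Return {role_name: finding} for a dict shaped like roles.yml."""
    findings = {}
    for name, role in roles.items():
        cluster = role.get("cluster_permissions") or []
        # Assumption: literal names and '*' wildcards only; action groups
        # listed here are not resolved to their member permissions.
        granted = [p for p in cluster if fnmatchcase(OBO_ACTION, p)]
        # The action only takes effect as a cluster permission, so flag
        # roles that list it under index_permissions.allowed_actions.
        misplaced = [
            p
            for block in role.get("index_permissions") or []
            for p in block.get("allowed_actions") or []
            if p == OBO_ACTION
        ]
        if granted:
            findings[name] = "granted via " + ", ".join(granted)
        elif misplaced:
            findings[name] = "misplaced under index_permissions"
        else:
            findings[name] = "missing"
    return findings

# Constructed sample input: 'pablo' mirrors the role in the thread (trimmed),
# the other three roles are hypothetical.
SAMPLE_ROLES = {
    "pablo": {
        "cluster_permissions": ["indices:admin/template/get", OBO_ACTION],
        "index_permissions": [{"index_patterns": ["*"],
                               "allowed_actions": ["indices:data/read/search"]}],
    },
    "wrong_section": {
        "cluster_permissions": [],
        "index_permissions": [{"index_patterns": ["*"],
                               "allowed_actions": [OBO_ACTION]}],
    },
    "wildcard": {"cluster_permissions": ["security:obo/*"]},
    "search_only": {"cluster_permissions": ["indices:admin/template/get"]},
}

if __name__ == "__main__":
    for role, finding in audit_obo_permission(SAMPLE_ROLES).items():
        print(f"{role}: {finding}")
```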