I can't see Index Pattern

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 3.0

Hello, I'm the admin user of my cluster. I have multi-tenancy enabled (it is working fine).
I configured roles and roles_mapping for the users that have to see the logs.
However, each user must be able to see only their own logs; I managed this via the tenants.

From my Admin User, I created the reference index patterns for each tenant in the corresponding tenants.
To test that I did it right, I created a local user and gave it read privileges on a tenant and read search privileges on the corresponding index.
When I log in to OpenSearch Dashboards as the local user, I select the tenant I have access to (the only custom tenant I see) and go to Discover, but I don't see any index pattern.

Can someone help me?

@pablo Any suggestions?

@abarocco Could you share the output of the following command and the reported user's roles with roles mapping?

curl --insecure -u <username>:<password> -XGET https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/authinfo?pretty

Alternatively, you can use OSD Dev Tools and run the following when logged in as the reported user.

GET _plugins/_security/authinfo

@pablo Hi pablo

{
  "user": "User [name=U0K8102, backend_roles=[CN=YASZAYGr,CN=Abilitazioni,OU=Profili di Sicurezza,OU=SanPaoloIMI,DC=syssede,DC=systest,DC=sanpaoloimi,DC=com, CN=YA2W56GrL,CN=Abilitazioni,OU=Profili di Sicurezza,OU=SanPaoloIMI,DC=syssede,DC=systest,DC=sanpaoloimi,DC=com, CN=YA2W56Gr,CN=Abilitazioni,OU=Profili di Sicurezza,OU=SanPaoloIMI,DC=syssede,DC=systest,DC=sanpaoloimi,DC=com, CN=YASZAYGrL,CN=Abilitazioni,OU=Profili di Sicurezza,OU=SanPaoloIMI,DC=syssede,DC=systest,DC=sanpaoloimi,DC=com], requestedTenant=null]",
  "user_name": "U0K8102",
  "user_requested_tenant": null,
  "remote_address": "10.174.110.129:37194",
  "backend_roles": [
    "CN=YASZAYGr,CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=com",
    "CN=YA2W56GrL,CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=com",
    "CN=YA2W56Gr,CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=com",
    "CN=YASZAYGrL,CN=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx,DC=com"
  ],
  "custom_attribute_names": [
    "attr.ldap.msTSExpireDate",
    "attr.ldap.logonCount",
    "attr.ldap.lastLogon",
    "attr.ldap.badPwdCount",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.physicalDeliveryOfficeName",
    "attr.ldap.lastLogoff",
    "attr.ldap.sAMAccountName",
    "attr.ldap.whenChanged",
    "attr.ldap.uid",
    "attr.ldap.gidNumber",
    "attr.ldap.msSFU30NisDomain",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.adminCount",
    "attr.ldap.extensionAttribute1",
    "attr.ldap.loginShell",
    "attr.ldap.sPIsmDomain",
    "attr.ldap.extensionAttribute3",
    "attr.ldap.lastLogonTimestamp",
    "attr.ldap.primaryGroupID",
    "attr.ldap.unixHomeDirectory",
    "attr.ldap.objectGUID",
    "attr.ldap.msTSLicenseVersion3",
    "attr.ldap.msTSLicenseVersion2",
    "attr.ldap.company",
    "attr.ldap.countryCode",
    "attr.ldap.extensionAttribute14",
    "attr.ldap.scriptPath",
    "attr.ldap.logonHours",
    "attr.ldap.instanceType",
    "attr.ldap.msTSManagingLS",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.initials",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.uidNumber",
    "attr.ldap.pwdLastSet",
    "attr.ldap.sn",
    "attr.ldap.msTSLicenseVersion",
    "attr.ldap.msNPAllowDialin",
    "attr.ldap.msSFU30Name"
  ],
  "roles": [
    "own_index",
    "all_access"
  ],
  "tenants": {
    "10": true,
    "17": true,
    "29": true,
    "44": true,
    "69": true,
    "71": true,
    "76": true,
    "80": true,
    "88": true,
    "89": true,
    "91": true,
    "92": true,
    "PX": true,
    "YA": true,
    "YB": true,
    "HS": true,
    "8D": true,
    "8H": true,
    "0D": true,
    "8L": true,
    "0F": true,
    "8N": true,
    "0G": true,
    "Z1": true,
    "YQ": true,
    "8Q": true,
    "Z3": true,
    "8S": true,
    "ID": true,
    "QL": true,
    "8T": true,
    "0O": true,
    "YX": true,
    "II": true,
    "R4": true,
    "IL": true,
    "IO": true,
    "ZE": true,
    "IU": true,
    "ZJ": true,
    "1C": true,
    "AT": true,
    "RE": true,
    "AU": true,
    "9P": true,
    "RJ": true,
    "9Q": true,
    "1I": true,
    "RL": true,
    "1M": true,
    "9U": true,
    "S0": true,
    "ZW": true,
    "RO": true,
    "9W": true,
    "ZZ": true,
    "9Y": true,
    "1R": true,
    "JL": true,
    "BD": true,
    "S9": true,
    "1X": true,
    "BJ": true,
    "JU": true,
    "2B": true,
    "2I": true,
    "SJ": true,
    "BZ": true,
    "SO": true,
    "SQ": true,
    "2P": true,
    "KM": true,
    "T8": true,
    "SX": true,
    "KY": true,
    "3F": true,
    "D8": true,
    "3H": true,
    "3J": true,
    "admin_tenant": true,
    "TL": true,
    "3N": true,
    "TO": true,
    "U0K8102": true,
    "LJ": true,
    "TR": true,
    "TS": true,
    "LM": true,
    "3U": true,
    "LP": true,
    "DI": true,
    "3Y": true,
    "3Z": true,
    "DL": true,
    "DM": true,
    "LV": true,
    "UA": true,
    "E2": true,
    "4D": true,
    "DV": true,
    "E7": true,
    "MA": true,
    "MC": true,
    "4M": true,
    "MI": true,
    "4R": true,
    "EF": true,
    "MO": true,
    "N0": true,
    "4V": true,
    "5B": true,
    "NA": true,
    "NB": true,
    "VL": true,
    "VM": true,
    "NF": true,
    "5N": true,
    "W1": true,
    "NJ": true,
    "FB": true,
    "5Q": true,
    "VT": true,
    "NM": true,
    "5U": true,
    "NP": true,
    "global_tenant": true,
    "O4": true,
    "NY": true,
    "G3": true,
    "FV": true,
    "FW": true,
    "G9": true,
    "WJ": true,
    "OC": true,
    "OD": true,
    "X1": true,
    "OI": true,
    "6P": true,
    "6Q": true,
    "OK": true,
    "6T": true,
    "GF": true,
    "P0": true,
    "GI": true,
    "P2": true,
    "GK": true,
    "OT": true,
    "GN": true,
    "OV": true,
    "P8": true,
    "XA": true,
    "GT": true,
    "7F": true,
    "GV": true,
    "7I": true,
    "GZ": true,
    "XL": true,
    "XM": true,
    "Y2": true,
    "XT": true,
    "XV": true,
    "PO": true,
    "Y8": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

This is my user; I have admin permission.

My focus points are:

  1. Understand which permissions a user needs to have to see the logs assigned to him (just read only), logs/dashboard/visualize.

  2. How to give him permission to enter his specific tenant.

{
  "user": "User [name=test-barocco, backend_roles=[test-barocco], requestedTenant=null]",
  "user_name": "test-barocco",
  "user_requested_tenant": null,
  "remote_address": "10.174.110.129:37184",
  "backend_roles": [
    "test-barocco"
  ],
  "custom_attribute_names": [],
  "roles": [
    "own_index",
    "test-barocco"
  ],
  "tenants": {
    "test-barocco": true,
    "IO": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

This is the local user I have to test my configuration.

Without a custom tenant it works. I think I will use the Global Tenant for all the users. I think it was a version bug, because in the tenant I can't create an index pattern but I can delete an index. Strange things…

Now I'm facing a problem with the index permission in my role.
I have “read” “search” permission. If I use * in the index pattern I see all my logs.

If I use, for example, ioio0-test* (datastream), I can't see any logs.

I've fixed it. The problem was that in my opensearch_dashboard I commented out this entry:

opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]

And in the roles → index pattern I had missed privileges for the .kibana index.

Thanks
Andrea
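
A small offline check for the two misconfigurations named in the fix above, added here as an example and not part of the original thread: it reports when the `opensearch.requestHeadersAllowlist` line is commented out or lacks `securitytenant`, and when a role has no index permissions matching `.kibana`. The role dictionaries, the index name `ioio0-test-000001`, the action granted on `.kibana*` and the shell-style wildcard matching are assumptions made for the illustration.

```python
import fnmatch
import re

ALLOWLIST_KEY = "opensearch.requestHeadersAllowlist"

def allowlist_headers(dashboards_yml):
    """Header names from the active (uncommented) allowlist line, or None."""
    for line in dashboards_yml.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # a commented-out entry is not in effect
        m = re.match(re.escape(ALLOWLIST_KEY) + r"\s*:\s*\[(.*?)\]", stripped)
        if m:
            return [h.strip().strip("\"'").lower()
                    for h in m.group(1).split(",") if h.strip()]
    return None

def role_covers(role, index_name):
    """True if an index_patterns entry with allowed actions matches index_name.
    Assumption: plain wildcard matching approximates the plugin's matching."""
    for perm in role.get("index_permissions", []):
        patterns = perm.get("index_patterns", [])
        if perm.get("allowed_actions") and any(
                fnmatch.fnmatchcase(index_name, p) for p in patterns):
            return True
    return False

def check(dashboards_yml, role, log_index):
    findings = []
    headers = allowlist_headers(dashboards_yml)
    if headers is None:
        findings.append("requestHeadersAllowlist is missing or commented out")
    elif "securitytenant" not in headers:
        findings.append("securitytenant is not in requestHeadersAllowlist")
    for index in (".kibana", log_index):
        if not role_covers(role, index):
            findings.append("role has no index permissions on " + index)
    return findings

# Constructed sample inputs mirroring the thread (not taken from a real cluster).
BROKEN_YML = "# opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]"
FIXED_YML = "opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]"
LOGS = {"index_patterns": ["ioio0-test*"], "allowed_actions": ["read", "search"]}
BROKEN_ROLE = {"index_permissions": [LOGS]}
FIXED_ROLE = {"index_permissions": [
    LOGS, {"index_patterns": [".kibana*"], "allowed_actions": ["read"]}]}

if __name__ == "__main__":
    print(check(BROKEN_YML, BROKEN_ROLE, "ioio0-test-000001"))
    print(check(FIXED_YML, FIXED_ROLE, "ioio0-test-000001"))
```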


Check your role’s index permissions—wildcard