Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v2.15
Describe the issue:
We are controlling permissions to provide each user with a custom tenant for each project,
but when a user connects to a tenant with a role like the one below, there are cases where the error mentioned in the issue occurs and cases where it does not.
Why does it happen when accessing Discovery or Home?
Through the backend_roles shown in the following log, we create two tenants and allow users to access the two custom tenants.
Even though we connected the same role configuration, one side has an error and the other side does not.
Configuration:
    "cluster_permissions": [
        "cluster:admin/opensearch/ql/datasources/read",
        "indices:data/read/mget"
    ],
    "index_permissions": [
        {
            # index patterns are passed as a list, templated per tenant
            "index_patterns": [f"{tenant_name}-*"],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read"]
        }
    ],
    "tenant_permissions": [
        {
            "tenant_patterns": [f"{tenant_name}"],
            "allowed_actions": ["kibana_all_read", "kibana_all_write"],
        }
    ],
Relevant Logs or Screenshots:
Dec 17 19:38:11 opensearch-dashboards[2566944]: {"type":"log","@timestamp":"2024-12-17T10:38:11Z","tags":["error","opensearch","data"],"pid":2566944,"message":"[security_exception]: no permissions for [indices:data/write/bulk] and User [name=dev, backend_roles=[ raycluster, test-raycluster], requestedTenant=raycluster]"}
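A triage aid for the log line and role above, added here as an example and not part of the original post: it parses the `security_exception` message and checks whether the denied action is literally listed anywhere in the role. It assumes `tenant_name` is `raycluster` and does not expand action-group names such as `read`; the function names are hypothetical.

```python
import json
import re
from fnmatch import fnmatchcase

# Log payload from the post (syslog prefix dropped, quotes normalised).
LOG_LINE = '{"type":"log","@timestamp":"2024-12-17T10:38:11Z","tags":["error","opensearch","data"],"pid":2566944,"message":"[security_exception]: no permissions for [indices:data/write/bulk] and User [name=dev, backend_roles=[ raycluster, test-raycluster], requestedTenant=raycluster]"}'

# Role from the post, rendered for tenant_name="raycluster" (assumed value).
ROLE = {
    "cluster_permissions": [
        "cluster:admin/opensearch/ql/datasources/read",
        "indices:data/read/mget",
    ],
    "index_permissions": [{"index_patterns": ["raycluster-*"], "allowed_actions": ["read"]}],
    "tenant_permissions": [{"tenant_patterns": ["raycluster"],
                            "allowed_actions": ["kibana_all_read", "kibana_all_write"]}],
}

DENIED = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,]+), "
    r"backend_roles=\[(?P<roles>[^\]]*)\], requestedTenant=(?P<tenant>[^\]]*)\]"
)

def parse_denial(line):
    """Extract denied action, user, backend roles and tenant from a Dashboards log line."""
    message = json.loads(line[line.index("{"):])["message"]
    m = DENIED.search(message)
    if m is None:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("user"),
            "backend_roles": roles, "tenant": m.group("tenant")}

def listed_in(action, patterns):
    """True if the action matches a listed permission string (wildcards allowed)."""
    return any(fnmatchcase(action, p) for p in patterns)

def explain(line, role):
    """Report where, if anywhere, the role literally lists the denied action."""
    d = parse_denial(line)
    d["in_cluster_permissions"] = listed_in(d["action"], role["cluster_permissions"])
    d["in_index_allowed_actions"] = any(
        listed_in(d["action"], ip["allowed_actions"]) for ip in role["index_permissions"])
    d["tenant_matches_role"] = any(
        fnmatchcase(d["tenant"], t) for tp in role["tenant_permissions"] for t in tp["tenant_patterns"])
    return d

if __name__ == "__main__":
    print(json.dumps(explain(LOG_LINE, ROLE), indent=2))
```

For this log line the tenant pattern matches, but `indices:data/write/bulk` is listed in neither `cluster_permissions` nor the index `allowed_actions` of the role.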