Internal read-only user cannot view any dashboards/data

Versions 3.5.0 via Docker:

Describe the issue: I’m trying to create an analyst user role that grants read-only access to dashboards in specific tenants. I’ve created a role that I thought would accomplish that and mapped it to a user named sean, but when I click on dashboards, I get an error.

Application Not Found

No application was found at this URL. Try going back or choosing an app from the menu.

This is an indication that the user doesn’t have access to any data. This is not related to public tenant permissions because the dashboards are in separate tenants that the user has access to. The default application is correct.

Configuration:

Analyst role:

  • cluster permissions
    • cluster:admin/opensearch/ql/datasources/read (added after I saw a warning in the logs about the user missing this permission)
    • cluster_composite_ops_ro
  • Index permissions
    • Indexes
      • *_dmarc_aggregate*
      • *_dmarc_fo*
      • *_smtp_tls*
    • Permissions
      • Read
  • Tenant permissions
    • client_* read-only

Relevant Logs or Screenshots:

Related links:

Defining users and roles - OpenSearch Documentation

“Application Not Found” Error on Opensearch Dashboards Overview - OpenSearch Dashboards - OpenSearch

Opensearch Security - Read only Role - Security - OpenSearch

[BUG] Warning `Application Not Found` is shown when trying to access to ‘Dashboards’ if no index pattern exists and it’s in readonly mode · Issue #9268 · opensearch-project/OpenSearch-Dashboards
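The analyst role listed in this post, written out as Security plugin `roles.yml` and `roles_mapping.yml` entries (an added example, not configuration from the original poster or the dmarc-msp project). The role key `analyst` is an assumed name; `kibana_all_read` is the tenant action that the read-only tenant choice corresponds to.

```yaml
# roles.yml (added example; the role key "analyst" is an assumed name)
analyst:
  reserved: false
  cluster_permissions:
    # Added by the poster after a log warning about this missing permission
    - "cluster:admin/opensearch/ql/datasources/read"
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "*_dmarc_aggregate*"
        - "*_dmarc_fo*"
        - "*_smtp_tls*"
      allowed_actions:
        - "read"
  tenant_permissions:
    # Read-only access to every tenant whose name starts with client_
    - tenant_patterns:
        - "client_*"
      allowed_actions:
        - "kibana_all_read"
---
# roles_mapping.yml (added example): map the internal user to the role
analyst:
  users:
    - "sean"
```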

@seanthegeek Could you share your opensearch_dashboards.yml file?

@pablo

# Default settings from /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml

opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]

opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: [Private, Global]
opensearch_security.readonly_mode.roles: [kibana_read_only]
server.host: '0.0.0.0'

# End of default settings

# Enable secure cookies
opensearch_security.cookie.secure: true

# Turn off unused features
data_source.enabled: false
workspace.enabled: false
explore.enabled: false

# Add custom settings below

opensearchDashboards.branding:
  logo:
    defaultUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-logo.svg"
    darkModeUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-logo.svg"
  mark:
    defaultUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-mark.svg"
    darkModeUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-mark.svg"
  loadingLogo:
    defaultUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-mark.svg"
    darkModeUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-osd-mark.svg"
  faviconUrl: "https://dmarc.whalensolutions.com/ui/branding/whalen-solutions-icon.svg"
  applicationTitle: "Whalen Solutions"
  useExpandedHeader: true

It’s part of a project called DMARC for MSPs. You can find the source code here domainaware/dmarc-msp: A complete Docker stack for managing DMARC data for MSPs (and everyone else)

Including the exported Dashboard objects parsedmarc/opensearch/opensearch_dashboards.ndjson at master · domainaware/parsedmarc

Other things I just tried at the suggestion of Claude with no success:

  • Ensuring that sean is mapped to the kibana_read_only role
  • Adding access to the .kibana* and .opensearch_dashboards* indices to the analyst role
  • Adding the get and search permission sets to the analyst role

I figured out what my actual problem with opensearch dashboards is, but not how to solve it. The user had access to Dashboards this whole time, but the big visualize and analyze item that you instinctively click on upon first logging in leads to /app/opensearch_dashboards_overview. How can I grant users access to that, or change that button to redirect to /app/Dashboards instead?

I found two solutions for this.

Setting this in opensearch_dashboards overrides the landing URL for every tenant and makes it the dashboards app instead of the home app.

uiSettings.overrides.defaultRoute: /app/dashboards

However, the logo in the top left still links to the home application, so I added a redirect in nginx in front of OpenSearch Dashboards.

# Redirect home app (that non-admins can't use) to dashboards
location = /app/home {
  return 302 /app/dashboards;
}

@seanthegeek Is the current issue only with the top icon in the OpenSearch Dashboard and on the home page?

If that is correct, I would suggest opening a Feature Request in the OpenSearch Dashboards GitHub repo.
The current read-only mode in OpenSearch Dashboards hides most of the options, but it doesn’t modify the icons’ behaviour.

I opened a bug report [BUG] Read-only users are directed to apps they can’t access from the home app · Issue #11734 · opensearch-project/OpenSearch-Dashboards