Kibana_user role - "read only" restriction

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

opensearch-operator-2.8.0
OS 3.1

Describe the issue:

I am baffled by the way standard role assignment works in OS.
My goal is to have an OIDC assigned mapping done for external users to have a read only view (on everything, basically).

It is fine, as long as they have:

  • readall
  • kibana_user

assigned.
The problem is the kibana_user makes it possible to delete indexes.

I was working on this and created a “kibana_restricted” role (see below).
I assigned it instead of kibana_user.
Looks like it is not sufficient: mapped users do not have access to indexes.

Could you please advise ?

Configuration

The kibana_restricted I was trying - based on security/src/main/resources/static_config/static_roles.yml at main · opensearch-project/security · GitHub

I removed “delete” from the permissions.

Relevant Logs or Screenshots:

n/a

@mkur Can you provide more information as to which indices the user doesn’t have access to?

I tested this with OS3.3 and using the below role:

kibana_user_copy:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_composite_ops_ro"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".kibana-6"
    - ".kibana_*"
    - ".opensearch_dashboards"
    - ".opensearch_dashboards-6"
    - ".opensearch_dashboards_*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "read"
  - index_patterns:
    - ".tasks"
    - ".management-beats"
    - "*:.tasks"
    - "*:.management-beats"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"

Together with the default readall role, the user is able to view the dashboards and not able to delete any indices except for its own private tenant.

When you log in as the user in question, what roles do you see assigned in “View roles and identities”?
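A quick way to check a role like the one above before mapping it to OIDC users is to ask which of its index patterns actually expand to the `indices:admin/delete` action (what `DELETE /<index>` needs). The script below is an added example written for this thread, not code from the posts or from the opensearch-project/security repo. It transcribes the `kibana_user_copy` role into a dict, builds a constructed "wide" variant with `indices_all` on the dashboards indices for contrast, and reports which sample index names each role could delete. The action-group expansion table is an assumption: a simplified subset modelled on the plugin's static `action_groups.yml`, and plain glob matching stands in for the plugin's own wildcard matcher.

```python
"""Audit an OpenSearch Security role for the ability to delete indices.

Added example for this thread; not code from the original posts or from the
opensearch-project/security repository.
"""
import fnmatch
from copy import deepcopy

# Assumption: simplified expansion of a few built-in action groups, modelled on
# the security plugin's static action_groups.yml. Only groups used here are
# listed; any unknown name is treated as a raw action pattern.
ACTION_GROUPS = {
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "delete": ["indices:data/write/delete*"],  # document deletion, not index deletion
    "indices_all": ["indices:*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
    "unlimited": ["*"],
}

# Concrete action behind DELETE /<index>.
INDEX_DELETE_ACTION = "indices:admin/delete"


def expand_actions(allowed_actions):
    """Replace action-group names with their member action patterns."""
    expanded = []
    for action in allowed_actions:
        expanded.extend(ACTION_GROUPS.get(action, [action]))
    return expanded


def grants_index_delete(allowed_actions):
    """True if any granted action pattern covers indices:admin/delete."""
    return any(fnmatch.fnmatchcase(INDEX_DELETE_ACTION, pattern)
               for pattern in expand_actions(allowed_actions))


def index_delete_exposure(role):
    """Return (index_pattern, allowed_actions) pairs that permit index deletion."""
    exposure = []
    for entry in role.get("index_permissions", []):
        actions = entry.get("allowed_actions", [])
        if grants_index_delete(actions):
            for pattern in entry.get("index_patterns", []):
                exposure.append((pattern, ", ".join(actions)))
    return exposure


def affected_indices(role, index_names):
    """Sorted list of concrete index names the role could delete."""
    hits = set()
    for pattern, _ in index_delete_exposure(role):
        hits.update(n for n in index_names if fnmatch.fnmatchcase(n, pattern))
    return sorted(hits)


# The kibana_user_copy role from the reply above, transcribed as a dict.
KIBANA_USER_COPY = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {"index_patterns": [".kibana", ".kibana-6", ".kibana_*",
                            ".opensearch_dashboards", ".opensearch_dashboards-6",
                            ".opensearch_dashboards_*"],
         "allowed_actions": ["read"]},
        {"index_patterns": [".tasks", ".management-beats",
                            "*:.tasks", "*:.management-beats"],
         "allowed_actions": ["indices_all"]},
    ],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"],
                            "allowed_actions": ["kibana_all_read"]}],
}

# Constructed variant for contrast: same role, but indices_all on the
# dashboards indices instead of read.
WIDE_VARIANT = deepcopy(KIBANA_USER_COPY)
WIDE_VARIANT["index_permissions"][0]["allowed_actions"] = ["indices_all"]

# Constructed sample of index names as they might exist on a cluster.
SAMPLE_INDICES = [".kibana_1", ".opensearch_dashboards_1", ".tasks",
                  "logs-2024.01", "app-data"]

if __name__ == "__main__":
    for name, role in (("kibana_user_copy", KIBANA_USER_COPY),
                       ("wide_variant", WIDE_VARIANT)):
        print(name, "can delete:", affected_indices(role, SAMPLE_INDICES))
```

Run it as-is and the `kibana_user_copy` role only reaches `.tasks` among the sample names, while the constructed wide variant also reaches the dashboards indices; the `delete` action group on its own never shows up, because it expands to document-level `indices:data/write/delete*` rather than `indices:admin/delete`.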

Thanks @Anthony.

That works fine.
