LDAP users assigned to roles and index security error

Hi All,

Any thoughts or help is appreciated.

I have LDAP AUTHC and AUTHZ configured correctly and am able to see the users' backend roles. Users can log in.

If my Open Distro role, say app1_read, has access to indexes *, then users can query the indexes in Kibana.

I would like to have two roles, app1_read and app2_read, and segregate the indexes:
app1_read can read indexes app1_idx1, app1_idx2
app2_read can read indexes app2_idx1, app2_idx2

If I have role index permissions that include Index * Permissions read, users can read all indexes from Kibana.

The moment I add specific indexes and remove the Index *, the Kibana Discover tab does not load and I see the following in the logs:
app1_read has index permissions for app1 read
app2_read has index permissions for app2* read

[2021-01-07T14:30:51,870][INFO ][c.a.o.s.p.PrivilegesEvaluator] [wamapnap01] No index-level perm match for User [name=user1, backend_roles=[ B1, B2 ], requestedTenant=null] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana], remoteIndices=] [Action [indices:data/read/search]] [RolesChecked [own_index, app1_read]]
[2021-01-07T14:30:51,870][INFO ][c.a.o.s.p.PrivilegesEvaluator] [wamapnap01] No permissions for [indices:data/read/search]

I am also confused about which cluster permissions and index permissions to assign to roles. Is there a document or cheat sheet?

app1_read has index permissions for app1* read <== correct info
app2_read has index permissions for app2* read

One issue that I seem to have had was that if I had used * as the index (pattern), then I was able to view the logs and search them.

If I used a specific index pattern, e.g. app1*, then it did not work.

When watching the AWS re:Invent video on YouTube (AWS re:Invent 2019: Secure your Open Distro for Elasticsearch cluster (OPN204) - YouTube), I found that I had to add my backend roles to the kibanauser role.

Once I did that, I was able to view the indexes in Kibana.

So, to summarize: if I had * as the index pattern, then it worked without the Kibana user role. If I used any other index pattern, then I had to add the users/backend role to the Kibana user role.

I did not want to grant index_all to these users.

I will do more digging and potentially close this thread if my issue is solved.

Working as described above. I don't have issues now.
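The setup the thread arrives at, written out as Open Distro security configuration (an added example, not the poster's files): app1_read and app2_read each get only their own index pattern, and the backend roles from the log line (B1, B2; which LDAP group maps to which application is assumed here) are also mapped to the built-in kibana_user role, which covers the .kibana read that the PrivilegesEvaluator denied. That is why * "worked": it silently matched .kibana as well.

```yaml
# roles.yml (Open Distro security, config_version 2)
_meta:
  type: "roles"
  config_version: 2

app1_read:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"   # msearch/mget/scroll used by Discover
  index_permissions:
    - index_patterns:
        - "app1*"                  # app1_idx1, app1_idx2, ... only
      allowed_actions:
        - "read"

app2_read:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "app2*"
      allowed_actions:
        - "read"

---
# roles_mapping.yml: LDAP backend roles -> security roles.
# B1/B2 are the backend_roles from the poster's log; which is which is assumed.
_meta:
  type: "rolesmapping"
  config_version: 2

app1_read:
  reserved: false
  backend_roles:
    - "B1"

app2_read:
  reserved: false
  backend_roles:
    - "B2"

# Built-in role with read/write on .kibana* only. Without it, the
# PrivilegesEvaluator denies indices:data/read/search on .kibana,
# which is the error in the log once "*" was removed above.
kibana_user:
  reserved: false
  backend_roles:
    - "B1"
    - "B2"
```

Apply both files with securityadmin.sh (or through the Kibana Security UI); the `---` separator is only there to show both files in one block, they are separate files on disk.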