Limit access for a role to a specific tenant/index/view

Versions:
OpenSearch: 2.7.0
OpenSearch Dashboard: 2.7.0
Running both in docker-compose.
Only log ingestion is being used so far (fluent-bit → data-prepper → opensearch)

Describe the issue:
Hello everyone,

I have two questions:

1. Tenants

I have activated tenants within my setup and I found out how to limit a role to a specific tenant.
E.g. by using:

   tenant_permissions:
     - tenant_patterns:
         - 'tenant_name'

But I did not find out how to move an existing index to this tenant, so that only the role with access to that tenant can actually access the index with tenant_name.
Also: How can I specify from the log sending part (data-prepper) to which index/tenant the data should be sent?

2. Principle of least privilege

I do have a role, which is used within the example above:

g_63_read_only:
  reserved: false
  hidden: false
  cluster_permissions:
    - 'cluster_composite_ops'
    - 'indices_monitor'
  index_permissions:
    - index_patterns:
        - 'g_63_*'
        - '.kibana'
      dls: ''
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
  tenant_permissions:
    - tenant_patterns:
        - 'global_tenant'
      allowed_actions:
        - 'kibana_all_read'
  static: false

By using the Discover tab, that role is only able to access and see data inside the indices with the name g_63_*, as this is the main purpose for this role. But it also sees other indices, without being able to access them, as a Forbidden message appears. (I’m still confused, by the way, that I have to use .kibana to make the view possible for this role; I guess it is a migration “feature”.)

Is it possible to not display/hide the other indices for this role? (This is also something I wanted to achieve by using tenants.)

Also: Is it possible for that role to not display all the others: Observability/OpenSearch Plugins/Management? I would love to have that in e.g. a config, as I’m stateless and I do not want to configure it again when setting up docker-compose.

Thanks a lot!

@B3n As per the documentation, tenants are designed to separate OpenSearch Dashboards objects, i.e. dashboards, visualisations, index patterns etc.

https://opensearch.org/docs/latest/security/multi-tenancy/tenant-index/

Tenants do not control access to OpenSearch indexes. This is controlled by security roles.
OpenSearch indices can’t be assigned to OpenSearch Dashboards tenants.

If the user has two tenants assigned in a single role with the index permission, that index permission will affect both tenants. The same applies if the user has two separate roles, one for each tenant. The index permissions in all those roles would apply to all assigned tenants.

The .kibana index is a leftover from OpenDistro, which was based on Elasticsearch and Kibana. This doesn’t affect the functionality of OpenSearch in any way; it is only a cosmetic issue.

Have you tried to use do_not_fail_on_forbidden?

The current security plugin can’t control other modules’ appearance in the OpenSearch Dashboards. The only available option that can limit the OpenSearch Dashboards view is opensearch_security.readonly_mode.roles. This must be set in the opensearch_dashboards.yml file.

https://opensearch.org/docs/latest/security/access-control/users-roles/


Hey @pablo, thanks a lot for your input!

Okay, so tenants wouldn’t be useful in my case and I might deactivate them.

I was actually using do_not_fail_on_forbidden: true in my config:

config:
  dynamic:
    do_not_fail_on_forbidden: true

But it did not have any effect, or the role (see above) was too mighty.

What i now did, is the following in my opensearch-dashboards.yml:

opensearch_security.readonly_mode.roles: ["g_63_read_only"]

That worked, and now I can only see exactly what you’ve posted in your screenshot.

Thanks a lot already for this! Do you know what kind of rights I need to give the role to see the Discovery and access the index g_64_*?

Thank you!

@B3n You can start with read permission or test indices:data/read variations.

What do you mean by other indices? Do you mean all indices starting with g_63_ or all remaining indices in the cluster?

@pablo I’m now with:

opensearch_security.readonly_mode.roles: ["g_63_read_only"] inside my opensearch-dashboards.yml

where my role looks like the following:

g_63_read_only:
  reserved: false
  hidden: false
  cluster_permissions:
    - 'cluster_composite_ops_ro'
  index_permissions:
    - index_patterns:
        - 'g_63_*'
        - '.kibana'
      dls: ''
      fls: []
      masked_fields: []
      allowed_actions:
        - 'indices:data/read'
  static: false

But it seems like when I’m using opensearch_security.readonly_mode.roles with that role, I can add index_permissions/cluster_permissions as much as I want, it will only show the Dashboard or e.g. the screenshot you’ve posted. The Discover tab is not being shown.

What do you mean by other indices? Do you mean all indices starting with g_63_ or all remaining indices in the cluster?

I mean all the remaining indices. For example, I have different sources where I’m getting data from data-prepper and I want to separate each of them.

Like:

  1. Data-Prepper client (dedicated virtual machine) sends logs to index: g_63_dev_logs
  2. Data-Prepper client (dedicated virtual machine) sends logs to index: g_53_dev_logs

and so on. So my plan is, to have the role g_63_read_only only being able to see the Discover and to access the data inside g_63_dev_logs.

@B3n opensearch_security.readonly_mode.roles only limits the OpenSearch Dashboards UI to the Dashboards module. There are no other index permissions assigned.

There is no option or permission that would allow seeing only Discovery in OpenSearch Dashboards UI.

The role is correct and will only allow reading the indices declared in the index_patterns.

@pablo so basically that means that my usecase is not possible, right?

Yes, you’re correct.

I have the same situation. Users can view/search all existing indices, but can only access the indices I gave them the needed permissions for. When a user clicks on an index they do not have permission for, a “SecurityException” comes up:

[security_exception] no permissions for [indices:admin/get] and User [name=test_user, backend_roles=[], requestedTenant=]

Example:

I have the following role:

resource "opensearch_role" "writer" {
  role_name   = "logs_writer"
  description = "Logs writer role"

  cluster_permissions = [
    "cluster:monitor/state", "cluster:monitor/health" // Minimal cluster permission required to access OpenSearch
  ]

  index_permissions {
    index_patterns  = ["security*"]
    allowed_actions = ["*"] // Added the required permission
  }
}

The mappings:

# Create a role mapping
resource "opensearch_roles_mapping" "writer_mapper" {
  role_name   = "logs_writer"
  description = "Mapping write roles to OS role"
  users       = ["test_user"]
}

resource "opensearch_roles_mapping" "kibana_user" {
  role_name   = "kibana_user"
  description = "Mapping kibana_user to user"
  users       = ["test_user"]
}

The following settings are set to true:

    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true

Now a screenshot showing what the “test_user” user can see in “Indices Table”

Now, when typing “opensearch” in the search bar:

I did not give “test_user” permissions to see them right? When clicking on one of the indices in the screenshot. I get following security_exception:


Yep, that’s also correct, but the final question comes here:

How can I restrict users so they can’t view/search all indices, but only the indices they have the needed permissions for? @pablo

@hm21 These are the minimum permissions required to list indices in the reported view.

However, this only allows me to list them. If I click on any of those and I don’t have permissions assigned then I’ll see the following error.

@pablo What happens when you remove the “index permissions”? Would you still be able to “list” all indices?
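The behaviour discussed across this thread (index access is decided by role index_permissions and not by tenants, do_not_fail_on_forbidden narrows a mixed request instead of rejecting it, and cluster:monitor/state is enough to list every index name while indices:admin/get on an unpermitted index still fails) can be captured in a small model. The script below is an added example written for this page; it is not code from OpenSearch, the security plugin, Data Prepper or any poster. The cluster state, the partial expansion of the `read` action group, and the `list_only` role are constructed assumptions, and the matching is plain shell-style wildcards, so it illustrates the pattern logic rather than reproducing the plugin's exact tables.

```python
"""Simplified model of how OpenSearch security roles authorise index access.

Added example for this thread, not code from OpenSearch or from any poster.
Cluster state and action-group expansion are constructed assumptions.
Tenants are deliberately absent: they scope Dashboards saved objects only.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed cluster state: every index name in the cluster.
CLUSTER_INDICES = [
    "g_63_dev_logs", "g_63_prod_logs", "g_53_dev_logs",
    ".kibana", ".opendistro_security", "security-auditlog-2023.05",
]

# Partial expansion of the built-in "read" action group (assumption, demo only).
ACTION_GROUPS = {
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*",
             "indices:admin/resolve/index"],
}


@dataclass(frozen=True)
class IndexPermission:
    index_patterns: tuple
    allowed_actions: tuple


@dataclass(frozen=True)
class Role:
    name: str
    cluster_permissions: tuple
    index_permissions: tuple


def expand(actions):
    """Expand action-group names to action patterns; unknown names pass through."""
    out = []
    for action in actions:
        out.extend(ACTION_GROUPS.get(action, [action]))
    return out


def matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def index_action_allowed(roles, index, action):
    """True if some role grants `action` on `index` through a matching pattern."""
    return any(
        matches(perm.index_patterns, index) and matches(expand(perm.allowed_actions), action)
        for role in roles for perm in role.index_permissions
    )


def listable_indices(roles, cluster_indices=CLUSTER_INDICES):
    """Names the user can enumerate. Modelled on the thread: cluster:monitor/state
    lists every index name; index_permissions play no part in this decision."""
    if any(matches(expand(r.cluster_permissions), "cluster:monitor/state") for r in roles):
        return list(cluster_indices)
    return []


def resolve_request(roles, action, requested, *, do_not_fail_on_forbidden,
                    cluster_indices=CLUSTER_INDICES):
    """Resolve index patterns, authorise `action` on each concrete index.
    Returns ("ok", indices) or ("forbidden", denied). With do_not_fail_on_forbidden
    a mixed request is narrowed to the permitted subset; an empty subset still fails."""
    concrete = [i for i in cluster_indices if matches(requested, i)]
    permitted = [i for i in concrete if index_action_allowed(roles, i, action)]
    denied = [i for i in concrete if i not in permitted]
    if not denied or (do_not_fail_on_forbidden and permitted):
        return ("ok", permitted)
    return ("forbidden", denied)


# Roles as posted in the thread (tenant_permissions omitted on purpose).
G63_READ_ONLY = Role("g_63_read_only", ("cluster_composite_ops_ro",),
                     (IndexPermission(("g_63_*", ".kibana"), ("read",)),))
LOGS_WRITER = Role("logs_writer", ("cluster:monitor/state", "cluster:monitor/health"),
                   (IndexPermission(("security*",), ("*",)),))
# Hypothetical role for the last question: cluster permissions only, no index_permissions.
LIST_ONLY = Role("list_only", ("cluster:monitor/state", "cluster:monitor/health"), ())


def demo():
    search = "indices:data/read/search"
    return {
        # Wildcard search over g_*: narrowed with the setting on, rejected with it off.
        "g63_search_narrowed": resolve_request([G63_READ_ONLY], search, ["g_*"], do_not_fail_on_forbidden=True),
        "g63_search_strict": resolve_request([G63_READ_ONLY], search, ["g_*"], do_not_fail_on_forbidden=False),
        # The literal 'indices:data/read' from the second posted role carries no wildcard,
        # so in this model it does not cover the search action ('read' or 'indices:data/read*' do).
        "literal_action_grants_search": index_action_allowed(
            [Role("literal", (), (IndexPermission(("g_63_*",), ("indices:data/read",)),))],
            "g_63_dev_logs", search),
        # test_user lists every name, but indices:admin/get only succeeds on security*.
        "test_user_listing": listable_indices([LOGS_WRITER]),
        "test_user_open_denied": resolve_request([LOGS_WRITER], "indices:admin/get", [".opendistro_security"], do_not_fail_on_forbidden=True),
        "test_user_open_ok": resolve_request([LOGS_WRITER], "indices:admin/get", ["security-auditlog-2023.05"], do_not_fail_on_forbidden=True),
        # Dropping index_permissions entirely leaves the listing untouched.
        "list_only_listing": listable_indices([LIST_ONLY]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with `python3 role_model.py` (any file name works). The two `g63_search_*` results show why do_not_fail_on_forbidden changes what Discover displays without hiding anything: the plugin narrows the query, it does not filter the name list. The `literal_action_grants_search` result is the check to run against the second posted role, whose `indices:data/read` entry has no trailing wildcard. The three listing results model pablo's statement that cluster:monitor/state and cluster:monitor/health are the minimum needed to list indices, and therefore that removing index_permissions would not remove the names from the table.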