Looking for support to create a read-only user with existing documentation

Hi,

I have a simple use case where I would like to give users access to specific indices (related index templates of the Global tenant as well) only to look at the data in OpenSearch Dashboards. I followed the instructions here: Users and roles - OpenSearch documentation

However, roles opensearch_dashboards_read_only and opensearch_dashboards_user do not exist and when I checked the current and even historical changes to the roles.yml on GitHub (https://github.com/opensearch-project/security/blob/main/config/roles.yml) I couldn’t find anything related to these roles either.

I tried a lot of different things that didn’t work but right now, this is where I am. After some testing, I see this configuration allows me to access the indices I should have access to with the Private tenant but I cannot access anything of the Global tenant where the dashboard and visualizations are created, which is my problem. This is how the planning user is set up:

{
  "planning" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "planning"
    ],
    "attributes" : { },
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}

This is how the planning role is set up:

{
  "planning" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops_ro"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "sip-pbx-usage-*",
          "sip-pbx-licenses-*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read"
        ]
      }
    ],
    "static" : false
  }
}

The role mapping configuration:

{
  "planning" : {
    "hosts" : [ ],
    "users" : [
      "planning"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "planning"
    ],
    "and_backend_roles" : [ ]
  }
}

And the issue is that when using the Global tenant, going to Discover, Dashboard or Visualize will show this empty page:

There is also this error message shown in the logs when I move between the Discover, Dashboard and Visualize sections of OpenSearch Dashboards:

{"type":"log","@timestamp":"2022-07-21T13:00:38Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=planning, backend_roles=[], requestedTenant=]"}

I don’t understand what this log really means because even if I add the permission at the cluster level to the planning role, it changes absolutely nothing: I still get the very same error message.

How could I resolve the current issue I have? Any help would be greatly appreciated!

Thank you very much!

I did something similar last week, and just like you I couldn’t find the users. My idea was to give read access to 2 indexes, one with a restriction on the field nginx_appname being the value myapp.
I started in the UI until I got it working. This is easier than trying to do it with the REST endpoint from the start. Below is the result of the GET role request. Hope this helps.

{
  "Myapp" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "filebeat-xyz*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      },
      {
        "index_patterns" : [
          "filebeat-abc*"
        ],
        "dls" : """{
    "bool": {
        "must": {
            "match": {
            "nginx_appname": "my app"
            }
        }
    }
}""",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

Thank you for the response @drBenway ! I ended up just taking several hours to test things to help me figure out how permissions worked and how tenants worked. I believe I ended up being all set maybe 1-2 weeks after I sent this question here.

Hi @davidlag,

Can you give us more details on how you figured out how permissions work? Maybe a small example like the one that @drBenway gave, to clarify this, because it is really important to understand it, and the documentation is not clear about it.

Thanks in advance.

Can someone help me here too? I am still facing a similar issue. Can someone confirm whether the REST API works fine? If you can, please dump a sample user request and role request payload for the same, one which works well. @davidlag

Hello,

Same problem here, OpenSearch 2.2: the roles opensearch_dashboards_read_only and opensearch_dashboards_user do not exist.

Regards.

Hey there, @davidlag

The only thing that helped me, after endless hours of configuring, was simply adding kibana_user permissions to the internal user in question and setting permissions by adding a dedicated group with privileges.
Don’t forget to add the roles to opendistro_security_roles. I can’t say what exactly is going on, but I couldn’t access my indices without adding my group to opendistro_security_roles.


# internal_users.yml (fragment)
<<your_user>>:
  opendistro_security_roles:
  - "kibana_user"
  - "<<your_dedicated_group>>"
  backend_roles:
  - "kibana_user"
  - "<<your_dedicated_group>>"

# roles.yml
my_role:
  reserved: false
  #hidden: false
  cluster_permissions:
  - 'cluster_composite_ops'
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - '*'
  tenant_permissions: []
  static: false

The log means your role doesn’t have permission for the indices you mentioned.
Also, it doesn’t display your backend role, which is rather concerning. If you configure internal users, it’s always nice to have them set up in the .yml config files: config.yml / internal_users.yml / roles.yml.
If you configure all your users through the API and then restart the security script, every user configured through the API will be erased. Please bear that in mind.

{"type":"log","@timestamp":"2022-07-21T13:00:38Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=planning, backend_roles=[], requestedTenant=]"}

I think what you need is to add indices:data/read/search to allowed_actions. If OpenSearch demands any more permissions, like cluster:*, indices:*, monitor:* etc., you add them to allowed_actions as well.

{
  "planning" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops_ro"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "sip-pbx-usage-*",
          "sip-pbx-licenses-*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices:data/read/search"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read"
        ]
      }
    ],
    "static" : false
  }
}

Tag me in any case,
Yours,
Sam
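As an added example (not code from this thread or from the OpenSearch project): a small offline checker that parses the security_exception log line quoted above, expands the posted planning role's action groups and reports which index patterns would grant the denied action and whether the posted role mapping can still apply when, as in the log, the request carried no backend roles. The action-group table is an assumed, simplified subset (the authoritative definitions are in the action_groups.yml of your OpenSearch version), fnmatch wildcards stand in for the plugin's own matching, and the index names are constructed.

```python
import fnmatch
import json
import re

# The Dashboards log line quoted in the thread (copied here so the script runs offline).
LOG_LINE = ('{"type":"log","@timestamp":"2022-07-21T13:00:38Z","tags":["error","opensearch","data"],'
            '"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] '
            'and User [name=planning, backend_roles=[], requestedTenant=]"}')

# The planning role and role mapping from the thread, trimmed to the fields this check uses.
PLANNING_ROLE = {"index_permissions": [{"index_patterns": ["sip-pbx-usage-*", "sip-pbx-licenses-*"],
                                        "allowed_actions": ["read"]}]}
PLANNING_MAPPING = {"users": ["planning"], "backend_roles": ["planning"]}

# Assumed, simplified subset of the built-in action groups; the authoritative list is the
# action_groups.yml shipped with your OpenSearch version.
ACTION_GROUPS = {"read": ["indices:data/read*", "indices:admin/mappings/fields/get*"]}

DENIAL_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User "
                       r"\[name=(?P<user>[^,]+), backend_roles=\[(?P<backend>[^\]]*)\], "
                       r"requestedTenant=(?P<tenant>[^\]]*)\]")

def parse_denial(line):
    """Extract the denied action, user, backend roles and requested tenant from a log line."""
    m = DENIAL_RE.search(json.loads(line)["message"])
    if not m:
        return None
    return {"action": m["action"], "user": m["user"],
            "backend_roles": [b.strip() for b in m["backend"].split(",") if b.strip()],
            "tenant": m["tenant"] or "(default)"}

def expand(actions):
    """Replace action-group names by their member patterns; raw action names pass through."""
    return [p for a in actions for p in ACTION_GROUPS.get(a, [a])]

def index_patterns_allowing(role, action, index):
    """Index patterns of `role` that grant `action` on `index`; an empty list means the role denies it."""
    hits = []
    for perm in role["index_permissions"]:
        if any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]) and \
                any(fnmatch.fnmatchcase(action, a) for a in expand(perm["allowed_actions"])):
            hits.extend(perm["index_patterns"])
    return hits

def mapping_applies(mapping, user, backend_roles):
    """A role mapping matches by user name or by a backend role the request actually carried."""
    return user in mapping["users"] or bool(set(backend_roles) & set(mapping["backend_roles"]))
```

Run against the quoted line, the role already grants indices:data/read/search on the sip-pbx-* indices through the read action group, so swapping read for the raw action name does not widen it; what the log does show is an empty backend_roles list, which means only the users entry of the mapping can match and a Dashboards index outside the listed patterns gets nothing.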