Hi,
I have a simple use case where I would like to give users access to specific indices (related index templates of the Global tenant as well) only to look at the data in OpenSearch Dashboards. I followed the instructions here: Users and roles - OpenSearch documentation
However, roles opensearch_dashboards_read_only and opensearch_dashboards_user do not exist and when I checked the current and even historical changes to the roles.yml on GitHub (https://github.com/opensearch-project/security/blob/main/config/roles.yml) I couldn’t find anything related to these roles either.
I tried a lot of different things that didn’t work but right now, this is where I am. After some testing, I see this configuration allows me to access the indices I should have access to with the Private tenant but I cannot access anything of the Global tenant where the dashboard and visualizations are created, which is my problem. This is how the planning user is set up:
{
  "planning" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "planning"
    ],
    "attributes" : { },
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}
This is how the planning role is set up:
{
  "planning" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops_ro"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "sip-pbx-usage-*",
          "sip-pbx-licenses-*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read"
        ]
      }
    ],
    "static" : false
  }
}
The role mapping configuration:
{
  "planning" : {
    "hosts" : [ ],
    "users" : [
      "planning"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "planning"
    ],
    "and_backend_roles" : [ ]
  }
}
And the issue is that when using the Global tenant, going to Discover, Dashboard or Visualize will show this empty page:
There is also this error message shown in the logs when I move between Discover, Dashboard and Visualize sections of OpenSearch Dashboards:
{"type":"log","@timestamp":"2022-07-21T13:00:38Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=planning, backend_roles=[], requestedTenant=]"}
I don’t understand what this log really means because even if I add the permission at the cluster level to the planning role, it changes absolutely nothing: I still get the very same error message.
How could I resolve the current issue I have? Any help would be greatly appreciated!
Thank you very much!
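
One way to pick the quoted security_exception apart and compare it with the role and role mapping shown in the post. This is an added example, not part of the original post and not OpenSearch project code. The expansion of the read action group is an assumption about the plugin's built-in groups, and the function names are hypothetical.

```python
import fnmatch
import json
import re

# Log line as quoted in the post.
LOG_LINE = '{"type":"log","@timestamp":"2022-07-21T13:00:38Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=planning, backend_roles=[], requestedTenant=]"}'
# Role and role mapping values copied from the post.
ROLE = {"index_patterns": ["sip-pbx-usage-*", "sip-pbx-licenses-*"],
        "allowed_actions": ["read"]}
MAPPING = {"users": ["planning"], "backend_roles": ["planning"]}
# Assumption: expansion of the built-in "read" action group.
ACTION_GROUPS = {"read": ["indices:data/read*",
                          "indices:admin/mappings/fields/get*",
                          "indices:admin/resolve/index"]}

DENIAL = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,]+), "
    r"backend_roles=\[(?P<roles>[^\]]*)\], requestedTenant=(?P<tenant>[^\]]*)\]")

def parse_denial(line):
    """Extract action, user, backend roles and tenant from a Dashboards log line."""
    m = DENIAL.search(json.loads(line)["message"])
    if m is None:
        return None
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    return {"action": m["action"], "user": m["user"],
            "backend_roles": roles, "tenant": m["tenant"] or None}

def mapping_match(denial, mapping):
    """List the mapping criteria ('user', 'backend_role') this request satisfies."""
    via = []
    if denial["user"] in mapping["users"]:
        via.append("user")
    if set(denial["backend_roles"]) & set(mapping["backend_roles"]):
        via.append("backend_role")
    return via

def action_granted(action, role, groups):
    """True if the action matches the role's allowed actions after group expansion."""
    patterns = [p for a in role["allowed_actions"] for p in groups.get(a, [a])]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def index_covered(index, role):
    """True if the index name matches one of the role's index patterns."""
    return any(fnmatch.fnmatchcase(index, p) for p in role["index_patterns"])

if __name__ == "__main__":
    d = parse_denial(LOG_LINE)
    print(d, mapping_match(d, MAPPING), action_granted(d["action"], ROLE, ACTION_GROUPS))
```

The quoted log line names no index, so index_covered has to be run against the index names the denied request actually touched.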