Mapping new user to kibana_server

Hi,

I’m trying to map a new user to the built-in kibana_server role (instead of using the kibanaserver user). But the permissions don’t seem to be mapping. Is this not allowed? Can you please help check if I’m missing something?

internal_users.yml

dashboardserver:
  reserved: true
  hash: "xxx"
  description: "Login for Opensearch-Dashboards"

roles_mapping.yml

kibana_server:
  reserved: true
  users:
  - "dashboardserver"

Error in opensearch.log

[2021-08-04T03:42:39,669][INFO ][audit ] [my.internal.url] {"audit_cluster_name":"my-internal-url","audit_node_name":"my.internal.url","audit_trace_task_id":"yQO73t8nR6eCkXMXteibbA:267357","audit_transport_request_type":"GetIndexRequest","audit_category":"MISSING_PRIVILEGES","audit_request_origin":"REST","audit_node_id":"yQO73t8nR6eCkXMXteibbA","audit_request_layer":"TRANSPORT","@timestamp":"2021-08-04T10:42:39.668+00:00","audit_format_version":4,"audit_request_remote_address":"1.2.3.4","audit_request_privilege":"indices:admin/get","audit_node_host_address":"1.2.3.4","audit_request_effective_user":"dashboardserver","audit_trace_indices":[".kibana"],"audit_trace_resolved_indices":[".kibana_1"],"audit_node_host_name":"1.2.3.4"}

Appreciate your help.

Hello,

Can you please double-check if dashboardserver is indeed mapped to the kibana_server role?

GET _opendistro/_security/api/rolesmapping/kibana_server

@spapadop
Here’s the output. I think it looks ok?

{"kibana_server":{"hosts":[],"users":["dashboardserver"],"reserved":true,"hidden":false,"backend_roles":[],"and_backend_roles":[]}}

I’m using OpenSearch and Dashboards 1.0.0, btw, with the corresponding plugins in security.

@spapadop just kindly following up, would you have some idea on what might be wrong or missing?

Apologies, I can’t think of anything else. Maybe you still need to give permissions to all tenants for user dashboardserver.
@pablo or @Anthony may have some better ideas.

For anyone looking at this ticket, ensure the username that is set up in elasticsearch.yml file under: elasticsearch.username: username matches the entry in config.yml under:

kibana:
    # Kibana multitenancy
      multitenancy_enabled: true
      server_username: username
      index: '.kibana'

Just to make this even more clear, it took me a while and various forum threads including this one and also this one to figure out what’s going on.

This is only needed if you want to change the OpenSearch Dashboards username from kibanaserver to something else.

Assuming you’ve set up authentication (method doesn’t matter, can be basic auth or client cert) correctly, and the user itself works, there are two things that need to be done:

  1. Assign proper permissions
  2. Change the Dashboards username in OpenSearch (!) settings

For 1, it is usually sufficient to use the built-in kibana_server role. In my case, a role_mapping such as the following is sufficient:

kibana_server:
      reserved: true
      users:
        - 'CN=xyz,OU=xxx,O=xxx'

The second one, and that’s probably what most people forget, and what @Anthony mentioned above - you need to change the single username that is used for Kibana / OpenSearch Dashboards in opensearch-security config.yml:

config:
  dynamic:
    kibana:
      server_username: 'CN=xyz,OU=xxx,O=xxx'
    authc:
      # ... your settings
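The two steps from the last post can be checked together. The following is an added example, not code from the thread or from the OpenSearch project: it takes the role mapping and the security config as already-parsed dictionaries, reads a MISSING_PRIVILEGES audit line like the one in the first post, and reports which of the two steps is out of line. The function names, the constructed sample inputs and the assumption that an unset server_username falls back to kibanaserver are all introduced here.

```python
import json

DEFAULT_SERVER_USERNAME = "kibanaserver"  # assumed fallback when config.yml sets none

def check_dashboards_user(dashboards_user, security_config, roles_mapping):
    """Return the problems that stop dashboards_user from working as the
    Dashboards server user; an empty list means both steps line up."""
    problems = []
    # Step 1: the user must be listed under the built-in kibana_server role.
    mapped = roles_mapping.get("kibana_server", {}).get("users", [])
    if dashboards_user not in mapped:
        problems.append("not mapped to kibana_server")
    # Step 2: config.dynamic.kibana.server_username must be the same string.
    kibana = security_config.get("config", {}).get("dynamic", {}).get("kibana", {})
    server_username = kibana.get("server_username", DEFAULT_SERVER_USERNAME)
    if server_username != dashboards_user:
        problems.append(f"server_username is {server_username!r}")
    return problems

def denied_request(audit_line):
    """Return (user, privilege, indices) for a MISSING_PRIVILEGES audit line, else None."""
    start = audit_line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(audit_line[start:])
    except json.JSONDecodeError:
        return None
    if event.get("audit_category") != "MISSING_PRIVILEGES":
        return None
    return (event.get("audit_request_effective_user"),
            event.get("audit_request_privilege"),
            event.get("audit_trace_indices", []))

# Constructed inputs, shaped like the material posted in the thread.
ROLES_MAPPING = json.loads('{"kibana_server":{"hosts":[],"users":["dashboardserver"],"reserved":true}}')
CONFIG_DEFAULT = {"config": {"dynamic": {"kibana": {"multitenancy_enabled": True, "index": ".kibana"}}}}
CONFIG_FIXED = {"config": {"dynamic": {"kibana": {"server_username": "dashboardserver"}}}}
AUDIT_LINE = ('[2021-08-04T03:42:39,669][INFO ][audit ] [node] {"audit_category":"MISSING_PRIVILEGES",'
              '"audit_request_privilege":"indices:admin/get","audit_request_effective_user":"dashboardserver",'
              '"audit_trace_indices":[".kibana"]}')

if __name__ == "__main__":
    print(denied_request(AUDIT_LINE))
    print(check_dashboards_user("dashboardserver", CONFIG_DEFAULT, ROLES_MAPPING))
    print(check_dashboards_user("dashboardserver", CONFIG_FIXED, ROLES_MAPPING))
```

The comparison is an exact string match, so a certificate DN used as the username has to be written identically in both places.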