Minimum rights for the user used to connect Kibana with OpenSearch/OpenDistro ES

Hello,

I am trying to have a user in my opendistro kibana 1.13.2 , with minimal rights to be able and connect to Amazon Opensearch 7.10.2. I assigned the user the kibana_user role but im getting… note that I made copy of the kibana_user role and assigned it [indices:admin/get] for all “*” indices and still get the same error

{"type":"log","@timestamp":"2021-09-29T15:18:58Z","tags":["error","elasticsearch","data"],"pid":20,"message":"[security_exception]: no permissions for [indices:admin/get] and User [name=kibana-user, backend_roles=[], requestedTenant=null]"}

{
  "kibana_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops",
      "cluster_monitor",
      "indices_monitor",
      "indices:admin/get"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          ".kibana",
          ".kibana-6",
          ".kibana_*",
          ".kibana*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "delete",
          "manage",
          "index"
        ]
      },
      {
        "index_patterns" : [
          ".tasks",
          ".management-beats"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      },
      {
        "index_patterns" : [
          "wazuh*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "index",
          "manage"
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "get",
          "manage",
          "indices_all"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

@antonisnyc
I am not able to reproduce your case.
Can you please select “View Roles and Identities” and confirm that the user is mapped correctly to this role, it should appear under Roles section.

Can you also confirm when exactly you seeing this error? What are you trying to view/edit, which index?

Hey @Anthony ,

The kibana is a brand new instance and the user never connected with ES before. The user is mapped to the role as seen below:

GET _opendistro/_security/api/rolesmapping/kibana_role

{
  "kibana_role" : {
    "hosts" : [ ],
    "users" : [
      "kibana-user"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}

I am seeing this error under the kibana’s container logs. It’s the same error every 2 seconds…
{"type":"log","@timestamp":"2021-09-29T15:18:58Z","tags":["error","elasticsearch","data"],"pid":20,"message":"[security_exception]: no permissions for [indices:admin/get] and User [name=kibana-user, backend_roles=[], requestedTenant=null]"}

This is the kibana.yaml in case it helps.

            server.host: '0.0.0.0'

            elasticsearch.hosts: ['https://${ELASTICSEARCH_HOST}:443']
            kibana.index: ".kibana"

            elasticsearch.ssl.verificationMode: full # if not using HTTPS

            opendistro_security.auth.type: basicauth
            opendistro_security.auth.anonymous_auth_enabled: false
            opendistro_security.cookie.secure: false # set to true when using HTTPS
            opendistro_security.cookie.ttl: 3600000
            opendistro_security.session.ttl: 3600000
            opendistro_security.session.keepalive: false
            opendistro_security.readonly_mode.roles: ['kibana_read_only']
            opendistro_security.auth.unauthenticated_routes: []
            opendistro_security.basicauth.login.title: 'Please log in using your user name and password'
            opendistro_security.multitenancy.enabled: true
            opendistro_security.multitenancy.tenants.enable_global: true
            opendistro_security.multitenancy.tenants.enable_private: true
            opendistro_security.multitenancy.tenants.preferred: ["Global", "Private"]
            opendistro_security.multitenancy.enable_filter: false


            elasticsearch.username: '${kibana_user}'
            elasticsearch.password: '${kibana_pass}'
            elasticsearch.requestHeadersWhitelist: [ authorization, securitytenant, security_tenant, ]

@antonisnyc
The line below should refer to kibanaserver user, not kibana-user.

Kibana_server role is design for kibana to connect to elasticsearch/opensearch, kibana_user is for giving users access to use kibana.

Apart from the logs, are you seeing any errors in UI?

@Anthony
Hmm I was looking for a role to be able and connect the kibana instance to Opensearch… Would you have anything in mind? I cant connect to the UI, it just says “Kibana is loading”

Regards,
Tony

@antonisnyc there should already be a default kibana_server role that you can map the login to. By default any user with backend_role “kibanaserver” is mapped to it.

The role itself consists of the below:

kibana_server_copy:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_monitor"
  - "cluster_composite_ops"
  - "indices:admin/template*"
  - "indices:data/read/scroll*"
  index_permissions:
  - index_patterns:
    - ".kibana"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".kibana-6"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".kibana_*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".tasks"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".management-beats*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - "*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:admin/aliases*"
  tenant_permissions: []
  static: false

You would need a separate username and password for this access, and map it to this role.

Hope this helps

@Anthony

Thank you so much for your response!! Unfortunately, I still have the same error as before. Here you can see the role changes.

{
  "kibana_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_monitor",
      "cluster_composite_ops_ro",
      "indices:admin/template/get",
      "indices:admin/template/put",
      "indices:admin/template/delete",
      "indices:data/read/scroll",
      "indices:admin/get"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          ".kibana",
          ".kibana-6",
          ".kibana_*",
          ".kibana*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      },
      {
        "index_patterns" : [
          ".tasks",
          ".management-beats"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      },
      {
        "index_patterns" : [
          "wazuh*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "index",
          "manage"
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices:admin/aliases",
          "indices:admin/get"
        ]
      }
    ],
    "tenant_permissions" : [ ],
    "static" : false
  }
}

Also as you can see the kibanaserver role isn’t present… Note: the kibana with the screenshot is the one which comes with Amazon Opensearch

image1617×702 62.5 KB

@antonisnyc
It seems the tenant permissions are hardcoded somewhere in the code.

The role that you should use for kibana is:

kibana_server_new:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_monitor"
  - "cluster_composite_ops"
  - "indices:admin/template*"
  - "indices:data/read/scroll*"
  index_permissions:
  - index_patterns:
    - ".kibana"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".kibana-6"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".kibana_*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".tasks"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - ".management-beats*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - "*"
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:admin/aliases*"
  tenant_permissions: 
    - tenant_patterns:
      - '*'
      allowed_actions:
        - 'kibana_all_read'
  static: false

Can you try this and confirm he result?

Thank you so much @Anthony that solved the problem!