Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Version : 2.7.0
Describe the issue:
I have an error indicating that the user “client1” does not have the necessary permissions to perform the “indices:data/read/search” action in OpenSearch. The user is associated with the “client1_role” backend role.
Configuration:
Here’s my opensearch.yml file:
plugins.security.disabled: "false"
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.http.enabled: false
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - 'CN=A,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.nodes_dn:
  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access", "client1_role"]
And here’s my opensearch_dashboards.yml file:
opensearch.hosts: ["http://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "admin"
opensearch.password: "admin"
#opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]
server.ssl.enabled: false
#server.ssl.certificate: "path/to///client.pem"
#server.ssl.key: "path/to/client-key.pem"
#opensearch.ssl.certificateAuthorities: ["path/to/root-ca.pem"]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false
Relevant Logs or Screenshots:
log [13:22:01.337] [error][plugins][securityDashboards] StatusCodeError: Authorization Exception
at respond (C:\Users\w133790\dashboard\opensearch-dashboards-2.7.0\node_modules\elasticsearch\src\lib\transport.js:349:15)
at checkRespForFailure (C:\Users\w133790\dashboard\opensearch-dashboards-2.7.0\node_modules\elasticsearch\src\lib\transport.js:306:7)
at HttpConnector. (C:\Users\w133790\dashboard\opensearch-dashboards-2.7.0\node_modules\elasticsearch\src\lib\connectors\http.js:173:7)
at IncomingMessage.wrapper (C:\Users\w133790\dashboard\opensearch-dashboards-2.7.0\node_modules\lodash\lodash.js:4991:19)
at IncomingMessage.emit (events.js:412:35)
at IncomingMessage.emit (domain.js:475:12)
at endReadableNT (internal/streams/readable.js:1333:12)
at processTicksAndRejections (internal/process/task_queues.js:82:21) {
status: 403,
displayName: 'AuthorizationException',
path: '/_plugins/_security/tenantinfo',
query: {},
body: undefined,
statusCode: 403,
response: '',
toString: [Function (anonymous)],
toJSON: [Function (anonymous)]
}
log [13:22:01.344] [warning][environment] Detected an unhandled Promise rejection.
Authorization Exception :: {"path":"/_plugins/_security/tenantinfo","query":{},"statusCode":403,"response":""}
log [13:22:01.346] [info][server][OpenSearchDashboards][http] http server running at http://localhost:5601
…(then when I log in with the client user I get this)
log [13:22:35.489] [error][data][opensearch] [security_exception]: no permissions for [indices:data/read/search] and User [name=client1, backend_roles=[client1_role], requestedTenant=null]
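
The denial in the last log line can be checked offline against the security configuration. The sketch below is an added example, not part of the original post: it parses that line and reports which security roles, if any, the user resolves to through a role mapping and which of them grant the action on a given index. The role name `client1_reader`, the index names and both mappings are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Denial line copied from the Dashboards log in the post.
LOG_LINE = ("[security_exception]: no permissions for [indices:data/read/search] and "
            "User [name=client1, backend_roles=[client1_role], requestedTenant=null]")
DENIAL_RE = re.compile(r"no permissions for \[(?P<actions>[^\]]+)\] and User "
                       r"\[name=(?P<user>[^,\]]+), backend_roles=\[(?P<backend>[^\]]*)\]")

# Constructed stand-ins for roles.yml / roles_mapping.yml; none of this is from the post.
ROLES = {"client1_reader": {"index_permissions": [
    {"index_patterns": ["client1-*"], "allowed_actions": ["indices:data/read/*"]}]}}
MAPPING_MISSING = {}  # backend role exists but is mapped to no security role
MAPPING_PRESENT = {"client1_reader": {"backend_roles": ["client1_role"]}}

def _csv(text):
    return [part.strip() for part in text.split(",") if part.strip()]

def parse_denial(line):
    """Return (denied actions, user name, backend roles) from a denial line."""
    m = DENIAL_RE.search(line)
    if m is None:
        raise ValueError("not a 'no permissions for' denial line")
    return _csv(m["actions"]), m["user"].strip(), _csv(m["backend"])

def resolve_roles(user, backend_roles, roles_mapping):
    """Security roles whose mapping names the user or one of its backend roles."""
    return sorted(role for role, entry in roles_mapping.items()
                  if user in entry.get("users", [])
                  or set(backend_roles) & set(entry.get("backend_roles", [])))

def granting_roles(action, index, mapped, roles):
    """Mapped roles with one index_permissions entry covering index and action.
    Simplification: glob matching only; action groups are not expanded."""
    return [name for name in mapped
            if any(any(fnmatchcase(index, p) for p in perm.get("index_patterns", []))
                   and any(fnmatchcase(action, a) for a in perm.get("allowed_actions", []))
                   for perm in roles.get(name, {}).get("index_permissions", []))]

def explain(line, index, roles, roles_mapping):
    """Map each denied action to the roles that would have allowed it on index."""
    actions, user, backend = parse_denial(line)
    mapped = resolve_roles(user, backend, roles_mapping)
    return {action: granting_roles(action, index, mapped, roles) for action in actions}

if __name__ == "__main__":
    print(explain(LOG_LINE, "client1-logs", ROLES, MAPPING_MISSING))
    print(explain(LOG_LINE, "client1-logs", ROLES, MAPPING_PRESENT))
```

An empty list for an action means no mapped role covers it on that index, which is the condition under which the security plugin returns the `no permissions` error.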