While deploying my OpenSearch cluster, I added a custom internal user for monitoring purposes, with a custom role, by putting the user spec in the internal_users.yml file. But the user is not being created. Below are the details.
Hello @pablo, thanks for your quick response. I am deploying through Helm, so I am not manually updating those files and reloading with securityadmin.sh. But there are no suspicious error messages in the logs. OpenSearch version: 1.3.0
# Allows prometheus users to get the metrics
prometheus:
  reserved: false
  cluster_permissions:
    - "cluster:monitor/health"
    - "cluster:monitor/nodes/stats"
    - "cluster:monitor/state"
    - "cluster:monitor/nodes/info"
    - "cluster:monitor/prometheus/metrics"
[opensearch@observability-opensearch-master-0 ~]$ curl -k https://0:9200/_prometheus/metrics -u prometheus:password-a
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=prometheus, backend_roles=[prometheus], requestedTenant=null]"}],"type":"exception","reason":"Indices stats request failed","caused_by":{"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=prometheus, backend_roles=[prometheus], requestedTenant=null]"}},"status":500}
Do I need to create a permissions group and attach it to the role? Any suggestions, please?
@kksaha Permissions group would only group your existing permissions but wouldn’t change the behaviour. Adding indices:monitor/stats is the solution as that is what OpenSearch was requesting in the logs.
When there are missing permissions, OpenSearch should always report it in its logs.
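An added example, not part of the original posts: a small Python helper that reads a `security_exception` response like the one in the thread and lists which action each denied user is missing, so the role can be extended with exactly that permission and nothing broader. The function names and the prefix-based `role_section` heuristic are assumptions made for this illustration.

```python
import json
import re

# Response body returned to the prometheus user in the thread above.
SAMPLE = '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=prometheus, backend_roles=[prometheus], requestedTenant=null]"}],"type":"exception","reason":"Indices stats request failed","caused_by":{"type":"security_exception","reason":"no permissions for [indices:monitor/stats] and User [name=prometheus, backend_roles=[prometheus], requestedTenant=null]"}},"status":500}'

# Matches the denial message format shown in the thread's response.
DENIED = re.compile(
    r"no permissions for \[(?P<actions>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)"
)


def reasons(node):
    """Yield every "reason" string found anywhere in the nested error object."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "reason" and isinstance(value, str):
                yield value
            else:
                yield from reasons(value)
    elif isinstance(node, list):
        for item in node:
            yield from reasons(item)


def missing_permissions(body):
    """Map each denied user to the sorted, de-duplicated actions that were refused."""
    denied = {}
    for reason in reasons(json.loads(body).get("error", {})):
        match = DENIED.search(reason)
        if match:
            actions = denied.setdefault(match["user"], set())
            actions.update(a.strip() for a in match["actions"].split(","))
    return {user: sorted(actions) for user, actions in denied.items()}


def role_section(action):
    """Heuristic (assumption): 'cluster:' actions go under cluster_permissions,
    everything else under index_permissions. Some 'indices:' actions such as
    bulk or mget are evaluated at cluster level, so confirm against the docs."""
    return "cluster_permissions" if action.startswith("cluster:") else "index_permissions"


if __name__ == "__main__":
    for user, actions in missing_permissions(SAMPLE).items():
        for action in actions:
            print(f"{user}: add {action} under {role_section(action)}")
```
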