On applying DLS in role configuration, not able to see index pattern and dashboard details

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Open Search and Dashboard 2.15

Describe the issue:

When I am adding document level security in the role for the logged-in user, I am not able to see the index pattern, and thus the dashboard, for the non-admin user. Please find the error and role configuration below.
Error:
log [12:58:14.758] [error][data][opensearch] [security_exception]: no permissions for [indices:data/write/index, indices:data/write/bulk[s]] and User [name=supplier-user-ro, backend_roles=[epcis_Index_ro], requestedTenant=]

Role configuration

{
  "cluster_permissions": [
    "indices:data/write/bulk",
    "cluster_composite_ops_ro",
    "cluster:admin/opendistro/ism/policy/search",
    "cluster:monitor/state",
    "cluster:monitor/health",
    "cluster_composite_ops"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "epcis*",
        ".kibana*"
      ],
      "allowed_actions": [
        "read",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "monitor",
        "indices:admin/data_stream/get",
        "indices:monitor/recovery",
        "indices:data/read/get",
        "indices:data/read/search",
        "indices:data/write/index",
        "indices:data/write/bulk"
      ],
      "dls": "{\"term\": {\"billto_gln\": \"0847976000045\"}}"
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["global_tenant"],
      "allowed_actions": ["kibana_all_write", "kibana_all_read"]
    }
  ]
}

Can somebody guide me on what is wrong or how to resolve this issue? The basic intention is that the logged-in user should see the document details corresponding to the DLS applied in the dashboard.

Hi @jinoinfo,

Would you mind running the below and sharing the output:

GET _plugins/_security/api/roles/epcis_Index_ro

Best,
mj

@jinoinfo Your DLS query is applied to both .kibana* and epcis* patterns.

Try the below instead.

test_role1:
  reserved: false
  hidden: false
  cluster_permissions:
  - "indices:data/write/bulk"
  - "cluster_composite_ops_ro"
  - "cluster:admin/opendistro/ism/policy/search"
  - "cluster:monitor/state"
  - "cluster:monitor/health"
  - "cluster_composite_ops"
  index_permissions:
  - index_patterns:
    - "epcis*"
    dls: "{\"term\": {\"billto_gln\": \"0847976000045\"}}"
    fls: []
    masked_fields: []
    allowed_actions:
    - "read"
    - "indices:monitor/settings/get"
    - "indices:monitor/stats"
    - "monitor"
    - "indices:admin/data_stream/get"
    - "indices:monitor/recovery"
    - "indices:data/read/get"
    - "indices:data/read/search"
    - "indices:data/write/index"
    - "indices:data/write/bulk"
  - index_patterns:
    - ".kibana*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "read"
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_write"
  static: false

@Mantas: Please find the response to the above command:

{
  "epcis_Index_ro": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster:monitor/state",
      "cluster:monitor/health",
      "cluster:admin/opendistro/ism/policy/search"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "epcis_index*",
          ".kibana*"
        ],
        "dls": "{\"term\": {\"billto_gln\": \"0847976000045\"}}",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/read/get",
          "indices:data/read/search",
          "indices:data/write/index",
          "indices:data/write/bulk",
          "indices:monitor/settings/get",
          "indices:monitor/stats",
          "indices:monitor/recovery",
          "indices:admin/mapping/put",
          "indices:admin/mappings/get",
          "indices:admin/aliases/get",
          "indices:admin/aliases/exists"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "global_tenant"
        ],
        "allowed_actions": [
          "kibana_all_write",
          "kibana_all_read"
        ]
      }
    ],
    "static": false
  }
}

If I don't configure DLS (as you mentioned above), it works fine for me. All the issues appear when I add DLS to the role. I am trying to add document-level filtering by adding DLS, which gives security-related errors even though the mentioned permissions are already configured.

Hi @jinoinfo,

As per @pablo's comment, you should separate the index pattern to which you are applying DLS from the .kibana index pattern, i.e.:

epcis_Index_ro:
  cluster_permissions:
  - <list of permissions>
  - <list of permissions>
  index_permissions:
  - index_patterns:
    - "epcis*"
    dls: "<DLS condition>"
    allowed_actions:
    - <list of permissions>
    - <list of permissions>
    - <list of permissions>
  - index_patterns:
    - ".kibana*"
    allowed_actions:
    - <list of permissions>
    - <list of permissions>
    - <list of permissions>
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_write"
    - "kibana_all_read"

best,
mj
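As an added example (not from this thread or from the OpenSearch project), a small Python linter that applies the advice from @pablo and @Mantas above: it flags index_permissions entries whose DLS query also covers the Dashboards saved-object index and splits those patterns into a DLS-free entry, refusing to split a pattern like `*` that covers data indices too. The index names `.kibana_1` and `epcis_index` are constructed samples used only to classify patterns.

```python
import copy
import fnmatch
import json

# Constructed sample index names used to classify role patterns.
SAVED_OBJECT_INDEX = ".kibana_1"   # a Dashboards saved-object index
DATA_INDEX = "epcis_index"         # a data index like the one in the thread

def dls_problems(role: dict) -> list:
    """Findings for index_permissions entries whose DLS also hits .kibana*."""
    findings = []
    for i, perm in enumerate(role.get("index_permissions", [])):
        dls = (perm.get("dls") or "").strip()
        if not dls:
            continue
        try:
            json.loads(dls)  # the API stores the DLS query as a JSON string
        except ValueError:
            findings.append(f"index_permissions[{i}]: dls is not valid JSON")
        for pat in perm.get("index_patterns", []):
            if fnmatch.fnmatch(SAVED_OBJECT_INDEX, pat):
                findings.append(f"index_permissions[{i}]: DLS also applies to "
                                f"'{pat}'; saved objects lack the DLS field")
    return findings

def split_saved_object_permission(role: dict) -> dict:
    """Move .kibana* patterns out of DLS entries into their own DLS-free entry."""
    fixed = copy.deepcopy(role)
    moved = []
    for perm in fixed.get("index_permissions", []):
        if not (perm.get("dls") or "").strip():
            continue
        for pat in list(perm["index_patterns"]):
            if fnmatch.fnmatch(SAVED_OBJECT_INDEX, pat):
                if fnmatch.fnmatch(DATA_INDEX, pat):  # e.g. "*": cannot split
                    raise ValueError(f"narrow pattern '{pat}' by hand")
                perm["index_patterns"].remove(pat)
                moved.append(pat)
    if moved:  # "read" as in the suggested fix; widen if users must save objects
        fixed["index_permissions"].append(
            {"index_patterns": moved, "allowed_actions": ["read"]})
    return fixed

# Constructed sample modelled on the role posted at the top of the thread.
ROLE = {"index_permissions": [{
    "index_patterns": ["epcis*", ".kibana*"],
    "allowed_actions": ["read", "indices:data/write/bulk"],
    "dls": "{\"term\": {\"billto_gln\": \"0847976000045\"}}"}]}
```

Run `dls_problems(ROLE)` to see the finding and `split_saved_object_permission(ROLE)` to get the corrected role body ready for the roles API.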

Thanks @Mantas / @pablo; my issues are almost resolved with the above suggestions.
Now the non-admin user is able to see the dashboard with DLS applied to it. I greatly appreciate your help.
The only outstanding issue is that in the logs I am seeing the errors below, even though I configured those permissions for both indices and also at the cluster level. It is not impacting my dashboard behavior though.

  log   [13:29:15.146] [error][data][opensearch] [security_exception]: no permissions for [indices:admin/mappings/get] and User [name=supplier-user-ro, backend_roles=[epcis_index_ro], requestedTenant=]
  log   [13:29:15.149] [error][data][opensearch] [security_exception]: no permissions for [indices:admin/aliases/get] and User [name=supplier-user-ro, backend_roles=[epcis_index_ro], requestedTenant=]

Latest role mapping is below.

{
  "cluster_permissions": [
    "cluster:monitor/state",
    "cluster:monitor/health",
    "cluster:admin/opendistro/ism/policy/search",
    "cluster_composite_ops_ro",
    "cluster:admin/opensearch/ql/datasources/read",
    "cluster:admin/opensearch/observability/get",
    "indices:admin/template/get",
    "indices:admin/mappings/get",
    "indices:admin/aliases/get"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "epcis*"
      ],
      "dls": "{\"term\": {\"billto_gln\": \"0847976000045\"}}",
      "allowed_actions": [
        "indices:data/read/get",
        "indices:data/read/search",
        "indices:data/write/index",
        "indices:data/write/bulk",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "indices:monitor/recovery",
        "indices:admin/mapping/put",
        "indices:admin/mappings/get",
        "indices:admin/aliases/get",
        "indices:admin/aliases/exists",
        "indices:admin/template/get"
      ]
    },
    {
      "index_patterns": [
        ".kibana*"
      ],
      "allowed_actions": [
        "indices:data/read/get",
        "indices:data/read/search",
        "indices:data/write/index",
        "indices:data/write/bulk",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "indices:monitor/recovery",
        "indices:admin/mapping/put",
        "indices:admin/mappings/get",
        "indices:admin/aliases/get",
        "indices:admin/aliases/exists",
        "indices:admin/template/get",
        "indices:data/read/mget[shard]"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_write",
        "kibana_all_read"
      ]
    }
  ]
}

@jinoinfo What action do you perform in the Opensearch Dashboards UI when you get this error?

@pablo: It looks like a cache issue was probably causing this. I am not seeing those errors right now. Everything looks good.
Thanks a lot for your help and follow-up.
