Opensearch Security - Read only Role


I am trying to setup Opensearch to study feasibility of implementing read only access to couple of dashboards. I followed the steps as given here but I get “Application Not found” error.

Even some of the forum topics discuss that but the file they refer in github does not exist.

Here is the snippet of what i tried.

  1. logged with admin/admin
  2. created a sample dashboard with Ecommerce Revenue dashboard
  3. created read only role “osreader” with below parameters/mapping
    cluster-permissions : all read permissions(indices:read, get, search* etc*) including cluster_composite_ops_ro
    index permissions : opensearch* (which is the default index for the ecommerce dashboard and available in index patterns page)
  4. No Tenant selected
    5 .mapped role to “osviewer” user for which i have selected osreader as backend role. and added osviewer user to other read only roles(kibana_user, kibana_read_only, readall)
  5. I login with “osviewer” user
  6. login successful, gets only dashboard in the menu
  7. when I click dashboard, I get “Application Not Found” error.
  8. when I view the roles and Identities for the user from the UI, it lists below

Backend roles(1)

Still i get Application Not found error, what is the process to get this corrected? what all other permissions/roles am I missing here?

Is it possible for readonly user to view a dashboard created by admin? Even if it displays, is there a option to NOT to have “Edit” button for the dashboard?

Using the latest Opensearch version


Moving this to the security category.

Do you have multitenancy enabled?
If so, in order to achieve what you are looking for, you would need to make sure that:

  1. dashboards are saved by admin in global tenant
  2. osreader role includes tenant read permission for global tenant.
  3. unmap the kibana_user from osviewer. osreader role is now enough.

The edit button will still appear (this is a limitation), but the user will not be able to save any changes.

N.B. If you see “Application Not Found” error, please post the url bar here.

@Anthony ,
My responses below

  1. Have not enabled multi tenancy after installation. I can see the current tenant selected is global in Security → Tenants. When i clicke View Dashboard in global tenant I can see the sample dashboard
    I can see another tenant admin_tenant listed but not sure if it is created by default
  2. Is there a tenant read permission that I have to enable>
  3. ok sure

I get below in the URL when hitting dashboard using osviewer login
banner message = To visualize and explore data, you must create index pattern to retrieve data
osviewer is listed as private user when I click “roles and Identities”, should be be global user? if yes, how?

Interestingly, when I share the dashboard as snapshot / permalink , they can login with osviewer credential and view the dashboard and playaround.

They were not able to save the changes if they do EDIT, which is fine.
but when they log out and log back in with osviewer and click dashboard → they get Application not found error again.

@guhan if you see multiple tenants it would indicate you have multitenancy enabled, can you share your config.yml and kibana.yml, can you also confirm which odfe/opensearch version you are using.

Hi Antony,

Will check and let you know. Is there a command that I can run to check the version? I pulled it from our org repository.

@guhan you can “cat” in /usr/share/elasticsearch/plugins/opendistro_security, assuming you are running opendistro.

@Anthony ,
Sorry for the late reply as I got into some issues. I could not find /usr/share/opensearch or /usr/share/elasticsearch, but I see in the opensearch log with this path, is the folder hidden?

@guhan How are you running openSearch, is it via docker-compose, Kubernetes or an tar.gz? If you are using docker/k8s the path should be as mentioned above, however if you are running tar.gz, then naturally the path will be based on your current working directory.

@Anthony ,
I followed the same steps as given in the Opensearch installation page, and ran it via docker-compose up command
when I ran this command, I copy pasteed the log and there I can see this path for open search node, eg: [opensearch-node2] JVM home [/usr/share/opensearch/jdk],

@guhan You will need to connect to the container and view the file in the path I supplied.

docker exec -it opensearch-node2 bash
cat /usr/share/elasticsearch/plugins/opendistro_security/

@Anthony ,
Ah thanks, I am newbie to all these stuff, thanks for the command

@Anthony ,
I ran the command but I get file or directory not found, when I run ls I get below folders/files inside the docker

Sorry the path for opensearch is:


But I dont see the /usr path at all, here is the snapshot of ls inside docker

ok I got the info inside plugins folder

@Anthony ,
I was also going through setting up ldap/ad auth from page and it says we have to modify config.yml file for authx and authz.

Even if we modify it, will saving inside docker reflect the change? If we run docker-compose up command again, will it be reverted back to original state?

The files need to be modified and mapped via volumes in docker-compose.yml, see example below:

        soft: -1
        hard: -1
        soft: 65536
        hard: 65536
      - opensearch-data2:/usr/share/opensearch/data
      - ./node1-key.pem:/usr/share/opensearch/config/node-key.pem
      - ./node1.pem:/usr/share/opensearch/config/node.pem
      - ./admin-key.pem:/usr/share/opensearch/config/admin-key.pem
      - ./admin.pem:/usr/share/opensearch/config/admin.pem
      - ./root-ca.pem:/usr/share/opensearch/config/root-ca.pem
      - ./internal_users.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
      - ./roles_mapping.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
      - ./tenants.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
      - ./roles.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
      - ./config.yml:/usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
      - ./opensearch.yml:/usr/share/opensearch/config/opensearch.yml

PM me for further details and examples of complete files.

Sure, thanks,
Is the version info correct? What is the id to send PM? is all the files mentioned here are required to be mounted?

I sent you another PM