Permission for creating OBO Token

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 3.0
Server OS - Linux
running on k3s cluster
2 nodes (1 Master, 1 warm)
Cluster is green and works fine
Dashboard is healthy too

Describe the issue:
I am trying to set the right permission for creating OBO tokens by users. I am not sure what to use. From the image below I can see this action, security:obo/create, but I am not sure what the permission will look like.

Configuration:

Relevant Logs or Screenshots:

@nelson You need to add the missing permission security:obo/create to the role’s cluster permissions.

The role example below has the minimal permissions to create an OBO token.

pablo:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:admin/opensearch/ql/datasources/read"
  - "indices:admin/template/get"
  - "security:obo/create"
  index_permissions:
  - index_patterns:
    - "*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:data/read/search"
    - "indices:admin/mappings/get"
    - "indices:admin/aliases/get"
  tenant_permissions: []
  static: false

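Added example, not part of the thread or of the OpenSearch project: a Python check that lists every role whose cluster permissions cover security:obo/create, directly or through a wildcard, so you can see who is able to mint OBO tokens. It assumes role definitions shaped like the JSON returned by GET _plugins/_security/api/roles; every role name except pablo is hypothetical, and action-group names and /regex/ patterns are not expanded.

```python
import re

OBO_ACTION = "security:obo/create"


def pattern_matches(pattern, action):
    """Match one permission pattern against an action name.

    Assumption: only '*' and '?' act as wildcards here; action-group
    names and /regex/ patterns are compared literally, not expanded.
    """
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, action) is not None


def roles_granting(roles, action=OBO_ACTION):
    """Return {role_name: [patterns]} for roles whose cluster_permissions cover action."""
    findings = {}
    for name, role in roles.items():
        hits = [p for p in role.get("cluster_permissions", []) if pattern_matches(p, action)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample data, keyed by role name like the roles API response.
SAMPLE_ROLES = {
    "pablo": {  # cluster permissions copied from the role in the answer above
        "cluster_permissions": [
            "cluster:admin/opensearch/ql/datasources/read",
            "indices:admin/template/get",
            "security:obo/create",
        ],
    },
    "reporting_ro": {"cluster_permissions": ["cluster:monitor/*"]},  # hypothetical
    "legacy_admin": {"cluster_permissions": ["*"]},                  # hypothetical
    "obo_wild": {"cluster_permissions": ["security:obo/*"]},         # hypothetical
    "index_only": {  # hypothetical: index permissions only, no cluster permissions
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["indices:data/read/search"]}
        ],
    },
}

if __name__ == "__main__":
    for role, patterns in roles_granting(SAMPLE_ROLES).items():
        print(f"{role}: can create OBO tokens via {patterns}")
```

Roles reported through a wildcard rather than the literal action are the ones worth reviewing, since the grant may not have been intended.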