Permission set for a readonly role

Hello,

Using OpenSearch 2.9 engine here (within an AWS domain, not serverless).

I’m struggling to find the correct set of permissions for a readonly role to map to my regular non-admin users.

I followed this guide (Users and roles - OpenSearch documentation) but it wasn’t effective. With that role the user could not access anything.

Also followed some tips I found within this forum but they weren’t helpful.

What I’m trying to achieve:

  • Users should only have access to the following menus on the left: OpenSearch Dashboards (Overview, Discover, Dashboards and Visualize). All other menus (e.g. Observability, OpenSearch Plugins and Management) shall be hidden
  • Users should only be able to:
      ◦ Run queries (Discover)
      ◦ See the dashboards

And nothing else.

Any help would be greatly appreciated!
JC

There are a few default read_only roles that may be helpful https://github.com/opensearch-project/security/blob/main/config/roles.yml

Yep I’m using that list as baseline but none of them fulfilled my goal. Still doing some experiments and trial and error using that list as a starting point though.

Thanks!

@joaopfcruz Unfortunately the current version of OpenSearch Dashboards allows for a read-only mode with Dashboards only enabled.
This can be achieved by defining a role in the below option in opensearch_dashboards.yml and assigning it to the individual users.

opensearch_security.readonly_mode.roles: ["read_only"]

Please also be aware that read-only mode in OpenSearch Dashboards doesn’t mean that the user has read-only access to the data and other OpenSearch Dashboards objects.

Your read-only user should also contain a kibana_read_only role for OpenSearch Dashboards objects and any read-only roles suggested by @jasonrojas to prevent write access to indices.

Thanks for the inputs @pablo.

For now I’ve stuck with this for a readonly role:

  • Cluster permissions: cluster_composite_ops_ro
  • Index permissions: read for .kibana* indices and my actual data indices. (It turned out users needed read access to that system .kibana* index to read things like configurations, etc. Simple example: I turned on the dark mode in the OpenSearch advanced settings menu and readonly users could only get the dark mode effectively enabled after giving read permissions to that index.)
  • Tenant permissions: Read only for the Global Tenant

With this I believe my users can search data and nothing more (like creating visualizations or dashboards, which is fine for the moment). The only caveat is the fact they’re still able to access menus like “Management” or “Observability” although they can’t do anything there (actually they are flooded with errors because of the lack of permissions). That’s the only thing I would want to change. They should only be able to see the “Discover” menu.

JC
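Putting the pieces from this thread together, here is an added example (not from any of the posters) of the role, its mapping and the Dashboards setting as YAML; the role name `readonly_dashboards`, the data index pattern `logs-*` and the backend role `analysts` are placeholders.

```yaml
# roles.yml (OpenSearch Security plugin): the read-only role described in the thread.
_meta:
  type: "roles"
  config_version: 2

readonly_dashboards:                 # placeholder role name
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"     # read-only cluster-level ops (msearch, mget, ...)
  index_permissions:
    - index_patterns:
        - ".kibana*"                 # saved objects and advanced settings (e.g. dark mode)
      allowed_actions:
        - "read"
    - index_patterns:
        - "logs-*"                   # placeholder for the actual data indices
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"          # read-only access to the Global tenant
---
# roles_mapping.yml: who receives the role (backend role name is a placeholder).
_meta:
  type: "rolesmapping"
  config_version: 2

readonly_dashboards:
  reserved: false
  backend_roles:
    - "analysts"
---
# opensearch_dashboards.yml: hide every menu except Dashboards for users holding this role.
# This only trims the UI; data access is still governed by the role above.
opensearch_security.readonly_mode.roles: ["readonly_dashboards"]
```

On a managed AWS domain the role and mapping are created through the security plugin REST API or the Dashboards Security UI rather than by editing these files, and the platform may not expose the opensearch_dashboards.yml setting at all. Verify the result by logging in as a mapped user and confirming that a write to a data index is rejected while Discover still returns hits.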