Permission set for a readonly role


Using OpenSearch 2.9 engine here (within AWS domain (not serverless)

I’m struggling to find the correct set of permissions for a readonly role to map to my regular non-admin users.

I followed this guide (Users and roles - OpenSearch documentation) but it wasn’t effective. With that role the user could not access anything.

Also followed some tips I found within this forum but they weren’t helpful.

What I’m trying to achieve:

  • Users should only have access to the following menus on the left: OpenSearch Dashboards (Overview, Discover, Dashboards and Visualize). Everything else (e.g. Observability, OpenSearch Plugins and Management) menus shall be hidden
  • Users should only be able to:
  • Run queries (Discover)
  • See the dashboards

And nothing else.

Any help would be greatly appreciated!

There are a few default read_only roles that may be helpful

Yep I’m using that list as baseline but none of them fulfilled my goal. Still doing some experiments and trial and error using that list as a starting point though.


@joaopfcruz Unfortunately the current version of the OpenSearch Dashboards allows for a read-only mode with Dashboards only enabled.
This can be achieved by defining a role in the below option in opensearch_dashbnoards.yml and assigning it to the individual users.

opensearch_security.readonly_mode.roles: ["read_only"]

Please also be aware that read-only mode in OpenSearch Dashboards doesn’t mean that the user has read-only access to the data and other OpenSearch Dashboards objects.

Your read-only user should also contain a kibana_read_only role for OpenSearch Dashboards objects and any read-only roles suggested by @jasonrojas to prevent write access to indices.

Thanks for the inputs @pablo.

For now I’ve sticked up with this for a readonly role:

  • Cluster permissions: cluster_composite_ops_ro
  • Index permissions: read for .kibana* indices and my actual data indices. (It turned out users needed read access to that system .kibana* index to read things like configurations, etc. (simple example: I turned on the dark mode in the OpenSearch advanced settings menu and readonly users could only get the dark mode effectively enabled after giving read permissions to that index)
  • Tenant permissions: Read only for the Global Tenant

With this I believe my users can search data and nothing more (like creating visualizations or dashboards. Which is fine for the moment). The only caveat is the fact they’re still able to access menus like “Management” or “Observability” although they can’t do nothing there (actually they are flooded with errors because the lack of permissions). That’s the only thing I would want to change. They should only be able to see the “Discover” menu.