Also followed some tips I found within this forum but they weren’t helpful.
What I’m trying to achieve:
Users should only have access to the following menus on the left: OpenSearch Dashboards (Overview, Discover, Dashboards and Visualize). Everything else (e.g. the Observability, OpenSearch Plugins and Management menus) shall be hidden.
Yep I’m using that list as baseline but none of them fulfilled my goal. Still doing some experiments and trial and error using that list as a starting point though.
@joaopfcruz Unfortunately the current version of the OpenSearch Dashboards allows for a read-only mode with Dashboards only enabled.
This can be achieved by defining a role in the below option in opensearch_dashboards.yml and assigning it to the individual users.
Please also be aware that read-only mode in OpenSearch Dashboards doesn’t mean that the user has read-only access to the data and other OpenSearch Dashboards objects.
Your read-only user should also contain a kibana_read_only role for OpenSearch Dashboards objects and any read-only roles suggested by @jasonrojas to prevent write access to indices.
For now I’ve stuck with this for a readonly role:
Cluster permissions: cluster_composite_ops_ro
Index permissions: read for .kibana* indices and my actual data indices. (It turned out users needed read access to that system .kibana* index to read things like configurations, etc. Simple example: I turned on the dark mode in the OpenSearch advanced settings menu and readonly users could only get the dark mode effectively enabled after giving read permissions to that index.)
Tenant permissions: Read only for the Global Tenant
With this I believe my users can search data and nothing more (like creating visualizations or dashboards, which is fine for the moment). The only caveat is the fact they’re still able to access menus like “Management” or “Observability” although they can’t do anything there (actually they are flooded with errors because of the lack of permissions). That’s the only thing I would want to change. They should only be able to see the “Discover” menu.
Has a solution for this been implemented yet? I also created a read only user and they can only access discover page, but they can still see other pages in the UI which looks bad IMO.
I have followed your response and created a user with the below permissions, but when I add FLS for one of the fields, “kubernetes.deployment.name”, for testing purposes, I am getting “500 internal server”. Without adding FLS it worked perfectly.
User - logviewer
Role - finspuserrole
Cluster Permission - cluster_composite_ops
Index - log-finsp* , .kibana* , .opensearch_dashboards*
Index Permission - read Include - kubernetes.deployment.name
Tenant - global_tenant
Can you please help with how I can resolve this issue? Let me know if you need any additional details from my end.