Permissions & Channels

Versions 3.6

Describe the issue:

For users to access channels, we have to give cluster:admin/opensearch/notifications/*. This gives them more permissions, such as deleting the channel and creating new channels.

Email or Slack channels: if we need 10 different distribution lists, do we need to create 10 different email channels? Or do we need to think about switching to workspace?

Index pattern or data stream visibility: as an admin, I can see only indices but cannot see data streams. As a regular user, the user cannot see anything. The user does have an option to specify the index pattern.

Configuration:

Relevant Logs or Screenshots:

@muraliv thank you for the question. Regarding the channels. Have you tried the following role for readonly users of the channels:

notif_limited_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:admin/opensearch/notifications/configs/get"
  - "cluster:admin/opensearch/notifications/channels/get"
  - "cluster:admin/opensearch/notifications/features/get"
  - "cluster:admin/opensearch/notifications/feature/get"
  index_permissions: []
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_read"
  static: false

Testing locally (also with the kibana_user role mapped), the users are able to see the channel, but not edit or delete it. If this doesn’t work for you, can you please describe the behaviour you are seeing and provide the logs with errors (if any)?

Regarding the 10 different distribution lists, have you tried using Email recipient groups in the notification section? Does this not work for your use case? Can you elaborate please.

The data stream situation is somewhat strange, since the default admin user should be able to see the data streams. Can you provide the errors you are getting when trying to query the data stream using the API? Or provide the exact steps and configuration you are using to create the data streams and the roles/permissions mapped to the admin user in the View roles and identities section.

Hi Anthony,

Thanks for the quick response. I created a group permission named cluster_admin_notifications_readonly, and here is the info for this group permission.

{
  "cluster_admin_notifications_readonly": {
    "reserved": false,
    "hidden": false,
    "allowed_actions": [
      "cluster:admin/opensearch/notifications/channels/get",
      "cluster:admin/opensearch/notifications/configs/get",
      "cluster:admin/opensearch/notifications/features",
      "cluster:admin/opensearch/notifications/feature/send",
      "cluster:admin/opensearch/notifications/test_notification"
    ],
    "static": false
  }
}

Details for jeev_custom_role.

{
  "jeev_custom_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops",
      "cluster:admin/opendistro/alerting/*",
      "cluster_admin_notifications_readonly"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "logs-apigee*",
          ".kibana",
          ".kibana-6",
          ".kibana_*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "indices:admin/mappings/get",
          "indices_monitor",
          "indices:admin/aliases/get",
          "indices:data/read/field_caps*"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "jeev"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

When I log in as the local user, I do not see any channels in the trigger section.

10 different recipient groups: the use case is to have one email channel and the ability to use this channel across 10 different alerts within a tenant space. I do not see an option to change the recipient group when I select the email channel from the drop-down.

Data stream visibility: I am trying to select from the Alerts or Monitor module, and when I click on the drop-down, I see only indices and no data streams. No errors when I click on the drop-down. Steps are as follows.

Monitor → Create Monitor → Scroll down → Click on the drop-down below Indexes.
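An added check, not code from this thread or from the OpenSearch project, that models how the security plugin resolves action groups and `*` wildcards, to show why cluster:admin/opensearch/notifications/* grants create/delete while the cluster_admin_notifications_readonly action group above does not. The action-group and role names come from this thread; jeev_wildcard_role and the configs/create and configs/delete action names are assumptions, and only the `*` and `?` wildcards are modelled (no regex patterns).

```python
"""Resolve a role's cluster permissions and check which notification actions it grants.

Constructed example modelled on the roles and action groups posted in this thread.
Matching implements only the '*' and '?' wildcards of the security plugin; the
'/regex/' pattern form is not handled (assumption).
"""
import re

# Action groups as posted in the thread (allowed_actions only).
ACTION_GROUPS = {
    "cluster-base-permissions": [
        "cluster_monitor",
        "cluster_composite_ops",
        "cluster:admin/opendistro/alerting/*",
        "cluster:admin/opensearch/notifications/*",
    ],
    "cluster_admin_notifications_readonly": [
        "cluster:admin/opensearch/notifications/channels/get",
        "cluster:admin/opensearch/notifications/configs/get",
        "cluster:admin/opensearch/notifications/features",
        "cluster:admin/opensearch/notifications/feature/send",
        "cluster:admin/opensearch/notifications/test_notification",
    ],
}

# Roles: only the cluster_permissions part matters for this check.
ROLES = {
    "jeev_custom_role": [
        "cluster_monitor",
        "cluster_composite_ops",
        "cluster:admin/opendistro/alerting/*",
        "cluster_admin_notifications_readonly",
    ],
    # Hypothetical role that grants the wildcard action group instead.
    "jeev_wildcard_role": ["cluster-base-permissions"],
}

# Actions to probe. channels/get and configs/get appear in the thread;
# configs/create and configs/delete are assumed names for illustration.
PROBE_ACTIONS = [
    "cluster:admin/opensearch/notifications/channels/get",
    "cluster:admin/opensearch/notifications/configs/get",
    "cluster:admin/opensearch/notifications/configs/create",
    "cluster:admin/opensearch/notifications/configs/delete",
    "cluster:admin/opensearch/notifications/feature/send",
]


def resolve(perms, groups=ACTION_GROUPS, seen=None):
    """Expand action-group names (recursively) into concrete action patterns."""
    seen = set() if seen is None else seen
    patterns = set()
    for perm in perms:
        if perm in groups:
            if perm in seen:  # guard against cyclic or repeated group references
                continue
            seen.add(perm)
            patterns |= resolve(groups[perm], groups, seen)
        else:
            patterns.add(perm)
    return patterns


def matches(pattern, action):
    """True if the action name matches a pattern with '*' / '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action) is not None


def granted(role, action, roles=ROLES, groups=ACTION_GROUPS):
    """True if any resolved pattern of the role matches the action."""
    return any(matches(p, action) for p in resolve(roles[role], groups))


def permission_report(role, actions=PROBE_ACTIONS):
    """Map each probed action to whether the role grants it."""
    return {action: granted(role, action) for action in actions}


def excess_grants(role, intended, probe=PROBE_ACTIONS):
    """Least-privilege check: probed actions the role grants beyond the intended list."""
    intended = set(intended)
    return sorted(a for a in probe if a not in intended and granted(role, a))


if __name__ == "__main__":
    readonly = ACTION_GROUPS["cluster_admin_notifications_readonly"]
    for role in ROLES:
        print(role)
        for action, ok in permission_report(role).items():
            print(f"  {'GRANT' if ok else 'deny '}  {action}")
        print("  excess beyond read-only:", excess_grants(role, readonly))
```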

@muraliv I am not able to reproduce this. In my case the test user is able to see the channels created. Would you be able to provide your configuration files (opensearch.yaml and opensearch_dashboards.yaml) and security configuration files, by extracting the latest configuration using securityadmin.sh with the -r parameter? Please redact any sensitive details.

Hi Anthony,

Do you want me to share the opensearch.yml file from the cluster manager, or from any node?

Thanks

Murali

@muraliv Please share both

Hi Anthony,

Here are the yml files for dashboards, a warm node and a cluster manager. What is the exact command that I need to run with the -r option? Do I run the security admin script like this?

export OPENSEARCH_JAVA_HOME=/usr/share/opensearch/jdk
/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
  -r /etc/opensearch/opensearch-security/ \
  -icl \
  -nhnv \
  -cacert /etc/opensearch/certs/admin-lob-osdev-chained.pem \
  -cert /etc/opensearch/certs/admin-lob-osdev-chained.pem \
  -key /etc/opensearch/certs/admin-lob-osdev-key.pem \
  -h localhost

dashboards.yml
==============
# OpenSearch Dashboards configuration
# Documentation: https://opensearch.org/docs/latest/install-and-configure/install-dashboards/

# Specifies the address to which the OpenSearch Dashboards server will bind.
server.host: 0.0.0.0

# The OpenSearch Dashboards server's name. Used for display purposes.
server.name: "host1.ebiz.mydomain.com"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files.
server.ssl.enabled: true
server.ssl.certificate: "/etc/opensearch/certs/mycerts-chained.pem"
server.ssl.key: "/etc/opensearch/certs/mycerts-key.pem"

# The URLs of the OpenSearch instances to use for all queries.
opensearch.hosts: ['https://search-lob-osdev.ebiz.mydomain.com:443']

# Authentication credentials for the OpenSearch Dashboards server to connect to OpenSearch.
# Uses the internal admin user. For a dedicated dashboards user, create one via
# the security plugin and reference it here instead.
opensearch.username: "kibanaserver"

# TLS settings for the connection between Dashboards and OpenSearch.
opensearch.ssl.verificationMode: full
opensearch.ssl.certificateAuthorities: ["/etc/opensearch/certs/mycerts-chained.pem"]

# Logging configuration
logging.dest: /apps/opt/application/opensearch-dashboards/logs/opensearch_dashboards.log
logging.verbose: true

# Specifies the path where Dashboards stores data.
path.data: "/apps/opt/application/opensearch-dashboards"
pid.file: "/run/opensearch-dashboards/opensearch-dashboards.pid"

# OpenSearch Security plugin settings for Dashboards
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["admin_tenant"]
opensearch_security.multitenancy.tenants.enable_global: false
opensearch_security.multitenancy.tenants.enable_private: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]


# Cookie-based session management
opensearch_security.cookie.secure: true
opensearch_security.cookie.password: "password1234"
opensearch_security.cookie.ttl: 21600000

# Session TTL
opensearch_security.session.ttl: 21600000
opensearch_security.session.keepalive: True

# ---------------------------------------------------------------------------
# Request headers
# ---------------------------------------------------------------------------
opensearch.requestHeadersAllowlist:
  - authorization
  - securitytenant

# ---------------------------------------------------------------------------
# Saved-objects import limits
# ---------------------------------------------------------------------------
savedObjects.maxImportPayloadBytes: 26843545

# enable explorer
explore.enabled: true

================================
opensearch yml file for warm node
================================


# ======================== OpenSearch Configuration ============================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: lob-osdev-cluster

# Cluster fault detection settings
cluster.fault_detection.follower_check.timeout: 10s
cluster.fault_detection.follower_check.retry_count: 5
cluster.fault_detection.follower_check.interval: 30s
cluster.fault_detection.leader_check.timeout: 10s

# Fix audit index creation:
# OpenSearch 3.x Audit Storage Configuration
plugins.security.audit.type: internal_opensearch_data_stream

#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: host2.ebiz.domain.com
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /apps/opt/application/opensearch
#
# Path to log files:
#
path.logs: /apps/opt/application/opensearch/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default OpenSearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default OpenSearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#


discovery.seed_hosts: [ host3.ebiz.domain.com, host4.ebiz.domain.com, host5.ebiz.domain.com ]

#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY CONFIGURATION --------------------------
#
# OpenSearch Security Plugin Configuration
#
# NOTE: LDAP/AD authentication is configured in opensearch-security/config.yml
#       and applied via securityadmin.sh, NOT in this file.
#
# ------------------------------------------------------------------------------

# Enable OpenSearch Security plugin
plugins.security.disabled: false

# Enable encryption for HTTP API client connections (Dashboards, Logstash, Agents)
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemkey_filepath: certs/elm-lob-osdev-key.pem
plugins.security.ssl.http.pemcert_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/elm-lob-osdev-chained.pem

# Enable encryption and mutual authentication between cluster nodes
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemkey_filepath: certs/elm-lob-osdev-key.pem
plugins.security.ssl.transport.pemcert_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

# Distinguished names of certificates allowed to act as admin
plugins.security.authcz.admin_dn:
  - "CN=admin-lob-osdev.ebiz.domain.com,O=domain Data Services LLC,L=Tampa,ST=Florida,C=US"

# Distinguished names of nodes certificates
plugins.security.nodes_dn:
  - "CN=elm-lob-osdev.ebiz.domain.com,O=domain Data Services LLC,L=Tampa,ST=Florida,C=US"

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
# http.host: 0.0.0.0  # Redundant - covered by network.host above

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
# transport.host: 0.0.0.0  # Redundant - covered by network.host above

# Disable host resolution for performance
plugins.security.ssl.transport.resolve_hostname: false

# Disable demo certificates
plugins.security.allow_unsafe_democertificates: false

# Enable Security REST API for role mapping management
plugins.security.restapi.roles_enabled: ["all_access"]

#----------------------- END SECURITY CONFIGURATION ----------------------------

## OpenSearch Node Roles
node.roles: [ warm ]

## Warm Node Specific Settings
## not needed since OS defaults to 80%
## if we do need it then move to vars since the vols vary between clusters -- jtb
######node.search.cache.size: 1500gb
####
## Object storage additional client settings
s3.client.osdev-lob-hvuv-ism.endpoint: s3repo.domain.com
s3.client.osdev-lob-hvuv-ism.path_style_access: true
s3.client.osdev-lob-hvuv-ism.region: us-east-1
# S3 client endpoints are added dynamically by the configure_object_storage playbook
# via lineinfile when repositories are created. Do not add them here.

=======================================
opensearch yml file for cluster manager
=======================================

#######################  Managed by Ansible  ##############################


# ======================== OpenSearch Configuration ============================
#
# NOTE: OpenSearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://opensearch.org/docs/latest/install-and-configure/configuring-opensearch/
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: lob-osdev-cluster

# Cluster fault detection settings
cluster.fault_detection.follower_check.timeout: 10s
cluster.fault_detection.follower_check.retry_count: 5
cluster.fault_detection.follower_check.interval: 30s
cluster.fault_detection.leader_check.timeout: 10s

# Fix audit index creation:
# OpenSearch 3.x Audit Storage Configuration
plugins.security.audit.type: internal_opensearch_data_stream

#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: host3.ebiz.domain.com
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /apps/opt/application/opensearch
#
# Path to log files:
#
path.logs: /apps/opt/application/opensearch/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# OpenSearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default OpenSearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default OpenSearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#


discovery.seed_hosts: [ host3.ebiz.domain.com, host4.ebiz.domain.com, host5.ebiz.domain.com ]

#
# Bootstrap the cluster using an initial set of cluster-manager-eligible nodes:
#
#cluster.initial_cluster_manager_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY CONFIGURATION --------------------------
#
# OpenSearch Security Plugin Configuration
#
# NOTE: LDAP/AD authentication is configured in opensearch-security/config.yml
#       and applied via securityadmin.sh, NOT in this file.
#
# ------------------------------------------------------------------------------

# Enable OpenSearch Security plugin
plugins.security.disabled: false

# Enable encryption for HTTP API client connections (Dashboards, Logstash, Agents)
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemkey_filepath: certs/elm-lob-osdev-key.pem
plugins.security.ssl.http.pemcert_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.http.pemtrustedcas_filepath: certs/elm-lob-osdev-chained.pem

# Enable encryption and mutual authentication between cluster nodes
plugins.security.ssl.transport.enabled: true
plugins.security.ssl.transport.pemkey_filepath: certs/elm-lob-osdev-key.pem
plugins.security.ssl.transport.pemcert_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: certs/elm-lob-osdev-chained.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

# Distinguished names of certificates allowed to act as admin
plugins.security.authcz.admin_dn:
  - "CN=admin-lob-osdev.ebiz.domain.com,O=domain Data Services LLC,L=Tampa,ST=Florida,C=US"

# Distinguished names of nodes certificates
plugins.security.nodes_dn:
  - "CN=elm-lob-osdev.ebiz.domain.com,O=domain Data Services LLC,L=Tampa,ST=Florida,C=US"

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
# http.host: 0.0.0.0  # Redundant - covered by network.host above

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
# transport.host: 0.0.0.0  # Redundant - covered by network.host above

# Disable host resolution for performance
plugins.security.ssl.transport.resolve_hostname: false

# Disable demo certificates
plugins.security.allow_unsafe_democertificates: false

# Enable Security REST API for role mapping management
plugins.security.restapi.roles_enabled: ["all_access"]

#----------------------- END SECURITY CONFIGURATION ----------------------------

## OpenSearch Node Roles
node.roles: [ cluster_manager ]

## Warm Node Specific Settings
## not needed since OS defaults to 80%
## if we do need it then move to vars since the vols vary between clusters -- jtb
##
## Object storage additional client settings
s3.client.osdev-lob-hvuv-ism.endpoint: s3repo.domain.com
s3.client.osdev-lob-hvuv-ism.path_style_access: true
s3.client.osdev-lob-hvuv-ism.region: us-east-1
# S3 client endpoints are added dynamically by the configure_object_storage playbook
# via lineinfile when repositories are created. Do not add them here.

@muraliv Thank you for the files. Yes, the command to extract the loaded security configuration looks correct. I just can’t see what certificates are included in the chained file. Usually the -cacert parameter is for the root certificate and the -cert parameter is used for the admin certificate defined in the opensearch.yml file under plugins.security.authcz.admin_dn.

Hi @Anthony

Greetings. I do not see an option to upload the files or a zip file.

Thanks

Murali

@muraliv You should be able to paste the files in the reply.

Hi @Anthony ,

I am getting an error message; it looks like I cannot upload yml files. I will share the contents of each file here.

---
_meta:
  type: "actiongroups"
  config_version: 2
cluster-base-permissions:
  reserved: false
  hidden: false
  allowed_actions:
  - "cluster_monitor"
  - "cluster_composite_ops"
  - "cluster:admin/opendistro/alerting/*"
  - "cluster:admin/opensearch/notifications/*"
  static: false
cluster_admin_notifications_readonly:
  reserved: false
  hidden: false
  allowed_actions:
  - "cluster:admin/opensearch/notifications/channels/get"
  - "cluster:admin/opensearch/notifications/configs/get"
  - "cluster:admin/opensearch/notifications/features"
  - "cluster:admin/opensearch/notifications/feature/send"
  - "cluster:admin/opensearch/notifications/test_notification"
  static: false
---
_meta:
  type: "allowlist"
  config_version: 2
config:
  enabled: false
  requests:
    /_cluster/settings:
    - "GET"
    /_cat/nodes:
    - "GET"

---
_meta:
  type: "audit"
  config_version: 2
config:
  enabled: true
  audit:
    enable_rest: true
    disabled_rest_categories:
    - "AUTHENTICATED"
    - "GRANTED_PRIVILEGES"
    enable_transport: true
    disabled_transport_categories:
    - "AUTHENTICATED"
    - "GRANTED_PRIVILEGES"
    ignore_users:
    - "kibanaserver"
    ignore_requests: []
    resolve_bulk_requests: false
    log_request_body: true
    resolve_indices: true
    exclude_sensitive_headers: true
  compliance:
    enabled: true
    internal_config: true
    external_config: false
    read_metadata_only: true
    read_watched_fields: {}
    read_ignore_users:
    - "kibanaserver"
    write_metadata_only: true
    write_log_diffs: false
    write_watched_indices: []
    write_ignore_users:
    - "kibanaserver"

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        description: "Authenticate via internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: true
        authentication_backend:
          type: "intern"
      inwin_ldap_auth:
        description: "Domain1 Active Directory authentication"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "inwinlb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@inwin.ad.mydomain.com"
            password: "youknowthis"
            userbase: "DC=inwin,DC=ad,DC=mydomain,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
      si_ldap_auth:
        description: "si Active Directory authentication"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "silb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@si.ent.domain.com"
            password: "4GGC2J42V24TSs42L72n22J3paa2F"
            userbase: "DC=si,DC=ent,DC=domain,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
      ade_ldap_auth:
        description: "ade Active Directory authentication"
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "adesmlb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@ade.mydomain.com"
            password: "6Fn6AV66d66x66wk6h6XbF5g6u"
            userbase: "DC=ade,DC=mydomain,DC=com"
            usersearch: "(sAMAccountName={0})"
            username_attribute: "sAMAccountName"
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
    authz:
      inwin_ldap_authz:
        description: "inwin LDAP group authorization"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "inwinlb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@inwin.ad.mydomain.com"
            password: "youknowthis"
            userbase: "DC=inwin,DC=ad,DC=mydomain,DC=com"
            usersearch: "(sAMAccountName={0})"
            rolebase: "OU=Groups,DC=inwin,DC=ad,DC=mydomain,DC=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: null
            rolename: "cn"
            resolve_nested_roles: false
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
      si_ldap_authz:
        description: "si LDAP group authorization"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "silb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@si.ent.domain.com"
            password: "4GGC2J42V24TSs42L72n22J3paa2F"
            userbase: "DC=si,DC=ent,DC=domain,DC=com"
            usersearch: "(sAMAccountName={0})"
            rolebase: "OU=Groups,DC=si,DC=ent,DC=domain,DC=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: null
            rolename: "cn"
            resolve_nested_roles: false
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
      ade_ldap_authz:
        description: "ade LDAP group authorization"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: "ldap"
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            verify_hostnames: true
            pemtrustedcas_filepath: "certs/ldap-ca-bundle.pem"
            hosts:
            - "adesmlb.mydomain.com:636"
            follow_referrals: false
            bind_dn: "svc-elm-lob-ldap@ade.mydomain.com"
            password: "6Fn6AV66d66x66wk6h6XbF5g6u"
            userbase: "DC=ade,DC=mydomain,DC=com"
            usersearch: "(sAMAccountName={0})"
            rolebase: "OU=Groups,DC=ade,DC=mydomain,DC=com"
            rolesearch: "(member={0})"
            userroleattribute: null
            userrolename: null
            rolename: "cn"
            resolve_nested_roles: false
            connect_timeout: 5000
            response_timeout: 5000
            skip_users:
            - "admin"
            - "kibanaserver"
            - "kibanaro"
            - "logstash"
            - "readall"
            - "snapshotrestore"
---
logstash:
  hash: "$2a$12$u1ShR4l4uBS3Uv59Pa2y5.1uQuZBrZtmNfqB3iM/.jL0XoV9sghS2"
  reserved: false
  hidden: false
  backend_roles:
  - "logstash"
  attributes: {}
  description: "Demo logstash user, using external role mapping"
  opendistro_security_roles: []
  static: false
snapshotrestore:
  hash: "$2y$12$DpwmetHKwgYnorbgdvORCenv4NAK8cPUg8AI6pxLCuWf/ALc0.v7W"
  reserved: false
  hidden: false
  backend_roles:
  - "snapshotrestore"
  attributes: {}
  description: "Demo snapshotrestore user, using external role mapping"
  opendistro_security_roles: []
  static: false
jeev_local:
  hash: "$2y$12$rZysJvncGj.IzENUQ6vlwenyQ9idjoYAstmLUzo1B.joEt7mN4vd."
  reserved: false
  hidden: false
  backend_roles: []
  attributes: {}
  opendistro_security_roles: []
  static: false
_meta:
  type: "internalusers"
  config_version: 2
admin:
  hash: "$2y$12$Oo0VxcpJHu7WYX4Sv/cqS.caFPe7.jE5gUht.DVOKanGW3mj3YtuW"
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  attributes: {}
  description: "Demo admin user"
  opendistro_security_roles: []
  static: false
kibanaserver:
  hash: "$2a$12$4AcgAt3xwOWadA5s5blL6ev39OXDNhmOesEoo33eZtrq2N0YrU3H."
  reserved: true
  hidden: false
  backend_roles: []
  attributes: {}
  description: "Demo OpenSearch Dashboards user"
  opendistro_security_roles: []
  static: false
kibanaro:
  hash: "$2a$12$JJSXNfTowz7Uu5ttXfeYpeYE0arACvcwlPBStB1F.MI7f0U9Z4DGC"
  reserved: false
  hidden: false
  backend_roles:
  - "kibanauser"
  - "readall"
  attributes:
    attribute1: "value1"
    attribute2: "value2"
    attribute3: "value3"
  description: "Demo OpenSearch Dashboards read only user, using external role mapping"
  opendistro_security_roles: []
  static: false
readall:
  hash: "$2a$12$ae4ycwzwvLtZxwZ82RmiEunBbIPiAmGZduBAjKN0TXdwQFtCwARz2"
  reserved: false
  hidden: false
  backend_roles:
  - "readall"
  attributes: {}
  description: "Demo readall user, using external role mapping"
  opendistro_security_roles: []
  static: false
anomalyadmin:
  hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
  reserved: false
  hidden: false
  backend_roles: []
  attributes: {}
  description: "Demo anomaly admin user, using internal role"
  opendistro_security_roles:
  - "anomaly_full_access"
  static: false

---
_meta:
  type: "nodesdn"
  config_version: 2

jeev_custom_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_monitor"
  - "cluster_composite_ops"
  - "cluster:admin/opendistro/alerting/*"
  - "cluster_admin_notifications_readonly"
  index_permissions:
  - index_patterns:
    - "logs-apigee*"
    - ".kibana"
    - ".kibana-6"
    - ".kibana_*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "read"
    - "indices:admin/mappings/get"
    - "indices_monitor"
    - "indices:admin/aliases/get"
    - "indices:data/read/field_caps*"
  tenant_permissions:
  - tenant_patterns:
    - "jeev"
    allowed_actions:
    - "kibana_all_write"
  static: false
jeev:
  reserved: false
  hidden: false
  description: "Tenant for JEEV"
  static: false

@muraliv using your config I can confirm the channels are visible both from the notifications/channel tab in UI and alert/trigger section.

Can you run the following commands using the test user:

curl -sk -u 'jeev_local:<pass>' 'https://localhost:9201/_plugins/_notifications/configs?pretty'

curl -sk -u 'jeev_local:<pass>' 'https://localhost:9201/_plugins/_notifications/channels?pretty'

Are you receiving the channels back in the responses?

@muraliv also can you confirm if there are any errors in the opensearch/opensearch_dashboards logs when you attempt to create the trigger.

Is localhost:9201 the OpenSearch URL?

@muraliv yes, please use the OpenSearch URL with the correct port.

I get a 200 response for each request using Postman, and now the user ‘jeev_local’ can see the channels in the UI. I am wondering if it’s related to caching. The user still cannot see the index pattern he is allowed to see in the drop-down. But when he enters *jeev, it does populate the drop-down list with time fields.

@muraliv glad to hear the channel issue is resolved. I would recommend restarting OpenSearch Dashboards and using a private browser window to ensure there are no caching issues. Regarding the other issues, can you please raise a separate issue (or issues) for this, detailing a way to reproduce the issue and the expected behaviour? You can reference this case for the configuration you have provided.

Hi @Anthony

Thanks a ton for your help.