Permissions not allowing report download or report definition creation

Hi

I’m attempting to create a role that, among other things, enables use of the Reporting plugin. The challenge is that I’m getting “Insufficient permissions. Reach out to your OpenSearch Dashboards administrator.” when trying to generate/download a report, or create a report definition.

I’m using AWS OpenSearch v 2.19 - Dashboards 2.19.2

The custom role my user has can be seen below. This is the only role they have.

Any help will be greatly appreciated.

{
  "TestRole": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops",
      "cluster:admin/opendistro/reports/definition/create",
      "cluster:admin/opendistro/reports/definition/update",
      "cluster:admin/opendistro/reports/definition/delete",
      "cluster:admin/opendistro/reports/definition/get",
      "cluster:admin/opendistro/reports/definition/list",
      "cluster:admin/opendistro/reports/definition/on_demand",
      "cluster:admin/opendistro/reports/instance/get",
      "cluster:admin/opendistro/reports/instance/list",
      "cluster:admin/opendistro/reports/menu/download"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "xapi.data"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "write",
          "indices:admin/create"
        ]
      },
      {
        "index_patterns": [
          ".opendistro-reports-*",
          ".opendistro-reports-definitions",
          ".opendistro-reports-instances"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/write/index",
          "indices:admin/create",
          "indices:data/read/search"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*",
          ".opensearch_dashboards"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "write",
          "indices:admin/create"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "global_tenant"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

@matthew1 I have tested this config in a standalone OpenSearch and the user is able to generate reports and create policies. Are you getting any messages in the error and audit logs?

Hi @Anthony - we’re seeing the following in error logs.

status: 403,
  displayName: 'AuthorizationException',
  path: '/_plugins/_query/_datasources',
  query: {},
  body: '{\n' +
    '  "status": 403,\n' +
    '  "error": {\n' +
    '    "type": "OpenSearchSecurityException",\n' +
    '    "reason": "There was internal problem at backend",\n' +
    '    "details": "no permissions for [cluster:admin/opensearch/ql/datasources/read] and User [name\\u003dTestRole, backend_roles\\u003d[TestRole], requestedTenant\\u003d]"\n' +
    '  }\n' +
    '}',
  statusCode: 403,
  response: '{\n' +
    '  "status": 403,\n' +
    '  "error": {\n' +
    '    "type": "OpenSearchSecurityException",\n' +
    '    "reason": "There was internal problem at backend",\n' +
    '    "details": "no permissions for [cluster:admin/opensearch/ql/datasources/read] and User [name\\u003dTestRole, backend_roles\\u003d[TestRole], requestedTenant\\u003d]"\n' +
    '  }\n' +
    '}',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}
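
A way to read a 403 like the one above against the role definition, as an added example that is not part of the original thread: it pulls the denied action out of the security plugin's response body and checks it against the role's `cluster_permissions`. The function names are hypothetical, the role is trimmed from the post, wildcard matching is simplified, and entries without a colon (such as `cluster_composite_ops`) are assumed to be action groups and are reported but not expanded.

```python
import json
import re

# Constructed sample: cluster permissions trimmed from the role in the post.
ROLE = {"TestRole": {"cluster_permissions": [
    "cluster_composite_ops",
    "cluster:admin/opendistro/reports/definition/create",
    "cluster:admin/opendistro/reports/instance/list",
    "cluster:admin/opendistro/reports/menu/download",
]}}

# Constructed sample: the 403 response body from the log, as raw JSON.
BODY = r'''{"status": 403, "error": {
  "type": "OpenSearchSecurityException",
  "reason": "There was internal problem at backend",
  "details": "no permissions for [cluster:admin/opensearch/ql/datasources/read] and User [name\u003dTestRole, backend_roles\u003d[TestRole], requestedTenant\u003d]"}}'''


def denied_actions(body):
    """Return the action names from a 'no permissions for [...]' 403 body."""
    details = json.loads(body)["error"]["details"]  # \u003d decodes to '='
    m = re.search(r"no permissions for \[([^\]]*)\]", details)
    return [a.strip() for a in m.group(1).split(",")] if m else []


def pattern_matches(pattern, action):
    """Simplified wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action) is not None


def audit(role, actions):
    """Map each action to whether an explicit cluster permission covers it,
    and list entries that look like action groups (not expanded here)."""
    perms = role["cluster_permissions"]
    explicit = [p for p in perms if ":" in p]
    groups = [p for p in perms if ":" not in p]
    covered = {a: any(pattern_matches(p, a) for p in explicit) for a in actions}
    return covered, groups


if __name__ == "__main__":
    covered, groups = audit(ROLE["TestRole"], denied_actions(BODY))
    for action, ok in covered.items():
        print(("granted " if ok else "MISSING ") + action)
    print("unexpanded action groups:", groups)
```

An action reported as missing may still be granted through one of the listed action groups, so check those group definitions before adding the permission explicitly.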

Have you tried adding this permission?

Yes. I got the same on-screen error message. Upon checking the logs, the error was then different: “Permission denied for ObservabilityObject creation”. Having Googled this, I’ve added 4 cluster permissions:

  • cluster/admin/opensearch/observability/get
  • cluster/admin/opensearch/observability/create
  • cluster/admin/opensearch/observability/update
  • cluster/admin/opensearch/observability/delete

Having tested again, I get the same error message: “Permission denied for ObservabilityObject creation”.

We’ve dug into this a bit further and are currently thinking our issue may be related to this bug: GitHub · Where software is built