Permissions weird

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Last version

Describe the issue:
Default setup, index pattern security* keeps throwing the exception indices:monitor/settings/get missing. If index pattern is *, no problems.

Why? What am I missing?
Br
Christoph

Relevant Logs or Screenshots:

Hey @chcnet

Can you give us some more details on this issue?

Hey Gsmitt

1 - Install a default installation from zip (Docker does it as well).
2 - create a new role tier1_role
cluster permissions: cluster_all
index_patterns: sec* (I want to show just the security-* )
index permissions: indices_all
3 - create a new user testuser
4 - edit role, add user “testuser” to tier1_role
5 - open another browser or incognito window, login as testuser
6 - Open Index Management
7 - click on Indices (error message pops up:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[tier1_role], requestedTenant=user])
→ reload the screen to reprovoke the error message

I hope I could describe that absolutely in detail. No securityadmin used, just the opensearch-dashboards security plugin.

@chcnet Did you assign permissions to the .kibana* index for that test user?


No, just the sec*. Should I assign perms also to .kibana*?
Now I did, but it keeps telling me on Index Management “No policies - create one?”, and if I click on Indices, it tells me the same error message as before.
As this is the default Docker installation, there are no indices created so far. If I log on using the admin/admin user, I can see security-

It tells me:
There are no existing indices. Create an index to view it here.

The role is set up like this:
Cluster permissions: cluster_all

Index permissions (1)
Index: fre* .kibana*
Permissions: indices_all get
Document-level security: –
Field-level security: –
Anonymizations: –

Tenant permissions (1)
Name: *
Description N/A
Read/write permission: Read and Write
Dashboard: n/a
Visualizations: n/a

@chcnet Take a look at the kibana_user role. It contains all required permissions to create and manage the OpenSearch Dashboards objects.

The .kibana index contains all the OpenSearch Dashboard objects.

Where do you see this message? In Discovery?

In opensearch-dashboards, main menu / Index Management / indices

@chcnet The message is correct. According to my tests, your user is missing cluster:monitor/health and cluster:monitor/state permissions in the cluster permissions section.

This should be visible at the bottom of your OpenSearch Dashboards UI and in the OpenSearch logs.

I have added these permissions to the cluster section of the role, no change. If I set the index-pattern not to “*” but to “security*”, I’m still getting this error message:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]

If I want to see indices in discover, I do not get anything. dev_tools tells me:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]"
  },
  "status" : 403
}
If I change that again to index pattern “*”, I get a reasonable output…

Expected output would be just the security* indices…
Best regards
Christoph

This is the configuration of the operator_role: