Permissions weird

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Last version

Describe the issue:
Defauft setup, index pattern security* keeps throwing the Exception indicesmonitor/settings/get missing. Ifcibdex pattern Is*, no problems

Why ? What am i missing?

Relevant Logs or Screenshots:

Hey @chcnet

Can you give us some more details on this issue?

Hey Gsmitt

1 - Install a default installation either from zip or docker does it as well.
2 - create a new role tier1_role
cluster permissions: cluster_all
index_patterns: sec* (I want to show just the security-* )
index permissions: indices_all
3 - create a new user testuser
4 - edit role, add user “testuser” to tier1_role
5 - open another browser or inkognito window, login as testuser
6 - Open Index Managment
7 - klick on Indices (error message pops up:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[tier1_role], requestedTenant=user])
→ reload the screen to reprovoke the error message

I hope, I could describe that absolutely in detail. No securityadmin used, just opensearch-dashboards security plugin

@chcnet Did you assign permissions to the .kibana* index for that test user?

1 Like

No. just the sec*. Should I assign perms also to .kibana*?
Now I did - but it keeps telling me on Index Management “No policies - create one?”, and if I click on Indices, it tells me the same error message as before.
As this is the default docker installation, there are no indices created so far. If I logon using the admin/admin user, I can see security-

It tells me:
There are no existing indices. Create an index to view it here.

The role is setup like this:
Cluster permissions: cluster_all

Index permissions (1)
Index: fre* .kibana*
Permissions: indices_all get
Document-level security: –
Field-level security: –
Anonymizations: –

Tenant permissions (1)
Name: *
Description N/A
Read/write permission: Read and Write
Dashboard: n/a
Visualizations: n/a

@chcnet Take a look at the kibana_user role. It contains all required permissions to create and managed the OpenSearch Dashboards objects.

The .kibana index contains all the OpenSearch Dashboard objects.

Where do you see this message? In Discovery?

In opensearch-dashboards, main menu / Index Management / indices

@chcnet The message is correct. According to my tests, your user is missing cluster:monitor/health and cluster:monitor/state permissions in the cluster permissions section.

This should be visible at the bottom of your OpenSearch Dashboards UI and in the OpenSearch logs.

I have added these permissions to the cluster section of the role, no change. If I set the index-pattern not to “*” but to “security*”, I’m getting still this error message:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]

If I want to see indices in discover, I do not get anything. dev_tools tells me:
“error” : {
“root_cause” : [
“type” : “security_exception”,
“reason” : “no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]”
“type” : “security_exception”,
“reason” : “no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]”
“status” : 403
Would I change that again to index patterin “*”, I get a reasonable output…

expected output would be just the security* indices…
Best regards

This is the configuration of the operator_role:

@chcnet Your user needs access to .kibana indices.
Could you try assigning kibanauser backend_role in the user’s properties?


Thank you very much for all your support.

Here I would like to post the final solution, so that others might save their time struggling with the documentation:

1 - configure your LDAP Backend
2 - create a group in LDAP, lets say opensearch-readers
3 - DUPLICATE the role kibana_user
4 - Open your copied role and manage mapping
5 - Add your LDAP Role to the Backend Roles of your duplicated role
6 - edit the permissions of your role AND set a tenant to read_only or read_write as your requirements are.

Fazit – without that tenant permissions, you won’t get any discover or dashboards etc… tenant must not be “null”.

Then you can easily set different indices to your role, to distinguish between different user groups…

I was missing this tenant setting, therefore I had those problems.

Happy hacking and kind regards