Permissions weird

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Last version

Describe the issue:
Default setup, index pattern security* keeps throwing the exception indices:monitor/settings/get missing. If the index pattern is *, no problems.

Why ? What am i missing?
Br
Christoph

Relevant Logs or Screenshots:

Hey @chcnet

Can you give us some more details on this issue?

Hey Gsmitt

1 - Install a default installation, either from zip or docker (docker does it as well).
2 - create a new role tier1_role
cluster permissions: cluster_all
index_patterns: sec* (I want to show just the security-* )
index permissions: indices_all
3 - create a new user testuser
4 - edit role, add user “testuser” to tier1_role
5 - open another browser or incognito window, login as testuser
6 - Open Index Management
7 - click on Indices (error message pops up:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[tier1_role], requestedTenant=user])
→ reload the screen to reproduce the error message

I hope I could describe that in detail. No securityadmin used, just the opensearch-dashboards security plugin.

@chcnet Did you assign permissions to the .kibana* index for that test user?


No. just the sec*. Should I assign perms also to .kibana*?
Now I did - but it keeps telling me on Index Management “No policies - create one?”, and if I click on Indices, it tells me the same error message as before.
As this is the default docker installation, there are no indices created so far. If I log on using the admin/admin user, I can see security-

It tells me:
There are no existing indices. Create an index to view it here.

The role is setup like this:
Cluster permissions: cluster_all

Index permissions (1)
Index: fre* .kibana*
Permissions: indices_all get
Document-level security: –
Field-level security: –
Anonymizations: –

Tenant permissions (1)
Name: *
Description N/A
Read/write permission: Read and Write
Dashboard: n/a
Visualizations: n/a

@chcnet Take a look at the kibana_user role. It contains all required permissions to create and manage the OpenSearch Dashboards objects.

The .kibana index contains all the OpenSearch Dashboard objects.

Where do you see this message? In Discovery?

In opensearch-dashboards, main menu / Index Management / indices

@chcnet The message is correct. According to my tests, your user is missing cluster:monitor/health and cluster:monitor/state permissions in the cluster permissions section.

This should be visible at the bottom of your OpenSearch Dashboards UI and in the OpenSearch logs.

I have added these permissions to the cluster section of the role, no change. If I set the index pattern not to “*” but to “security*”, I’m still getting this error message:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]

If I want to see indices in discover, I do not get anything. dev_tools tells me:
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/read/search] and User [name=tonitester, backend_roles=[operator_role], requestedTenant=null]"
  },
  "status" : 403
}
If I change that back to index pattern “*”, I get a reasonable output…

expected output would be just the security* indices…
Best regards
Christoph

This is the configuration of the operator_role:

@chcnet Your user needs access to .kibana indices.
Could you try assigning kibanauser backend_role in the user’s properties?


Hi
Thank you very much for all your support.

Here I would like to post the final solution, so that others might save their time struggling with the documentation:

HOW TO CREATE ROLES FOR LDAP BACKEND USERS
1 - configure your LDAP Backend
2 - create a group in LDAP, let's say opensearch-readers
3 - DUPLICATE the role kibana_user
4 - Open your copied role and manage mapping
5 - Add your LDAP Role to the Backend Roles of your duplicated role
6 - edit the permissions of your role AND set a tenant to read_only or read_write as your requirements are.

Conclusion – without those tenant permissions, you won’t get any Discover or dashboards etc.; the tenant must not be “null”.

Then you can easily set different indices to your role, to distinguish between different user groups…

I was missing this tenant setting, therefore I had those problems.

Happy hacking and kind regards
Christoph
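The two role recipes in this thread (the tier1_role reproduction above and the final LDAP how-to) differ by exactly the three things the replies pointed at: the cluster:monitor permissions, access to the .kibana* index, and a non-null tenant grant. The following is an added example, not code from the thread or from the OpenSearch project: a small linter for a role in the Security plugin's REST API shape that reports those three gaps, a repair step that adds only what Dashboards itself needs (leaving the data-index grants such as sec* untouched), and a builder for the two REST requests that create the role and map an LDAP group to it as a backend role. The role names, the opensearch-readers group and the sample roles are constructed; the action group names (read, write, kibana_all_read) and the global_tenant tenant pattern are assumed to match the plugin's defaults, and the /_plugins/_security/api/roles and /_plugins/_security/api/rolesmapping paths are the plugin's documented endpoints.

```python
# Added example, not code from the thread: lint an OpenSearch Security role
# (REST API shape) for the three pitfalls discussed above, repair it, and
# build the requests that would create the role and map an LDAP group
# (backend role) to it. Sample roles and names are constructed; action
# group and tenant names are assumed to match the plugin defaults.
import fnmatch
import json

# Cluster permissions the thread identified as needed by Index Management.
REQUIRED_CLUSTER_PERMS = {"cluster:monitor/health", "cluster:monitor/state"}
# Dashboards keeps its saved objects in .kibana* (as stated in the thread).
DASHBOARDS_INDEX = ".kibana"


def _covers_index(index_patterns, index_name):
    """True if any glob pattern granted by the role matches index_name."""
    return any(fnmatch.fnmatchcase(index_name, pat) for pat in index_patterns)


def lint_role(role):
    """Return findings for a role dict with cluster_permissions,
    index_permissions and tenant_permissions; an empty list means clean."""
    findings = []
    cluster = set(role.get("cluster_permissions", []))
    if not cluster & {"cluster_all", "*"}:  # cluster_all already implies both
        missing = sorted(REQUIRED_CLUSTER_PERMS - cluster)
        if missing:
            findings.append("missing cluster permissions: " + ", ".join(missing))
    if not any(_covers_index(p.get("index_patterns", []), DASHBOARDS_INDEX)
               for p in role.get("index_permissions", [])):
        findings.append("no index permission covers .kibana* (Dashboards saved objects)")
    if not role.get("tenant_permissions"):
        findings.append("no tenant permission: requestedTenant stays null, "
                        "so Discover and Dashboards show nothing")
    return findings


def fix_role(role, tenant_access="kibana_all_read", kibana_actions=("read", "write")):
    """Copy of role with the lint findings addressed. Data-index grants are
    left untouched: only what Dashboards itself needs is added."""
    fixed = json.loads(json.dumps(role))  # deep copy, leave the input alone
    cluster = list(fixed.get("cluster_permissions", []))
    if not set(cluster) & {"cluster_all", "*"}:
        cluster += sorted(REQUIRED_CLUSTER_PERMS - set(cluster))
    fixed["cluster_permissions"] = cluster
    index_perms = list(fixed.get("index_permissions", []))
    if not any(_covers_index(p.get("index_patterns", []), DASHBOARDS_INDEX)
               for p in index_perms):
        # Dashboards writes index patterns/visualizations into .kibana*;
        # "read"/"write" are assumed default action group names.
        index_perms.append({"index_patterns": [".kibana*"],
                            "allowed_actions": list(kibana_actions)})
    fixed["index_permissions"] = index_perms
    if not fixed.get("tenant_permissions"):
        # "global_tenant" and kibana_all_read are assumed plugin default names;
        # the tenant grant is what decides read-only vs read/write in the UI.
        fixed["tenant_permissions"] = [{"tenant_patterns": ["global_tenant"],
                                        "allowed_actions": [tenant_access]}]
    return fixed


def security_api_requests(role_name, role, backend_roles):
    """(method, path, body) tuples for the Security REST API: create/replace
    the role, then map the LDAP group(s) to it as backend roles."""
    return [
        ("PUT", f"/_plugins/_security/api/roles/{role_name}", role),
        ("PUT", f"/_plugins/_security/api/rolesmapping/{role_name}",
         {"backend_roles": list(backend_roles)}),
    ]


# Constructed sample: the tier1_role from the thread's first reproduction.
TIER1_ROLE = {
    "cluster_permissions": ["cluster_all"],
    "index_permissions": [{"index_patterns": ["sec*"],
                           "allowed_actions": ["indices_all"]}],
}

if __name__ == "__main__":
    for finding in lint_role(TIER1_ROLE):
        print("finding:", finding)
    repaired = fix_role(TIER1_ROLE)
    for method, path, body in security_api_requests(
            "tier1_role", repaired, ["opensearch-readers"]):
        print(method, path, json.dumps(body))
```

Run against the thread's tier1_role, the linter reports the missing .kibana* grant and the missing tenant grant but not the cluster permissions (cluster_all already covers them); after fix_role the same role lints clean, and the second request is the role mapping that does step 5 of the how-to for the opensearch-readers group.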