Problem with Authorizing OpenSearch Dashboard Users

Hi everyone,

I installed an OpenSearch cluster as a central log server. Everything works smoothly. I can get my logs from other servers with Filebeat. I index my logs to OpenSearch with Logstash. I can create index patterns with OpenSearch Dashboards and monitor my logs in the Discover menu.

While installing OpenSearch, I also configured LDAP in the config.yml file. I created groups for my users with different labels on my LDAP server. According to the parameters I gave in config.yml, I successfully log in my LDAP users to the system according to my parameters.

After this stage, I need to authorise my users for different tenants. I plan to create different tenants according to my different application names. Then I plan to ensure that each user can see the logs in the tenant they are authorised.


My problem:

I created the following role and role_mapping definitions for my user in the first LDAP group. My user can log in successfully. But when he enters the Discover menu, he cannot see the logs. The dashboard page appears empty. But when I enter that tenant with the admin user, I can see my logs.

In the index permissions section, I tried many permission options. Then I tried “all_access” but the result is the same again.

When I add my LDAP user group to the existing “all_access” role instead of the role I created, I can see everything without any problems.

In this case I see that there is a problem with my authorisations, but I don’t understand how to solve this problem.


My purpose:

1- My users should only log in to the tenant that I have authorised them for.

2- They should not have administrator level authorisations. They should only be able to see logs in their own tenant. Also, if possible, they should only be able to see the “OpenSearch Control Panels” menu.

I don’t want them to be able to see and use the other menus, but if there is no way around this, I will only allow them to see the logs in the tenant they are authorised to.


My OpenSearch and Linux versions:

[root@logserver3 ]# yum list installed |grep "opensearch"
opensearch.x86_64                             2.10.0-1                                  @@System
opensearch-dashboards.x86_64                  2.9.0-1                                   @System

[root@logserver3 ]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)

My LDAP user groups:

test_app_1_ldap_group
test_app_2_ldap_group

My tenants:

Test_Application_1
Test_Application_2

My definitions in roles.yml;

test_app_1_role:
  reserved: true
  cluster_permissions:
    - 'cluster_composite_ops_ro'
  index_permissions:
    - index_patterns:
        - 'Test_Application_1-*'
      allowed_actions:
        - 'all_access'
#        - 'indices:data/read/scroll'
#        - 'indices:data/read/scroll*'
#        - 'indices:data/read/scroll/clear'
#        - 'indices:data/read/mget'
#        - 'indices:data/read/mget*'
#        - 'indices:data/read/msearch'
#        - 'indices:data/read/msearch*'
#        - 'indices:data/read/msearch/template'
#        - 'indices:data/read/mtv'
#        - 'indices:data/read/mtv*'
  tenant_permissions:
  - tenant_patterns:
    - "Test_Application_1"
    allowed_actions:
    - "kibana_all_read"

My definitions in roles.mapping.yml;

test_app_1_role:
  reserved: true
  backend_roles:
  - "test_app_1_ldap_group"
  - "kibana_all_read"

My definitions in tenants.yml;

Test_Application_1:
  reserved: true

ldap user ss;

Hi espala,

Could you please try adding - 'indices:data/read/*' in your test_app_1_role.index_permissions.allowed_actions?

  index_permissions:
    - index_patterns:
        - 'Test_Application_1-*'
      allowed_actions:
          - 'indices:data/read/*'

Upload changes using securityadmin.sh and let me know if you can see data on your Dashboard page.

More on index permissions here:

Best,
Mantas
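
Added example, not part of the thread and not OpenSearch project code: a simplified Python model of how `allowed_actions` entries are matched against the actions a request needs, run over the three variants that appear above (the posted `all_access` entry, the commented-out list, and the suggested wildcard). Assumptions: an entry that is not an action-group name is treated as a case-sensitive wildcard pattern, `all_access` is the name of a built-in role rather than of an action group, `ACTION_GROUPS` is a trimmed stand-in, and the `REQUESTED` list is constructed.

```python
from fnmatch import fnmatchcase

# Simplified stand-in for the built-in action groups (assumption: trimmed to one entry).
ACTION_GROUPS = {"read": ["indices:data/read*"]}

def expand(allowed_actions, groups=ACTION_GROUPS):
    """Replace action-group names by their member patterns; keep other entries as patterns."""
    patterns = []
    for entry in allowed_actions:
        patterns.extend(groups.get(entry, [entry]))
    return patterns

def action_allowed(allowed_actions, action):
    """True if any expanded pattern matches the requested action name."""
    return any(fnmatchcase(action, p) for p in expand(allowed_actions))

def denied_actions(allowed_actions, requested):
    """Requested actions that no entry in allowed_actions covers."""
    return [a for a in requested if not action_allowed(allowed_actions, a)]

# Constructed sample: read actions a log-viewing session is assumed to issue.
REQUESTED = [
    "indices:data/read/search",
    "indices:data/read/msearch",
    "indices:data/read/scroll",
]

# The three allowed_actions variants taken from the posts above.
ROLE_VARIANTS = {
    "posted": ["all_access"],
    "commented_out": [
        "indices:data/read/scroll", "indices:data/read/scroll*",
        "indices:data/read/scroll/clear", "indices:data/read/mget",
        "indices:data/read/mget*", "indices:data/read/msearch",
        "indices:data/read/msearch*", "indices:data/read/msearch/template",
        "indices:data/read/mtv", "indices:data/read/mtv*",
    ],
    "suggested": ["indices:data/read/*"],
}

def report():
    """Map each variant to the requested actions it would leave denied."""
    return {name: denied_actions(acts, REQUESTED) for name, acts in ROLE_VARIANTS.items()}

if __name__ == "__main__":
    for name, denied in report().items():
        print(f"{name}: denied={denied}")
```

In this model the literal string `all_access` covers none of the requested actions, and the commented-out list covers scroll and msearch but has no entry for `indices:data/read/search`.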