Read Only Accounts

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.0

Describe the issue:
We are trying to lock down groups of users so they only have access to read their log-data.

The data comes in with the format logstash-<group>_<date>, e.g. logstash-weaterforecast_2023-05-23.

For each new application we run an ansible-job that does the following:

  • Creates a role over the API
    “{{ opensearch_api_address }}/_plugins/_security/api/roles/order-{{ role.name }}”
    With the following data (converted to JSON):

    cluster_permissions:
      - cluster_composite_ops_ro
    index_permissions:
      - index_patterns:
        - "logstash-{{ role.name }}_*"
        allowed_actions:
        - read

  • Creates a role-mapping
    “{{ opensearch_api_address }}/_plugins/_security/api/rolesmapping/order-{{ role.rolename }}”
    With the following data:

    description: "Mapping for role: {{ role.name }}"
    backend_roles: "{{ role.groups }}"

When the user now logs on to Dashboards they can’t view the logs in the index. I’m assuming I’m missing some roles that need to be there; I’ve been trying adding and removing roles.

What roles and permissions are needed for a read-only user?

Configuration:

Relevant Logs or Screenshots:

Hi @sebastian-thorn
If a user uses OpenSearch Dashboard, the user also needs to be mapped with the kibana_user role.

Could you execute the following commands in the DevTools when the user is logged in?

GET _cat/indices

@Eugene7
This is what I get back:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:monitor/settings/get] and User [name=sebtho01, backend_roles=[R-IT-Plattform], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:monitor/settings/get] and User [name=sebtho01, backend_roles=[R-IT-Plattform], requestedTenant=null]"
  },
  "status": 403
}

We have somewhat switched track on this, and are trying out the document-level-security, but I’m facing other issues there with using ${user.securityRoles}.

Trying with something like this:

{
  "terms" : {
      "order" : ${user.securityRoles}
  }
}

But there seems to be some more fiddling to do.

Hi @sebastian-thorn

Could you execute the following commands in the DevTools and share the output?

GET _plugins/_security/api/roles/
GET _plugins/_security/api/rolesmapping
GET _plugins/_security/api/internalusers/

What authentication domains do you use for your users?

We solved this with the following.

PUT "{{ opensearch_api_address }}/_plugins/_security/api/roles/team-{{ role.teamname }}"

cluster_permissions:
  - cluster_composite_ops_ro
  - cluster_monitor
index_permissions:
  - index_patterns:
    - "logstash-team-*"
    dls: " {\"bool\":{\"filter\":{\"term\":{\"team\":\"{{ role.teamname }}\"}}}}"
    allowed_actions:
    - read
  - index_patterns:
    - .kibana
    - .kibana-6
    - .kibana_*
    allowed_actions:
    - read

and

PUT "{{ opensearch_api_address }}/_plugins/_security/api/rolesmapping/team-{{ role.ordername }}"

description: "Mapping for team: {{ role.teamname }}"
backend_roles: "{{ role.groups }}"
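The role above, rebuilt as an added Python example (not code from the thread or from OpenSearch): it generates the role and role-mapping bodies with the DLS query serialized as the JSON string the Security API expects, and includes a small offline model of the read decision so you can check which indices and documents a team member would see before pushing the role. The team name, group list and sample documents are constructed for the example.

```python
import fnmatch
import json


def build_team_role(team: str) -> dict:
    """Role body equivalent to the thread's solution: read-only on the team's
    logstash indices, restricted by a DLS term filter on the `team` field,
    plus read access to the Dashboards saved-object indices."""
    dls_query = {"bool": {"filter": {"term": {"team": team}}}}
    return {
        "cluster_permissions": ["cluster_composite_ops_ro", "cluster_monitor"],
        "index_permissions": [
            {
                "index_patterns": ["logstash-team-*"],
                # DLS must be a JSON *string*, hence json.dumps rather than a dict;
                # this is what the backslash-escaped value in the YAML above encodes.
                "dls": json.dumps(dls_query),
                "allowed_actions": ["read"],
            },
            {
                "index_patterns": [".kibana", ".kibana-6", ".kibana_*"],
                "allowed_actions": ["read"],
            },
        ],
    }


def build_team_mapping(team: str, groups: list) -> dict:
    """Role mapping body: backend roles (e.g. AD/LDAP groups) mapped to the team role."""
    return {"description": f"Mapping for team: {team}", "backend_roles": groups}


def can_read_doc(role: dict, index: str, doc: dict) -> bool:
    """Offline model of the authorization decision: the index must match a
    pattern of a permission that allows `read`, and if that permission carries
    a DLS term filter the document must satisfy it. Simplified on purpose:
    only the single-term filter shape used in this thread is evaluated."""
    for perm in role["index_permissions"]:
        if "read" not in perm["allowed_actions"]:
            continue
        if not any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]):
            continue
        dls = perm.get("dls")
        if dls is None:
            return True  # no DLS on this permission: whole index readable
        term = json.loads(dls)["bool"]["filter"]["term"]
        field, value = next(iter(term.items()))
        if doc.get(field) == value:
            return True
    return False
```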