Read Only Accounts

sebastian-thorn · November 27, 2023, 2:16pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11.0

Describe the issue:
We are trying to lock down groups of users so they only have access to read their log-data.

The data comes in with the format logstash-<group>_<date> eg. logstash-weaterforecast_2023-05-23.

For each new application we run an ansible-job that does the following:

Creates a role over the API
“{{ opensearch_api_address }}/_plugins/_security/api/roles/order-{{ role.name }}”
With the following data (converted to json):

cluster_permissions:
  - cluster_composite_ops_ro
index_permissions:
  - index_patterns:
    - "logstash-{{ role.name }}_*"
    allowed_actions:
    - read

Creates a role-mapping
“{{ opensearch_api_address }}/_plugins/_security/api/rolesmapping/order-{{ role.rolename }}”
With the following data:

description: "Mapping for role: {{ role.name }}"
backend_roles: "{{ role.groups }}"

When the user now logs on to Dashboards they can’t view the logs in the index, I’m assuming I’m missing some roles that needs to be there, I’v been trying adding and removing roles.

What roles and permissions are needed for a read-only user?

Configuration:

Relevant Logs or Screenshots:

Eugene7 · November 27, 2023, 3:37pm

Hi @sebastian-thorn
If a user uses OpenSearch Dashboard, the user also needs to be mapped with the kibana_user role.

Eugene7 · November 27, 2023, 3:44pm

Could you execute the following commands in the DevTools when the user is logged in?

GET _cat/indices

sebastian-thorn · November 28, 2023, 7:09am

@Eugene7
This is what i get back:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:monitor/settings/get] and User [name=sebtho01, backend_roles=[R-IT-Plattform], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:monitor/settings/get] and User [name=sebtho01, backend_roles=[R-IT-Plattform], requestedTenant=null]"
  },
  "status": 403
}

We have somewhat switched track on this, and are trying out the document-level-security, but I’m facing other issues there with using ${user.securityRoles}.

Trying with something like this:

{
  "terms" : {
      "order" : ${user.securityRoles}
  }
}

But there seems to be some more fiddeling to do.

Eugene7 · December 4, 2023, 12:23pm

Hi @sebastian-thorn

Could you execute the following commands in the DevTools and share the output?

GET _plugins/_security/api/roles/
GET _plugins/_security/api/rolesmapping
GET _plugins/_security/api/internalusers/

What authentication domains do you use for your users?

sebastian-thorn · February 14, 2024, 3:21pm

We solved this with the following.

PUT "{{ opensearch_api_address }}/_plugins/_security/api/roles/team-{{ role.teamname }}"

      cluster_permissions:
        - cluster_composite_ops_ro
        - cluster_monitor
      index_permissions:
        - index_patterns:
          - "logstash-team-*"
          dls: " {\"bool\":{\"filter\":{\"term\":{\"team\":\"{{ role.teamname }}\"}}}}"
          allowed_actions:
          - read
        - index_patterns:
          - .kibana
          - .kibana-6
          - .kibana_*
          allowed_actions:
          - read

and

PUT "{{ opensearch_api_address }}/_plugins/_security/api/rolesmapping/team-{{ role.ordername }}"


      description: "Mapping for team: {{ role.teamname }}"
      backend_roles: "{{ role.groups }}"

Topic		Replies	Views
Opensearch readonly user creation OpenSearch	10	1117	October 24, 2024
Roles and users Security configure	2	463	April 27, 2022
Permission set for a readonly role OpenSearch Dashboards configure	9	1440	October 30, 2024
How does the "kibana_read_only" role work? OpenSearch Dashboards troubleshoot , configure	4	1165	July 14, 2023
Opensearch Security - Read only Role Security	19	1266	September 20, 2021

Read Only Accounts

Related topics