Read only user not being able to update UI settings (api/opensearch-dashboards/settings)

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.18

Describe the issue:
A read only user is getting an error when opening dashboards about not being able to save settings. In developer console this seems to point to:

Request URL: https://host:7180/api/opensearch-dashboards/settings
Request Method: POST
Status Code: 403 Forbidden

Configuration:

{
  "readall_sai": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "index",
          "search",
          "read",
          "indices_all",
          "indices_monitor",
          "get",
          "data_access",
          "indices:admin/mapping/put",
          "indices:admin/settings/update"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "*"
        ],
        "allowed_actions": []
      }
    ],
    "static": false
  }
}

Relevant Logs or Screenshots:

What permissions need to be given? I also added this user to the opensearch_dashboards.yml readonly users settings. Perhaps it’s not needed there? Technically this setting should not then require any write access.

opensearch_security.readonly_mode.roles: ["readall_sai","readall","readall_and_monitor","tom_role"]

Hi @dmossakowski,

Are there any errors/warnings in your logs referring to insufficient permissions?
Could you add a cluster_composite_ops_ro to your Cluster permissions and test it again?

Best,
mj

It still is the same with cluster_composite_ops_ro permissions:

{
  "readall_sai": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "*",
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "index",
          "search",
          "read",
          "indices_all",
          "indices_monitor",
          "get",
          "data_access",
          "indices:admin/mapping/put"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "*"
        ],
        "allowed_actions": []
      }
    ],
    "static": false
  }
}

This user is part of other roles too. Can that have an impact? The roles are:

readall_and_monitor
own_index
readall_sai

Could you share the output of the following:

GET _plugins/_security/authinfo

best,
mj

Unfortunately this user doesn't see dev tools. What permission is needed for the user to see 'Dev tools'? The menu only has:

I can execute a query as admin for this user if it helps or I can enable Dev tools for the user if you tell me which permission is it.

Thanks!
David

Ok, I removed the role from the read_only setting (and commented out the entire property):
#opensearch_security.readonly_mode.roles: ["readall_sai","readall","readall_and_monitor","tom_role"]

and now I see Dev Tools…

GET _plugins/_security/authinfo

{
  "user": "User [name=xxxxxxxxxxxxxx, backend_roles=[], requestedTenant=]",
  "user_name": "xxxxxxxxxxxxxxxxxxx",
  "user_requested_tenant": "",
  "remote_address": "xxxxxxxxx",
  "backend_roles": [],
  "custom_attribute_names": [
    "attr.jwt.iss",
    "attr.jwt.preferred_username",
    "attr.jwt.oid",
    "attr.jwt.rh",
    "attr.jwt.uti",
    "attr.jwt.aud",
    "attr.jwt.groups",
    "attr.jwt.nbf",
    "attr.jwt.tid",
    "attr.jwt.idp",
    "attr.jwt.sub",
    "attr.jwt.name",
    "attr.jwt.ver",
    "attr.jwt.exp",
    "attr.jwt.wids",
    "attr.jwt.iat",
    "attr.jwt.email"
  ],
  "roles": [
    "readall_and_monitor",
    "own_index",
    "readall_sai"
  ],
  "tenants": {
    "global_tenant": false,
    "admin_tenant": false,
    "xxxxxxxxxxxxxxxxxxx": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

The role is as follows:

readall_sai:
  cluster_permissions:
    - 'cluster_composite_ops_ro'
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - 'index'
    - 'search'
    - 'read'
    - 'indices_all'
    - 'indices_monitor'
    - 'get'
    - 'data_access'
    - 'indices:admin/mapping/put'
  tenant_permissions:
  - tenant_patterns:
    - '*'
    allowed_actions:
    - 'kibana_all_read'

In Developer Console I see 403 for ‘template’:

also:

In this mode I don’t see the user error ‘Unable to update UI setting’

After additional tests, the main menu difference does seem to be related to the opensearch_security.readonly_mode.roles setting. When I put it back, the menu is reduced to only ‘Dashboards’ and the error pops:

Without this setting, the user sees the Discover, Dev Tools and other menus and even seems to be able to edit dashboards, but the save action is disallowed. This is functionally ok but it isn't very user friendly.

It seems like we need something in between: the ability to Discover and use Dev Tools but with any edit functionality disabled. Not sure if this is possible.

I’ll check the logs for any errors or warnings related to insufficient permissions.

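A least-privilege check worth running before debugging the UI: the role posted above is named "readall_sai" but its allowed_actions still include action groups such as `index`, `indices_all` and `data_access` and the raw action `indices:admin/mapping/put`, which are not read-only. The script below is an added example (not part of the thread or of the OpenSearch Security plugin) that audits a role definition against a conservative allowlist of read-only action groups and action prefixes; the allowlist is my own choice and the embedded role JSON is constructed from the last role shown in the thread.

```python
import json

# Conservative allowlist (assumption, not the plugin's own classification):
# action groups and raw action prefixes that grant read access only.
READ_ONLY_GROUPS = {
    "read", "search", "get", "indices_monitor",
    "cluster_monitor", "cluster_composite_ops_ro", "kibana_all_read",
}
READ_ONLY_PREFIXES = ("indices:data/read/", "indices:monitor/", "cluster:monitor/")


def is_read_only(action: str) -> bool:
    """True only if the action is provably read-only; wildcards never are."""
    if "*" in action:
        return False
    return action in READ_ONLY_GROUPS or action.startswith(READ_ONLY_PREFIXES)


def audit_role(role: dict) -> dict:
    """Return every cluster/index/tenant grant that is not read-only."""
    findings = {"cluster": [], "index": [], "tenant": []}
    findings["cluster"] = [a for a in role.get("cluster_permissions", []) if not is_read_only(a)]
    for ip in role.get("index_permissions", []):
        patterns = ",".join(ip.get("index_patterns", []))
        findings["index"] += [(patterns, a) for a in ip.get("allowed_actions", []) if not is_read_only(a)]
    for tp in role.get("tenant_permissions", []):
        patterns = ",".join(tp.get("tenant_patterns", []))
        findings["tenant"] += [(patterns, a) for a in tp.get("allowed_actions", []) if not is_read_only(a)]
    return findings


def audit_role_json(text: str, name: str) -> dict:
    """Parse a roles API response body and audit the named role."""
    return audit_role(json.loads(text)[name])


# Constructed input: the final readall_sai role from the thread, as JSON.
ROLE_JSON = """{"readall_sai": {"reserved": false, "hidden": false,
  "cluster_permissions": ["cluster_composite_ops_ro"],
  "index_permissions": [{"index_patterns": ["*"], "fls": [], "masked_fields": [],
    "allowed_actions": ["index", "search", "read", "indices_all", "indices_monitor",
                        "get", "data_access", "indices:admin/mapping/put"]}],
  "tenant_permissions": [{"tenant_patterns": ["*"], "allowed_actions": ["kibana_all_read"]}],
  "static": false}}"""

if __name__ == "__main__":
    for scope, items in audit_role_json(ROLE_JSON, "readall_sai").items():
        for item in items:
            print(f"{scope}: not read-only -> {item}")
```

Run it against `GET _plugins/_security/api/roles/<name>` output to see which grants keep a "read-only" role from actually being read-only.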