Restrict access exclusively to 1 index

Hi, I’m new to using OpenSearch and I’m trying to give permissions inside a function, just for 1 index.
To make this possible I am creating the following objects:
1 - Tenant
2 - Role
3 - User
4 - And finally performing the Role Mapping

Would the request below to create the Role be correct?

{
  "cluster_permissions": [ "cluster_monitor"],
  "index_permissions": [{
    "index_patterns": [
      "opensearch_dashboards_sample_data_flights"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "indices_monitor", "create_index", "crud", "data_access", "indices:data/read/search", "indices:admin/create"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [
      "{{tenant}}"
    ],
    "allowed_actions": [
      "kibana_all_write"
    ]
  }]
}
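The four objects listed above (tenant, role, user, role mapping), expressed as calls to the Security plugin REST API, as an added example that is not part of this thread. It builds the same role shape as the JSON above, scoped to one data index plus the Dashboards saved-objects index, and runs a least-privilege check before anything is sent: a pattern containing `*` or `?` or an index outside the expected set is reported. The role, tenant and user names, the cluster URL and the credentials are constructed placeholders; `scope_findings` and `provisioning_plan` are helpers written for this example, not plugin APIs.

```python
import base64
import json
import urllib.request
from typing import Iterable

# Base path of the OpenSearch Security plugin REST API.
SECURITY_API = "/_plugins/_security/api"


def single_index_role(index: str, tenant: str, dashboards_index: str = ".kibana") -> dict:
    """Role definition scoped to one data index.

    The Dashboards saved-objects index (.kibana by default) is included as well,
    because without access to it the Dashboards menu does not load.
    """
    return {
        "cluster_permissions": ["cluster_monitor"],
        "index_permissions": [
            {
                "index_patterns": [index, dashboards_index],
                "dls": "",
                "fls": [],
                "masked_fields": [],
                "allowed_actions": [
                    "indices_monitor",
                    "crud",
                    "data_access",
                    "indices:data/read/search",
                ],
            }
        ],
        "tenant_permissions": [
            {"tenant_patterns": [tenant], "allowed_actions": ["kibana_all_write"]}
        ],
    }


def scope_findings(role: dict, allowed_indices: Iterable[str]) -> list[str]:
    """Least-privilege check: list every way the role reaches beyond allowed_indices."""
    allowed = set(allowed_indices)
    findings = []
    for perm in role.get("index_permissions", []):
        for pattern in perm.get("index_patterns", []):
            if "*" in pattern or "?" in pattern:
                findings.append(f"wildcard pattern {pattern!r} can match indices outside the allowed set")
            elif pattern not in allowed:
                findings.append(f"index {pattern!r} is not in the allowed set")
    return findings


def provisioning_plan(role_name: str, role: dict, tenant: str,
                      username: str, password: str) -> list[tuple[str, str, dict]]:
    """The four objects from the question as (method, path, body) calls, in creation order."""
    return [
        ("PUT", f"{SECURITY_API}/tenants/{tenant}", {"description": f"tenant for {role_name}"}),
        ("PUT", f"{SECURITY_API}/roles/{role_name}", role),
        ("PUT", f"{SECURITY_API}/internalusers/{username}", {"password": password}),
        ("PUT", f"{SECURITY_API}/rolesmapping/{role_name}", {"users": [username]}),
    ]


def apply_plan(base_url: str, admin_user: str, admin_password: str, plan) -> list[int]:
    """Send each call with HTTP basic auth as an admin; returns the HTTP status codes."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    statuses = []
    for method, path, body in plan:
        req = urllib.request.Request(
            base_url + path,
            data=json.dumps(body).encode(),
            method=method,
            headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Constructed names; the cluster URL and admin credentials are placeholders.
    role = single_index_role("opensearch_dashboards_sample_data_flights", "flights_tenant")
    problems = scope_findings(role, {"opensearch_dashboards_sample_data_flights", ".kibana"})
    if problems:
        raise SystemExit("\n".join(problems))
    plan = provisioning_plan("flights_only", role, "flights_tenant", "flights_user", "CHANGE_ME")
    print(apply_plan("https://localhost:9200", "admin", "ADMIN_PASSWORD", plan))
```

The scope check is the part worth keeping around: run it over any role before it is PUT to the cluster, and it will catch a `flights*` pattern that quietly matches every index created later with that prefix.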

@johnenderson It looks correct and it worked in my lab.

Nice!
Is there any recommendation on what types of permissions to use? In this case, which ones do I need to include so that it is possible to do everything within the chosen index and still create the Dashboards?
I’m using OpenSearch managed by AWS, and I have a feeling I might run into some restrictions using this managed service.

@johnenderson
I managed to allow access to a single index by including the desired index and the index “.kibana” in the permission, because without it the menu did not appear.
The other indices, if any, continue to appear, but the user receives the forbidden message.


@johnenderson Documentation doesn’t have a detailed description of all permissions.
However, you can start with default action groups and predefined roles.

If your role will miss any required privilege, OpenSearch will report that in the logs.

I am also facing the same issue… I have given the indices epcis_index & .kibana. Still getting the security exception indices:monitor/settings/get. I have given the following index permissions:
read
indices:monitor/settings/get
indices:monitor/stats

@jinoinfo Have you tried giving this permission at the cluster level?

If you are asking specifically about the issue I mentioned above, it was due to some strange browser cache issue. After clearing the cache it worked fine for me.
