In OpenSearch Dashboards we want to set up a separate tenant for a group of users, let’s call it Custom (tenant).
These users:
- Should not have access to the Global tenant.
- Should have write access to the Custom tenant so that they can create their own dashboards.
- Should be able to create their own index patterns - if possible.
I have created the tenant, and started on a role definition for these users.
What I’m having a hard time figuring out is which cluster and index privileges these users must have.
So far we have this one:
```yaml
Custom:
  reserved: false
  hidden: false
  cluster_permissions:
    - cluster_composite_ops_ro
    - kibana_all_read # is this required??
    - kibana_all_write # is this required??
  index_permissions:
    - index_patterns:
        - logstash-app-*
      dls: |-
        {
          "bool": {
            "must": [
              {
                "query_string": {
                  "query": "logsource.keyword: 'custom'"
                }
              }
            ],
            "filter": [],
            "should": [],
            "must_not": []
          }
        }
      fls: []
      masked_fields: []
      allowed_actions:
        - read
    - index_patterns:
        - .kibana*custom*
        - .opensearch_dashboards*custom*
      dls: ""
      fls: []
      masked_fields: []
      allowed_actions:
        - indices_all
```
Has anybody successfully managed this, or can point to a document outlining how to achieve this?
The goal is to have at least a couple of these special purpose tenants in addition to regular users which will have access to Global++.