Role applied when login with openId doesn't give permission to specified index

Security
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch/Dashboards 2.7.0
Deploy on K8s version 1.24.2

Describe the issue:
I have created a role that gets mapped to a backend_role through keycloak, the roles should give read and write privileges to specific index.
However, the role is not working right when I put specific index patterns the user gets a blank page in the discovery pages. It doesn’t show any other error not even in the logs.
If I give the user access to all the index but using the while *, everything works the discovery page works fine.

Configuration:
This configurations does not work:

{
  "test-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops",
      "indices_monitor",
      "cluster_manage_index_templates"
    ],
    "index_permissions": [{
      "index_patterns": [
        "logs*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "indices_monitor",
        "create_index",
        "index",
         "manage",
         "write",
         "search"
      ]
    }],
    "tenant_permissions": [{
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }],
    "static": false
  }
}

Working configuration

{
  "test-role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops",
      "indices_monitor",
      "cluster_manage_index_templates"
    ],
    "index_permissions": [{
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "indices_monitor",
        "create_index",
        "index",
         "manage",
         "write",
         "search"
      ]
    }],
    "tenant_permissions": [{
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }],
    "static": false
  }
}
2

@tcronin The blank screen in the Discovery is caused by the lack of permissions to .kibana indices.

All OpenSearch Dashboards’ objects (i.e. searches, visualisations, dashboards, OSD config etc. ) are kept in the .kibana index. If you enabled tenancy then you’ll notice that the .kibana index is created per user.

The * pattern includes all .(dot) indices including .kibana

Please have a look at the kibana_user role.

image
image1167×108 7 KB

3

Thank you very much. This solved my problem.