Role configuration needed for giving read only access to dashboard

In my application, admin has created certain dashboards on one index.

Now I want to create two roles for users for visibility of those dashboards.

  1. role with read only access to those dashboards where DQL can be applied from prompt on displayed dashboards
  2. role with read only access to those dashboards where DQL cannot be present to apply and dashboard will be fully read only.

I need to create these two roles using only roles.yml and roles_mapping.yml and cannot create them from the OpenSearch Dashboards UI, as due to some infra constraints the Security option is not available in the UI.

How to do that?

There’s a dashboards setting for read-only users, i.e. users that cannot make changes to saved objects (index patterns, visualizations, dashboards):

opensearch_security.readonly_mode.roles: ["<role_for_read_only>"]

Documentation page: https://opensearch.org/docs/latest/security/configuration/multi-auth/#sample-setup

Not sure about DQL on a prompt on a displayed dashboard though.

Is there any way to handle it through roles.yml and roles_mapping.yml? I tried with the kibana_read_only role, but it still leaves the edit dashboard option enabled.

In above image, basically I do not want to have edit button and DQL option enabled.

Facing same issue. Is there a way to remove Edit option in dashboards for read_only users?

@Apoorva The described read_only user is a placeholder role for the opensearch_security.readonly_mode.roles: option located in the opensearch_dashboards.yml file. Any user with the role placed in that option will get a limited view of OpenSearch Dashboards.

If you’d like to disable Edit button, then you must set tenant access to Read only in the role settings.

Please be aware that setting Read only access to the tenant will prevent any create, update or delete actions to any OpenSearch Dashboards objects (i.e. visualisations, search, dashboards etc. )

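The read-only tenant access described in the reply above can be expressed in roles.yml and roles_mapping.yml along the following lines. This is an added example, not configuration posted by anyone in the thread; the role name `dashboard_viewer` and the index pattern `app-data-*` are assumptions, and `viewer` is the backend role that appears in the authinfo output posted in this thread.

```yaml
# Constructed example; role name and index pattern are placeholders.
# ----- roles.yml -----
_meta:
  type: "roles"
  config_version: 2

dashboard_viewer:                 # hypothetical role name
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"  # read-only multi-document operations (msearch, mget)
  index_permissions:
    - index_patterns:
        - "app-data-*"            # placeholder for the index behind the dashboards
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"       # read-only tenant access (read-write would be kibana_all_write)
---
# ----- roles_mapping.yml -----
_meta:
  type: "rolesmapping"
  config_version: 2

dashboard_viewer:
  reserved: false
  backend_roles:
    - "viewer"                    # backend role taken from the thread's authinfo output
```

Edits to these files take effect only once they are loaded into the security index, for example with securityadmin.sh. Afterwards the `_plugins/_security/authinfo` call shows the resulting roles, and a tenant listed as `false` in its `tenants` map is read-only for that user.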

Even after setting the global tenant to Read only for a user who should only view OpenSearch Dashboards, I can see the Edit option enabled in the dashboard. Is it possible to disable or hide the edit and create options for a user with the role placed in the opensearch_security.readonly_mode.roles: option?

@Apoorva Could you share the output of the following command?

curl --insecure -u <username>:<password> https://<OpenSearch_node_IP_or_FQDN>:9200/_plugins/_security/authinfo?pretty

Is the dashboard from the screenshot located in the Global Tenant?
Do you use more than one tenant?

Here is the output of the command provided:

{
  "user" : "User [name=testviewer, backend_roles=[viewer], requestedTenant=null]",
  "user_name" : "testviewer",
  "user_requested_tenant" : null,
  "remote_address" : "[::1]:46870",
  "backend_roles" : [
    "viewer"
  ],
  "custom_attribute_names" : [
    "attr.internal.name"
  ],
  "roles" : [
    "own_index",
    "opensearch_dashboards_read_only",
    "read_only_index"
  ],
  "tenants" : {
    "testviewer" : true,
    "global_tenant" : false,
    "admin_tenant" : false
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

My OpenSearch doesn’t have multitenancy configured.

I’ve noticed that there is a security permission issue returned when the user executes a create / edit dashboard action.
I’m referring to this reported bug, where it is mentioned that hiding options is not supported in OpenSearch. Can you please let me know if a fix for this issue has been added in the latest version, or is there any alternate solution that I can use in OpenSearch version 2.15?

Note: I have assigned a read-only role to a user, which is placed in the opensearch_security.readonly_mode.roles: option and allows them to view the dashboards module as expected.

OpenSearch version 2.15
Multitenancy is not Configured.

@pablo can you please help me with this?

@Apoorva

I don’t think this statement is correct as per your authinfo output.

In that case Read only permission should be applied to the testviewer tenant.