Roles and permissions - view dashboards

idan17 · May 20, 2024, 6:23am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
As an opensearch admin im trying to build a role for other users so they can manage their own indexes, by which meaning to create index template out of the index, creating dashboards etc, and only view their own objects.

Configuration:
Tried to add the cluster permissions of :

cluster_composite_ops_ro
cluster:monitor/health
cluster:monitor/state

index permissions
index: example_index
permissions:
indices:data/read/search
indices:data/read/get
indices:admin/get
indices:admin/mappings/fields/get

but when user with role enters dashboards management → index patterns or discover/dashboards gets nothing

Relevant Logs or Screenshots:

Mantas · May 20, 2024, 9:10am

Hi @idan17,

Could you please share the authorization error from your OpenSearch nodes logs? This should provide clues about permissions that are missing.

thanks.
mj

idan17 · May 21, 2024, 6:35am

When accessing the dashboards screen, i see a blank page, and in the console in the dev tools,
i get 403 error :
"no permission for [indices:data/read/search] for user …
the thing is i gave this user indices_all permission, and even if i add indices:data/read/search i get this security exception

Gary · May 21, 2024, 6:42am

You need the permissions on the Index and on the Cluster.

Mantas · May 21, 2024, 8:45am

Could you please run the below and share the output (please make sure to blank any sensitive information):

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/roles?pretty

Thanks,
mj

idan17 · May 21, 2024, 10:29am

ok i did that.
the output i got is all the roles, the specific role im talking about is here:

"my-role" : {
  "reserved": false,
  "hidden": false,
  "cluster_permissions": [
     "cluster:monitor/main"
],
  "index_permissions" : [
     {
      "index_patterns" : [
          "*"
         ],
       "dls" : "",
       "fls" : [ ],
       "masked_fields" : [ ],
       "allowed_actions": [
            "indices_all",
            "indices:data/read/search"
       ]
}
]
   "tenant_permissions" : [],
   "static" : false
}

merlinz01 · May 28, 2024, 3:04pm

Check out the kibana_user role.

Mantas · May 29, 2024, 9:42am

Hi @idan17,

You are still missing some of the cluster permissions, please see below a sample that should work for creating and viewing templates:

{
  "my_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster:monitor/main",
      "cluster_manage_index_templates",
      "cluster:admin/opendistro/ism/policy/search",
      "cluster:monitor/state"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all",
          "indices:data/read/search"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

Best,
mj

idan17 · June 4, 2024, 9:01am

Thanks all, i was finally able to solve the problem,
the problem was i needed to give permission for kibana indexes

Topic		Replies	Views
On applying DLS in role configuraiton, not able to see index pattern and dashboard details Security troubleshoot	8	62	July 12, 2024
Permission Issue Setting Up Dashboards Security	2	1120	December 23, 2021
ISM and security permissions Security configure	8	127	August 15, 2024
Permissions weird Security	10	807	October 9, 2023
Permission errors on indices:data/read/search[can_match] Security	2	546	October 20, 2022

Roles and permissions - view dashboards

Related topics