Roles and permissions - view dashboards

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Describe the issue:
As an OpenSearch admin I'm trying to build a role for other users so they can manage their own indexes, meaning creating an index template from the index, creating dashboards, etc., and only view their own objects.

Configuration:
Tried to add the cluster permissions of:

  • cluster_composite_ops_ro
  • cluster:monitor/health
  • cluster:monitor/state

Index permissions:

index: example_index
permissions:

  • indices:data/read/search
  • indices:data/read/get
  • indices:admin/get
  • indices:admin/mappings/fields/get

But when a user with the role enters Dashboards Management → Index Patterns or Discover/Dashboards, they get nothing.

Relevant Logs or Screenshots:

Hi @idan17,

Could you please share the authorization error from your OpenSearch nodes logs? This should provide clues about permissions that are missing.

thanks.
mj

When accessing the Dashboards screen, I see a blank page, and in the console in the dev tools
I get a 403 error:
"no permission for [indices:data/read/search] for user …
The thing is, I gave this user the indices_all permission, and even if I add indices:data/read/search I get this security exception.

You need the permissions on the Index and on the Cluster.

Could you please run the below and share the output (please make sure to blank any sensitive information):

curl --insecure -u '<admin_username>:<admin_password>' -XGET 'https://<OS_node>:9200/_plugins/_security/api/roles?pretty'

Thanks,
mj

OK, I did that.
The output I got is all the roles; the specific role I'm talking about is here:

"my-role": {
  "reserved": false,
  "hidden": false,
  "cluster_permissions": [
    "cluster:monitor/main"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "indices_all",
        "indices:data/read/search"
      ]
    }
  ],
  "tenant_permissions": [],
  "static": false
}

Check out the kibana_user role.

Hi @idan17,

You are still missing some of the cluster permissions, please see below a sample that should work for creating and viewing templates:

{
  "my_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster:monitor/main",
      "cluster_manage_index_templates",
      "cluster:admin/opendistro/ism/policy/search",
      "cluster:monitor/state"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_all",
          "indices:data/read/search"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

Best,
mj

Thanks all, I was finally able to solve the problem.
The problem was that I needed to give permission for the Kibana indexes.

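An added example, not part of the thread and not OpenSearch's own code: a small Python check that evaluates a role body, in the shape returned by the roles API, against the index/action pairs a Dashboards user needs, showing why the role from the question returns nothing. The `.kibana` saved-objects index name, the `NEEDED` pairs, the simplified action-group expansion and the `FIXED_ROLE` layout are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Simplified action-group expansion (assumption: only the groups used here).
ACTION_GROUPS = {
    "indices_all": ["indices:*"],
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
}

def expand(actions):
    """Replace action-group names with their action patterns."""
    out = []
    for action in actions:
        out.extend(ACTION_GROUPS.get(action, [action]))
    return out

def allows(role, index, action):
    """True if one index_permissions entry matches both the index and the action."""
    for perm in role.get("index_permissions", []):
        index_ok = any(fnmatchcase(index, p) for p in perm["index_patterns"])
        action_ok = any(fnmatchcase(action, a) for a in expand(perm["allowed_actions"]))
        if index_ok and action_ok:
            return True
    return False

def missing(role, needed):
    """Return the (index, action) pairs in `needed` that the role does not grant."""
    return [(i, a) for i, a in needed if not allows(role, i, a)]

# Constructed from the permissions listed in the question.
QUESTION_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro", "cluster:monitor/health",
                            "cluster:monitor/state"],
    "index_permissions": [{
        "index_patterns": ["example_index"],
        "allowed_actions": ["indices:data/read/search", "indices:data/read/get",
                            "indices:admin/get", "indices:admin/mappings/fields/get"],
    }],
}

# Sample checks, not a full list. Assumption: saved objects live in ".kibana".
NEEDED = [("example_index", "indices:data/read/search"),
          (".kibana", "indices:data/read/search"),
          (".kibana", "indices:data/write/index")]

# Hypothetical scoped fix: data index stays read-only, saved-objects index is added.
FIXED_ROLE = dict(QUESTION_ROLE, index_permissions=QUESTION_ROLE["index_permissions"] + [
    {"index_patterns": [".kibana*"], "allowed_actions": ["read", "indices:data/write/index"]}])

if __name__ == "__main__":
    print("question role is missing:", missing(QUESTION_ROLE, NEEDED))
    print("scoped role is missing:  ", missing(FIXED_ROLE, NEEDED))
```

The security plugin's own pattern matching also accepts regular expressions, which this sketch does not model.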