Roles Troubleshooting - OpenSearch Dashboard "Security" unavailable

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch Operator: 2.7.0
OpenSearch Cluster: 2.7.0
OpenSearch: 2.18.0
OpenSearch Dashboard: 2.18.0

Describe the issue:
The documentation here talks about visiting Security -> Roles -> ... for managing roles & users from the OpenSearch Dashboard. However, I do not have any pages named Security…

I am trying to verify why my backend role (MyBackendRole_A) has not assigned me the role “manage_snapshots” even though I have assigned it. See config below.

MyBackendRole_B assigns “all_access” to me.

Configuration:

roles_mapping.yml

_meta:
  type: "rolesmapping"
  config_version: 2

# Maps admin to all_access
all_access:
  reserved: false
  backend_roles:
  - "admin"
  - "MyBackendRole_B"
  description: "Maps admin, and Developers to All Access"

# Allow full access to an index named like the username
own_index:
  reserved: false
  users:
  - "*"
  description: "Allows users to have an index in their own name"

# Maps kibanauser to kibana_user
kibana_user:
  reserved: false
  backend_roles:
  - "kibanauser"

readall:
  reserved: false
  backend_roles:
  - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"
  - "MyBackendRole_A"

# Maps kibana_server to kibanaserver
kibana_server:
  reserved: true
  users:
  - "kibanaserver"

# Maps logstash to logstash
logstash_minimum_index_permissions:
  reserved: true
  users:
  - "logstash"

logstash:
  reserved: true
  users:
  - "logstash"

helm cluster additional config (opensearch.yml equivalent)

  cluster.name: "opensearch-cluster"
  network.host: "0.0.0.0"
  plugins.security.ssl_cert_reload_enabled: "true"
  plugins.security.allow_unsafe_democertificates: "false"
  plugins.security.allow_default_init_securityindex: "true"
  plugins.security.audit.type: "internal_opensearch"
  plugins.security.enable_snapshot_restore_privilege: "true"
  plugins.security.check_snapshot_restore_write_privileges: "true"
  plugins.security.restapi.roles_enabled: |
    ['all_access', 'security_rest_api_access']
  plugins.security.system_indices.enabled: "true"
  plugins.security.system_indices.indices: |
    [
      ".opendistro-alerting-config",
      ".opendistro-alerting-alert*",
      ".opendistro-anomaly-results*",
      ".opendistro-anomaly-detector*",
      ".opendistro-anomaly-checkpoints",
      ".opendistro-anomaly-detection-state",
      ".opendistro-reports-*",
      ".opendistro-notifications-*",
      ".opendistro-notebooks",
      ".opendistro-asynchronous-search-response*",
    ]
  plugins.security.ssl.transport.enabled: "true"
  plugins.security.ssl.transport.pemcert_filepath: "tls-transport/tls.crt"
  plugins.security.ssl.transport.pemkey_filepath: "tls-transport/tls.key"
  plugins.security.ssl.transport.pemtrustedcas_filepath: "tls-transport/ca.crt"
  plugins.security.ssl.transport.enforce_hostname_verification: "false"
  plugins.security.ssl.transport.truststore_filepath: "/usr/share/opensearch/config/truststore/cacerts.jks"
  plugins.security.ssl.http.enabled: "true"
  plugins.security.ssl.http.pemcert_filepath: "tls-http/tls.crt"
  plugins.security.ssl.http.pemkey_filepath: "tls-http/tls.key"
  plugins.security.ssl.http.pemtrustedcas_filepath: "tls-http/ca.crt"
  plugins.security.ssl.http.truststore_filepath: "/usr/share/opensearch/config/truststore/cacerts.jks"
  s3.client.default.endpoint: s3.endpoint
  s3.client.default.path_style_access: "true"
  s3.client.default.protocol: https
  s3.client.default.region: RegionOne

Relevant Logs or Screenshots:

[Screenshot not reproduced: Dashboard navigation menu with no Security page]

Hi @Ziggiyzoo,

Could you share the output of the following:

curl --insecure -u <username>:<password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/rolesmapping?pretty

or Dev Tools

GET /_plugins/_security/authinfo
GET /_plugins/_security/api/rolesmapping

Best,
mj

Hi @Mantas,

Sure thing!

GET _plugins/_security/authinfo

{
  "user": "User [Ziggiyzoo, backend_roles=[MyBackendRole_A, MyBackendRole_B], requestedTenant=]",
  "user_name": "Ziggiyzoo",
  "user_requested_tenant": "",
  "remote_address": "",
  "backend_roles": [
    "MyBackendRole_A",
    "MyBackendRole_B"
  ],
  "custom_attribute_names": [
    "attr.ldap.logonCount",
    "attr.ldap.lastLogon",
    "attr.ldap.badPwdCount",
    "attr.ldap.userAccountControl",
    "attr.ldap.msExchArchiveGUID",
    "attr.ldap.whenCreated",
    "attr.ldap.mS-DS-ConsistencyGuid",
    "ldap.original.username",
    "attr.ldap.msExchDumpsterQuota",
    "attr.ldap.physicalDeliveryOfficeName",
    "attr.ldap.lastLogoff",
    "attr.ldap.employeeType",
    "attr.ldap.sAMAccountName",
    "attr.ldap.-Group",
    "attr.ldap.msExchTextMessagingState",
    "attr.ldap.userPrincipalName",
    "attr.ldap.msDS-FailedInteractiveLogonCount",
    "attr.ldap.whenChanged",
    "attr.ldap.msDS-LastFailedInteractiveLogonTime",
    "attr.ldap.-PID",
    "attr.ldap.carLicense",
    "attr.ldap.extensionAttribute9",
    "attr.ldap.extensionAttribute7",
    "attr.ldap.extensionAttribute8",
    "attr.ldap.-Band",
    "attr.ldap.gidNumber",
    "attr.ldap.description",
    "attr.ldap.-DisabledStatus",
    "attr.ldap.gecos",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.division",
    "attr.ldap.extensionAttribute1",
    "attr.ldap.loginShell",
    "attr.ldap.extensionAttribute5",
    "attr.ldap.msExchUMDtmfMap",
    "attr.ldap.mail",
    "attr.ldap.msExchTransportRecipientSettingsFlags",
    "attr.ldap.extensionAttribute4",
    "attr.ldap.lastLogonTimestamp",
    "attr.ldap.primaryGroupID",
    "attr.ldap.unixHomeDirectory",
    "attr.ldap.msExchArchiveQuota",
    "attr.ldap.ipPhone",
    "attr.ldap.msExchMailboxGuid",
    "attr.ldap.proxyAddresses",
    "attr.ldap.objectGUID",
    "attr.ldap.company",
    "attr.ldap.extensionAttribute12",
    "attr.ldap.countryCode",
    "attr.ldap.extensionAttribute14",
    "attr.ldap.department",
    "attr.ldap.msExchRemoteRecipientType",
    "attr.ldap.instanceType",
    "attr.ldap.telephoneNumber",
    "attr.ldap.employeeID",
    "attr.ldap.msExchVersion",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "attr.ldap.msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
    "attr.ldap.msExchSafeSendersHash",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.personalTitle",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.msExchMobileMailboxFlags",
    "attr.ldap.initials",
    "attr.ldap.-BusinessUnit",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.-Site",
    "attr.ldap.uSNChanged",
    "attr.ldap.msExchRecipientTypeDetails",
    "attr.ldap.uidNumber",
    "attr.ldap.displayNamePrintable",
    "attr.ldap.pwdLastSet",
    "attr.ldap.msExchUserAccountControl",
    "attr.ldap.msExchArchiveStatus",
    "attr.ldap.msExchRecipientDisplayType",
    "attr.ldap.sn",
    "attr.ldap.msExchWhenMailboxCreated",
    "attr.ldap.msExchArchiveWarnQuota",
    "attr.ldap.msExchELCMailboxFlags",
    "attr.ldap.mailNickname",
    "attr.ldap.msExchDumpsterWarningQuota",
    "attr.ldap.msDS-LastSuccessfulInteractiveLogonTime",
    "attr.ldap.msExchHideFromAddressLists",
    "attr.ldap.-Status"
  ],
  "roles": [
    "own_index",
    "all_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin_tenant": true,
    "Ziggiyzoo": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

GET /_plugins/_security/api/rolesmapping

{
  "status": "FORBIDDEN",
  "message": "No permission to access REST API: User Ziggiyzoo with Security roles [own_index, all_access] does not have any role privileged for admin access. No client TLS certificate found in request"
}

I think in order to get the rolesmapping I need to set up the API TLS certificate? I was confused by this, so I had skipped it as a to-do for later :smiley:

What happens if you run:

GET /_plugins/_security/api/roles/all_access
and
curl --insecure -u <admin_username>:<admin_password> -XGET https://<OS_node>:9200/_plugins/_security/api/securityconfig?pretty

Best,
mj

The API Request also returns FORBIDDEN.

Perhaps I need to look into that first before continuing further. I feel like potentially some config is not being applied, as I thought I had set all_access to be allowed to use the security API…

Sorry for the wait @Mantas, I've not been well the past few days!

I’ve managed to get access to the security API working.

GET /_plugins/_security/api/roles/all_access returns:

{
  "all_access": {
    "reserved": true,
    "hidden": false,
    "description": "Allow full access to all indices and all cluster APIs",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "*"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "*"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": true
  }
}

GET _plugins/_security/api/rolesmapping?pretty returns:

{
  "logstash_minimum_index_permissions": {
    "hosts": [],
    "users": [
      "logstash"
    ],
    "reserved": true,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": []
  },
  "manage_snapshots": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "admin",
      "BackendRoles"
    ],
    "and_backend_roles": []
  },
  "logstash": {
    "hosts": [],
    "users": [
      "logstash"
    ],
    "reserved": true,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": []
  },
  "own_index": {
    "hosts": [],
    "users": [
      "*"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": [],
    "description": "Allows users to have an index in their own name"
  },
  "kibana_user": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "kibanauser"
    ],
    "and_backend_roles": []
  },
  "security_rest_api_access": {
    "hosts": [],
    "users": [],
    "reserved": true,
    "hidden": false,
    "backend_roles": [
      "admin",
      "BackendRoles"
    ],
    "and_backend_roles": []
  },
  "all_access": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "admin",
      "BackendRoles"
    ],
    "and_backend_roles": [],
    "description": "Maps admin to all_access"
  },
  "readall": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "readall",
      "BackendRoleA"
    ],
    "and_backend_roles": []
  },
  "kibana_server": {
    "hosts": [],
    "users": [
      "kibanaserver"
    ],
    "reserved": true,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": []
  }
}
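
The two queries mj asked for are meant to be compared against each other: what the mapping should grant versus what authinfo actually reports. The following is an added Python example, not code from the thread or from OpenSearch, that does that comparison offline. It embeds the roles_mapping.yml from the top of the thread (same entries, written in the dict shape the rolesmapping API returns) and the trimmed authinfo response, and applies the matching rules the Security plugin documents: an entry matches if the user name matches any `users` pattern, any backend role matches any `backend_roles` pattern, every `and_backend_roles` pattern is matched, or the client host matches `hosts`. One assumption: patterns are treated as shell-style globs only; the plugin also accepts `/regex/` patterns, which this helper does not handle.

```python
"""Recompute the Security roles a user should get from a rolesmapping
document and diff them against what /_plugins/_security/authinfo reports."""
import fnmatch
import json

# Constructed from the roles_mapping.yml posted in the thread (same entries,
# expressed in the JSON shape GET /_plugins/_security/api/rolesmapping returns).
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin", "MyBackendRole_B"]},
    "own_index": {"users": ["*"]},
    "kibana_user": {"backend_roles": ["kibanauser"]},
    "readall": {"backend_roles": ["readall"]},
    "manage_snapshots": {"backend_roles": ["snapshotrestore", "MyBackendRole_A"]},
    "kibana_server": {"users": ["kibanaserver"]},
    "logstash_minimum_index_permissions": {"users": ["logstash"]},
    "logstash": {"users": ["logstash"]},
}

# Trimmed from the authinfo response posted in the thread.
AUTHINFO = {
    "user_name": "Ziggiyzoo",
    "backend_roles": ["MyBackendRole_A", "MyBackendRole_B"],
    "roles": ["own_index", "all_access"],
}


def _matches(patterns, values):
    """True if any value matches any pattern.
    Assumption: only glob wildcards (*, ?) are handled; OpenSearch also
    accepts /regex/ patterns, which this simplified helper ignores."""
    return any(fnmatch.fnmatchcase(v, p) for p in patterns for v in values)


def expected_roles(mapping, user_name, backend_roles, host=None):
    """Roles a mapping grants: users (any), backend_roles (any),
    and_backend_roles (all), or hosts (any) may each match independently."""
    roles = set()
    for role, entry in mapping.items():
        if _matches(entry.get("users", []), [user_name]):
            roles.add(role)
        elif _matches(entry.get("backend_roles", []), backend_roles):
            roles.add(role)
        elif entry.get("and_backend_roles") and all(
            _matches([p], backend_roles) for p in entry["and_backend_roles"]
        ):
            roles.add(role)
        elif host is not None and _matches(entry.get("hosts", []), [host]):
            roles.add(role)
    return roles


def diff_roles(mapping, authinfo):
    """Compare what the mapping should grant with what authinfo shows.
    'missing' roles point at a mapping that was never applied to the cluster
    (or a backend role name that differs from the one the IdP sends);
    'unexpected' roles come from a mapping that is not in the file checked."""
    want = expected_roles(mapping, authinfo["user_name"], authinfo["backend_roles"])
    have = set(authinfo["roles"])
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


if __name__ == "__main__":
    # For the thread's data this reports manage_snapshots as missing.
    print(json.dumps(diff_roles(ROLES_MAPPING, AUTHINFO), indent=2))
```

Pointing `ROLES_MAPPING` at the live rolesmapping JSON instead of the on-disk file (for example by loading the API response with `json.load`) shows whether the file was actually applied; if the file and the live document disagree, that difference, not the user's backend roles, is what to fix.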

I hope you're all well now!

Are there any other outstanding issues?

Best,
mj

Yeah, a few!

With the snapshots, the permissions to be able to restore them seem to come and go from my user. I had them, and then I didn’t… but I had not made any changes!

And on a separate topic which I think I might need a new thread for, the OpenSearch Operator/Cluster Bootstrap pod does not install plugins for me…