Tenant access restriction

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v 2.18.0
opensearch-operator 2.7.0

Describe the issue:
I am trying to restrict user access to different tenants and index patterns.
I copied the roles configuration from a different OpenSearch installation (version 2.6.0) where everything works as expected.

My issue is that when I log in as a user from the opensearch_infra group, I can still see indices and other tenants. I want to disable this behavior.

Configuration:
In the roles.yml I have

opensearch_infra:
  cluster_permissions:
    - cluster_composite_ops
    - indices_monitor
  index_permissions:
    - allowed_actions:
        - data_access
      index_patterns:
        - 'infra-*'
  reserved: true
  tenant_permissions:
    - allowed_actions:
        - kibana_all_write
      tenant_patterns:
        - infra

In the opensearch.yaml I have:

  dashboards:
    additionalConfig:
      opensearch_security.multitenancy.enabled: "true"
      opensearch_security.multitenancy.tenants.enable_global: "false"
      opensearch_security.multitenancy.tenants.enable_private: "false"

In the roles_mapping.yml I have:

opensearch_infra:
  backend_roles:
    - opensearch_infra
    - kibanauser
  reserved: true

All of these configs are passed as a template (under data:) to the opensearch-securityconfig-secret.

I can see the role opensearch_infra in the OpenSearch Dashboard, and the permissions look good to me (screenshot attached).

Do I need to perform any additional configuration?

Relevant Logs or Screenshots:

Hi @Nikolai,

Do you mind sharing the output of the below, before we dive deeper:

curl -XGET "http://localhost:9200/_plugins/_security/api/roles/opensearch_infra"

Best,
mj

Thank you for your reply. However, I found an issue.

In my case, there were two errors in the configuration:

  1. I forgot to add the option
opensearch.requestHeadersAllowlist: "[ authorization,securitytenant ]"

Without this, tenants were not separated.

  2. I had incorrect LDAP parameters; with my previous parameters I was included in too many roles. I updated the parameters and it started working almost as expected:
resolve_nested_roles: true
rolebase: cn=groups,cn=accounts,dc=example,dc=team
rolename: cn
rolesearch: '(&(objectClass=groupOfNames)(member={0}))'

Only one small issue remains: In the “View roles and identities” section, under “Backend roles,” I see all user groups from LDAP.

Is there a way to limit them, maybe only to some pattern like opensearch-*?

The resolve_nested_roles parameter was also crucial because my LDAP groups include nested groups.
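As an added example (not configuration from the thread or from the opensearch-operator project), the pieces the thread converges on, assembled in one place: the Dashboards settings passed through the operator's dashboards.additionalConfig, the LDAP authorization backend in the security plugin's config.yml with the corrected role search, and the role mapping. The LDAP host, bind DN, userbase and password reference are placeholders; the narrowed rolesearch filter (cn=opensearch*) is one assumption about how to keep unrelated LDAP groups out of a user's backend roles, matching both the opensearch_infra group and any opensearch-* groups.

```yaml
# 1. OpenSearch Dashboards settings (spec.dashboards.additionalConfig in the
#    operator's OpenSearchCluster resource).
dashboards:
  additionalConfig:
    opensearch_security.multitenancy.enabled: "true"
    opensearch_security.multitenancy.tenants.enable_global: "false"
    opensearch_security.multitenancy.tenants.enable_private: "false"
    # Without 'securitytenant' in the allowlist, Dashboards does not forward the
    # tenant header to OpenSearch, so tenants are not separated.
    opensearch.requestHeadersAllowlist: "[ authorization,securitytenant ]"

---
# 2. Security plugin config.yml: LDAP authorization backend.
config:
  dynamic:
    authz:
      ldap:
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            hosts:
              - ldap.example.team:636                                        # placeholder
            bind_dn: 'uid=opensearch-bind,cn=users,cn=accounts,dc=example,dc=team'  # placeholder
            password: '<bind password from a Kubernetes secret>'            # placeholder
            userbase: 'cn=users,cn=accounts,dc=example,dc=team'              # placeholder
            usersearch: '(uid={0})'
            rolebase: 'cn=groups,cn=accounts,dc=example,dc=team'
            rolename: cn
            # Needed when the LDAP groups contain other groups.
            resolve_nested_roles: true
            # Assumption: adding (cn=opensearch*) to the search filter limits the
            # groups that become backend roles to those named opensearch*.
            rolesearch: '(&(objectClass=groupOfNames)(cn=opensearch*)(member={0}))'

---
# 3. roles_mapping.yml: the LDAP group becomes the backend role that grants
#    the opensearch_infra role from roles.yml.
opensearch_infra:
  backend_roles:
    - opensearch_infra
  reserved: true
```

With these three files in the securityconfig secret, a user in the opensearch_infra LDAP group should land in the infra tenant and see only infra-* indices; the curl call suggested earlier in the thread, plus GET _plugins/_security/api/account, shows which backend roles and tenants the plugin actually resolved for the logged-in user.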