Trying to restrict users so they only have dashboard access

I'm trying to restrict access for different users, so they only have dashboard access and are not able to access anything else. I've created the role using the following:

PUT _opendistro/_security/api/roles/dashboard_only_role
{
  "cluster_permissions": [
    "cluster_composite_ops_ro"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        ".kibana*",
        ".opensearch_dashboards*",
        "uat-*"
      ],
      "allowed_actions": [
        "read"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "read"
      ]
    }
  ],
  "kibana": [
    {
      "base": [],
      "feature": {
        "dashboard": ["read"],
        "visualize": ["none"],
        "discover": ["none"],
        "canvas": ["none"],
        "maps": ["none"],
        "management": ["none"],
        "advancedSettings": ["none"]
      },
      "spaces": ["*"]
    }
  ]
}

and then created the user, using:

PUT _opendistro/_security/api/internalusers/restrict_access
{
  "password": "the-password",
  "opendistro_security_roles": ["dashboard_only_role"]
}

but when logging in, this doesn't work and I can access the data via Discover.
I've also read that I may need to map the role, but when I use this:

PUT _opendistro/_security/api/rolesmapping/dashboard_only_user
{
  "backend_roles": ["dashboard_only_role"]
}

I get this error:

"message" : "Role 'dashboard_only_user' is not available for role-mapping."

Hoping someone has come across this before and can lead me in the right direction to sorting this, thanks.

Hi @nwuser,
could you run the following and share the output:


curl -XGET "http://localhost:9200/_plugins/_security/api/roles/dashboard_only_user"

and


curl -XGET "http://localhost:9200/_plugins/_security/api/rolesmapping"

best,
mj

Thanks for the response @Mantas.

I only have access through "Dev Tools", so my commands are slightly different from yours, but here is the output you asked for; I've just obfuscated some of the names used.

GET _opendistro/_security/api/roles/dashboard_only_role

{
  "dashboard_only_role" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_composite_ops_ro"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          ".kibana*",
          ".opensearch_dashboards*",
          "uat-*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_dashboard_only"
        ]
      }
    ],
    "static" : false
  }
}

GET _opendistro/_security/api/rolesmapping

{
  "internal_team_ro" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=ELK-internal-team RO,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "logstash" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "logstash"
    ],
    "and_backend_roles" : [ ]
  },
  "internal_team" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=internal-team,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "internal_team" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=internal-team,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "kibana_user" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=ELK-internal-team RO,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk",
      "CN=ELK-internal-team Admin,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "security_rest_api_access" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=internal-team,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk",
      "CN=internal-team,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk",
      "CN=ELK-internal-team Admin,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "all_access" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "and_backend_roles" : [ ],
    "description" : "Maps admin to all_access"
  },
  "internal_team_admin" : {
    "hosts" : [ ],
    "users" : [ ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "CN=ELK-internal-team Admin,OU=Groups,OU=company-abbrev,DC=internal-team,DC=co,DC=uk"
    ],
    "and_backend_roles" : [ ]
  },
  "kibana_server_additional" : {
    "hosts" : [ ],
    "users" : [
      "kibana"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  },
  "kibana_server" : {
    "hosts" : [ ],
    "users" : [
      "kibana"
    ],
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}

@nwuser, the role is named `dashboard_only_role`, and it seems that you are trying to map `dashboard_only_user`?

best,
mj

My bad @Mantas.

I've rectified this and added the role to the role mapping now:

{
  "dashboard_only_role" : {
    "hosts" : [ ],
    "users" : [
      "restrict_access"
    ],
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "and_backend_roles" : [ ]
  }
}

However, when I log in, it is still not restricting access and this user can still access the data via "Discover".

Thanks.

@nwuser, that is correct: you control the index-level permission (needed for dashboards), and once the permissions are granted the user will be able to access it (dashboards, Discover, Dev Tools, curl, ...).

best,
mj
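The thread's outcome is that the security plugin enforces permissions on indices, not on Dashboards features: the `kibana` block in the first PUT is absent from the later GET, and a `read` grant on `uat-*` is exactly what Discover needs. The following is an added offline checker, not code from the thread or from the OpenSearch project. It re-implements a small subset of the plugin's behaviour (the accepted top-level role keys, the mapping-name check behind the "not available for role-mapping" error, wildcard matching of index patterns and action names) so a defender can see what a role document really grants before deploying it. The role and mapping documents are constructed to mirror the ones in the thread; the list of accepted role keys and the concrete action patterns behind the `read` action group are assumptions for this demonstration.

```python
"""Offline checker for OpenSearch Security role definitions and role mappings.

Added example, not code from the forum thread or from the OpenSearch project.
It mimics a small subset of the security plugin's evaluation so the effect of
a role can be inspected without a cluster.
"""
import fnmatch

# Top-level keys the roles API accepts (assumption based on the documented role
# schema). Anything else, such as a Kibana-style "kibana" feature block, is
# dropped rather than enforced; the thread's GET output shows exactly that.
KNOWN_ROLE_KEYS = {"cluster_permissions", "index_permissions",
                   "tenant_permissions", "description"}

# Minimal expansion of action groups to concrete action names. "read" is a
# built-in action group; the patterns listed here are assumptions for the demo.
ACTION_GROUPS = {
    "read": ["indices:data/read/*",
             "indices:admin/mappings/fields/get*",
             "indices:admin/resolve/index"],
}

# Constructed role mirroring the thread's dashboard_only_role PUT body.
DASHBOARD_ONLY_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [{
        "index_patterns": [".kibana*", ".opensearch_dashboards*", "uat-*"],
        "allowed_actions": ["read"],
    }],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"],
                            "allowed_actions": ["read"]}],
    # Added by the poster in the hope of a UI restriction; not part of the
    # role schema, so it has no effect.
    "kibana": [{"feature": {"dashboard": ["read"], "discover": ["none"]}}],
}

ROLES = {"dashboard_only_role": DASHBOARD_ONLY_ROLE}

# Constructed mapping: internal user restrict_access -> dashboard_only_role.
ROLE_MAPPINGS = {
    "dashboard_only_role": {"users": ["restrict_access"], "backend_roles": []},
}


def unknown_role_keys(role):
    """Keys the plugin will ignore; a non-empty result means the author
    expected behaviour the role cannot deliver."""
    return sorted(set(role) - KNOWN_ROLE_KEYS)


def mapping_errors(mappings, roles):
    """Mapping names that do not refer to an existing role (the API rejects
    these with 'is not available for role-mapping')."""
    return [name for name in mappings if name not in roles]


def expand_actions(allowed):
    """Replace action-group names with their concrete action patterns."""
    out = []
    for action in allowed:
        out.extend(ACTION_GROUPS.get(action, [action]))
    return out


def roles_for_user(user, backend_roles, mappings):
    """Roles reached through a direct user entry or a backend-role entry."""
    matched = []
    for role_name, mapping in mappings.items():
        if user in mapping.get("users", []) or any(
                b in mapping.get("backend_roles", []) for b in backend_roles):
            matched.append(role_name)
    return matched


def is_allowed(user, backend_roles, index, action, roles, mappings):
    """True if any mapped role grants `action` on `index`. Index patterns and
    action names use shell-style wildcards, as the plugin does."""
    for role_name in roles_for_user(user, backend_roles, mappings):
        for perm in roles[role_name].get("index_permissions", []):
            if not any(fnmatch.fnmatchcase(index, p) for p in perm["index_patterns"]):
                continue
            patterns = expand_actions(perm["allowed_actions"])
            if any(fnmatch.fnmatchcase(action, a) for a in patterns):
                return True
    return False


if __name__ == "__main__":
    print("ignored role keys:", unknown_role_keys(DASHBOARD_ONLY_ROLE))
    print("bad mapping names:", mapping_errors({"dashboard_only_user": {}}, ROLES))
    # A Discover query is a search on the data index, i.e. a read action,
    # so the same grant that feeds the dashboard also feeds Discover.
    search = "indices:data/read/search"
    print("restrict_access can search uat-logs:",
          is_allowed("restrict_access", [], "uat-logs", search, ROLES, ROLE_MAPPINGS))
    print("restrict_access can write uat-logs:",
          is_allowed("restrict_access", [], "uat-logs", "indices:data/write/index", ROLES, ROLE_MAPPINGS))
    print("restrict_access can search prod-logs:",
          is_allowed("restrict_access", [], "prod-logs", search, ROLES, ROLE_MAPPINGS))
```

Running it reports `kibana` as an ignored key, flags `dashboard_only_user` as a mapping that names no role, and shows that `restrict_access` can search `uat-logs` but not write to it or read `prod-logs`. The practical consequence matches mj's answer: if a user must not see certain data in Discover, the index patterns in their roles must not cover that data, because no role setting hides a feature from a user who already holds read on the index.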