Miky
December 29, 2023, 3:20am
1
Hello,
I logged in with my user and when I try to add sample data I get this
Unable to install sample data set: Sample eCommerce orders
Forbidden
In the logs I see this
[2023-12-29T04:04:45,148][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node1] Tenant global_tenant is not allowed to write (user: myuser)
I have these properties
# curl -u admin:admin -X GET 'https://opensearch.mydomain.org:9200/_opendistro/_security/api/internalusers/myuser?pretty=true'
{
  "myuser" : {
    "hash" : "",
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [
      "superuser"
    ],
    "attributes" : { },
    "description" : "MyUser",
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}
And
# curl -u admin:admin -X GET 'https://opensearch.mydomain.org:9200/_plugins/_security/api/roles/superuser?pretty=true'
{
  "superuser" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_all"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "*"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "*"
        ]
      }
    ],
    "static" : false
  }
}
Mantas
December 29, 2023, 12:57pm
2
Hi @Miky ,
Could you add "admin" as a back-end role and check if you get sufficient permission:
internal_users.yml
myuser:
  hash: ""
  reserved: false
  backend_roles:
  - "admin"
  - "superuser"
  description: "MyUser"
note: to apply changes - Applying changes to configuration files - OpenSearch documentation
best,
mj
Miky
December 29, 2023, 1:38pm
3
Hello Mantas,
I have added the admin role but it doesn’t solve the problem.
# curl -u admin:admin -X GET 'https://opensearch.mydomain.org:9200/_opendistro/_security/api/internalusers/myuser?pretty=true'
{
  "myuser" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [
      "superuser",
      "admin"
    ],
    "attributes" : { },
    "description" : "MyUser",
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}
In GUI I see the same
But I still get the Forbidden message
[2023-12-29T14:34:55,875][WARN ][o.o.s.c.PrivilegesInterceptorImpl] [node1] Tenant global_tenant is not allowed to write (user: myuser)
Mantas
December 29, 2023, 1:50pm
4
Could you please run the below and share the output:
curl --insecure -u myuser:<password> -XGET https://opensearch.mydomain.org:9200/_plugins/_security/authinfo?pretty
Thanks,
mj
Miky
December 29, 2023, 2:21pm
5
Hello again Mantas,
curl --insecure -u myuser:<password> -XGET https://opensearch.mydomain.org:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=myuser, backend_roles=[admin, superuser], requestedTenant=null]",
  "user_name" : "myuser",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:34797",
  "backend_roles" : [
    "admin",
    "superuser"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "superuser"
  ],
  "tenants" : {
    "myuser" : true,
    "global_tenant" : false
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}
Mantas
December 29, 2023, 2:27pm
6
Miky:
"global_tenant" : false
Hi @Miky ,
Could you share your opensearch_dashboards.yml, just wanna check the set-up in general and more specifically: opensearch_security.multitenancy.tenants.enable_global: ??? ?
thanks,
mj
Miky
December 29, 2023, 2:37pm
7
Thank you.
Right now my configuration is the following
# grep -v '#' /etc/opensearch-dashboards/opensearch_dashboards.yml | grep -v ^$
server.port: 5601
server.host: "0.0.0.0"
server.name: "your-hostname"
logging.dest: /var/log/opensearch-dashboards/opensearch-dashboards.log
logging.quiet: false
opensearch.hosts: [https://localhost:9200]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch.password: kibanaserver
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
Miky
December 30, 2023, 2:32am
8
Hello,
For some reason, when allowed actions is a star *, it doesn’t work. When it’s kibana_all_write it does work.
From /etc/opensearch/roles.yml
superuser:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster_all"
  index_permissions:
  - index_patterns:
    - '*'
    allowed_actions:
    - '*'
  tenant_permissions:
  - tenant_patterns:
    - 'global_tenant'
    allowed_actions:
    # - '*'
    - 'kibana_all_write'
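The check below is an added example, not part of the thread and not OpenSearch project code. It cross-references the roles API output with the authinfo output to point at the tenant grant that leaves a tenant read-only, as happened here with '*'. It assumes that kibana_all_read and kibana_all_write are the action groups that grant tenant access and that false in the authinfo "tenants" map means no write access; the function names and trimmed sample data are constructed for illustration.

```python
import fnmatch
import json

# Assumption: these two action groups are what grant tenant access;
# per the thread, "*" in tenant_permissions did not give write access.
TENANT_ACTION_GROUPS = {"kibana_all_read", "kibana_all_write"}

# Constructed samples, trimmed from the API outputs posted in the thread.
ROLES = json.loads("""
{"superuser": {"tenant_permissions": [
    {"tenant_patterns": ["global_tenant"], "allowed_actions": ["*"]}]}}
""")
AUTHINFO = json.loads("""
{"user_name": "myuser", "roles": ["own_index", "superuser"],
 "tenants": {"myuser": true, "global_tenant": false}}
""")

def ineffective_tenant_grants(roles):
    """Return (role, tenant_pattern, actions) for grants naming no tenant action group."""
    findings = []
    for name, role in roles.items():
        for perm in role.get("tenant_permissions", []):
            actions = perm.get("allowed_actions", [])
            if TENANT_ACTION_GROUPS.intersection(actions):
                continue  # grant uses a recognised tenant action group
            for pattern in perm.get("tenant_patterns", []):
                findings.append((name, pattern, tuple(actions)))
    return findings

def read_only_tenants(authinfo):
    """Tenants listed for the user with write access reported as false."""
    return sorted(t for t, w in authinfo.get("tenants", {}).items() if not w)

def diagnose(roles, authinfo):
    """Map each read-only tenant to the user's roles whose grant for it is ineffective."""
    mapped = set(authinfo.get("roles", []))
    grants = ineffective_tenant_grants(roles)
    return {
        tenant: [(r, a) for r, p, a in grants
                 if r in mapped and fnmatch.fnmatchcase(tenant, p)]
        for tenant in read_only_tenants(authinfo)
    }

if __name__ == "__main__":
    for tenant, causes in diagnose(ROLES, AUTHINFO).items():
        print(tenant, "is read-only; suspect grants:", causes)
```

Feed it the JSON from the roles endpoint and from _plugins/_security/authinfo for the affected user; an empty list for a read-only tenant means the cause lies elsewhere than an unrecognised allowed_actions value.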