Unrecognized Security Exceptions

Hi all,

I’m looking in my OpenSearch Dashboards logs and I keep seeing permission exceptions. They look like this:

{"type":"log","@timestamp":"2022-02-23T17:37:23Z","tags":["error","opensearch","data"],"pid":29794,"message":"[security_exception]: no permissions for [indices:data/read/get] and User [name=<redacted>, backend_roles=[<redacted>], requestedTenant=null]"}

As you can see from the above, it’s complaining that the user doesn’t have the permission indices:data/read/get. I’ve talked to the users and it seems to happen when they view some of the dashboards. However, I’m only seeing these errors in the logs, and the users themselves aren’t reporting problems when viewing the dashboards.

These users are in their own tenant. Here is their security role:

"ir_user" : {
    "reserved" : false,
    "hidden" : false,
    "cluster_permissions" : [
      "cluster_monitor"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "sirt-*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "indices:data/read/get"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "IR"
        ],
        "allowed_actions" : [
          "kibana_all_write"
        ]
      }
    ],
    "static" : false
}

As can be seen, the role has an index permission for sirt-*. The dashboards they are using typically involve the index pattern sirt-nw-meta-*, so I would think this should be ok, but I still get the errors. Is there a misconfiguration I have here?

One thing that is interesting to me is in the log entry seen above with the security exception, we see requestedTenant=null, although I would expect this to have the tenant name, which is “IR”.

Any help would be appreciated. Thanks!

@jecanne I would recommend additionally mapping users to the kibana_user role and checking if this makes this go away.

The logic behind this is that the kibana_user role was created to be mapped to any user using kibana/OpenSearch Dashboards. This gives various permissions needed to navigate kibana without granting read access to any particular index (aside from system indices - you can view the list in the security tab using an admin account). This provides users with access to the Global tenant, but again - no read privileges, so no data is visible unless permission is specifically granted.

If users are not mapped to kibana_user, this error will persist; however, it should have no impact on the users' experience.

Hey @Anthony, thanks so much for this advice, it looks like it did the trick. I guess I had assumed the permissions issue was against the indices the dashboard was built with, but I didn’t think it would have been the index where the object itself was stored (on a side note, it would be nice to include that in the logs for troubleshooting).

Thanks again for your prompt reply and assistance.
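
An added example, not part of the original thread and not OpenSearch project code: a Python sketch that parses Dashboards log lines in the format quoted in the question and lists the users who hit security exceptions without being mapped to kibana_user. The user names, backend roles and role mapping are constructed sample data, the mapping is assumed to have the roles_mapping shape (role name to users/backend_roles lists), and only exact matches are checked.

```python
import json
import re
from collections import defaultdict

# Message layout taken from the log entry quoted in the question.
DENIED = re.compile(
    r"\[security_exception\]: no permissions for \[(?P<action>[^\]]+)\] and "
    r"User \[name=(?P<name>.*?), backend_roles=\[(?P<roles>[^\]]*)\], "
    r"requestedTenant=(?P<tenant>[^\]]*)\]"
)

def parse_denials(lines):
    """Yield (user, backend_roles, action, tenant) per security_exception line."""
    for line in lines:
        try:
            msg = str(json.loads(line).get("message", ""))
        except (json.JSONDecodeError, AttributeError):
            continue  # startup banners and other non-JSON lines
        m = DENIED.search(msg)
        if m:
            roles = {r.strip() for r in m["roles"].split(",") if r.strip()}
            yield m["name"], roles, m["action"], m["tenant"]

def users_missing_role(lines, roles_mapping, role="kibana_user"):
    """Return {user: sorted denied actions} for users not mapped to `role`."""
    mapping = roles_mapping.get(role) or {}
    mapped_users = set(mapping.get("users", []))
    mapped_backend = set(mapping.get("backend_roles", []))
    missing = defaultdict(set)
    for user, roles, action, _tenant in parse_denials(lines):
        if user not in mapped_users and not (roles & mapped_backend):
            missing[user].add(action)
    return {user: sorted(actions) for user, actions in missing.items()}

# Constructed sample input: names, roles and mapping are illustrative only.
_P = '{"type":"log","tags":["error","opensearch","data"],"message":"[security_exception]: no permissions for '
SAMPLE_LOG = [
    _P + '[indices:data/read/get] and User [name=alice, backend_roles=[ir_analysts], requestedTenant=null]"}',
    _P + '[indices:data/read/get] and User [name=alice, backend_roles=[ir_analysts], requestedTenant=null]"}',
    _P + '[indices:data/read/get] and User [name=bob, backend_roles=[soc_staff, ir_analysts], requestedTenant=null]"}',
    _P + '[indices:data/read/search] and User [name=cn=carol,ou=ir, backend_roles=[], requestedTenant=null]"}',
    "Server running at http://0.0.0.0:5601",
]
SAMPLE_MAPPING = {
    "kibana_user": {"users": [], "backend_roles": ["soc_staff"]},
    "ir_user": {"users": [], "backend_roles": ["ir_analysts"]},
}

if __name__ == "__main__":
    for user, actions in users_missing_role(SAMPLE_LOG, SAMPLE_MAPPING).items():
        print(f"{user}: not mapped to kibana_user, denied {actions}")
```

Users reported by this check are candidates for the kibana_user mapping suggested in the reply; denials that continue after the mapping is in place point to a different missing permission.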