User with several roles

Hi guys,
I have user that mapped several roles:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }"
% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }"
% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq '.[].index_permissions[].dls'
"{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }"

The issue is k that user, even using the ELK_DMB tenant, is unable to see the logs from mentioned hosts. Instead, he sees the logs from the other tenant.

Could you please help to solve this issue?

@rlevitsky Could you share the config of these roles?

The tenancy doesn’t control index access but OpenSearch Dashboard objects (i.e. visualisations, dashboards). Index access is controlled by the role.

Thank you for your reply @pablo , here they are:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.'

{
  "ELK_rVision_INT_DB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkrvisionintdb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_rVision_INT_DB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq .

{
  "ELK_EPCF_PROD": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkepcfprod*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_EPCF_PROD"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq .

{
  "ELK_DMB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkdmb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_DMB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

Users are able to see cv196 logs only.

@rlevitsky Just to confirm. Are these roles assigned to a single user?

Is there a chance that you could share a single document for each cv248.co.com, cv196.co.com, cv244.co.com. If not, then maybe index mappings.