Using predefined roles

Versions: 2.8.0

I’m trying to map the predefined role “reports_instances_read_access” but this role is not available at Opensearch Plugins > Security > Roles.
What do I have to configure to see all predefined roles and map them to users?

Hi @DominikM

I have just checked this role for OpenSearch 2.8.0. I can see the role “reports_instances_read_access” in OpenSearch Dashboards:

You can find it using the following path:
Menu button > Security > Roles

To map a user to the role, you can click on the role > Mapped users > Manage mapping > add users in the users field > click on the button Map.

Thank you for your response @Eugene7

Unfortunately the role doesn’t exist in my system and I don’t know why.

Do you have any further ideas about the cause of this?

Hi @DominikM

Could you run the following command in the DevTools?

GET _plugins/_security/api/roles/reports_instances_read_access

The role definitly doesn’t exist :confused:

  "status": "NOT_FOUND",
  "message": "Resource 'reports_instances_read_access' not found."

The role can be deleted in the roles.yml file.

You can create this role again using OpenSearch Dashboards or add a new role to the roles.yml file.

If you decide to add the role to roles.yml, please read the following documentation in order to do a backup and apply changes:

You can find permissions for this role at the link below:

The content of my roles.yml is

  type: "roles"
  config_version: 2

So if I understand correctly I override all default roles including reserved ones?

I also created a custom role to recreate the “reports_instances_read_access” with the permissions from your srceenshot above and mapped it to an internal user to test the role. Unfortunately the internal user was still not able to create a report. As admin user I’m able to create reports on demand :confused:

Hi @DominikM !

According to the description in this file, the reports_instances_read_access role allows users to read and download Reports.

Try to add the permission 'cluster:admin/opendistro/reports/definition/create'

Doesn’t work at all :frowning:

I added all available reports permission and mapped the role to my non admin account.
I can also confirm that the rolemapping was successful.
But if I want to create a report from a saved search I still get the error.

(Sorry for posting all screenshots in one image, but my Opensearch account is quite new and I’m only able to add one image per post)

So I’m facing two issues:

  • Can’t create a role that allows users to create reports
  • Predefined roles don’t exist in the system (I think I overwrite them with the roles.yml from the post above, which only includes the type and config_version field, but I’m not 100&% sure about that)

Could you send the OpenSearch log for this error?

In the logs I found that my user was missing the permission “indices:monitor/settings/get”.
I added this to my custom role at index level permission and tested it successful :slight_smile:

Thank you a lot for your support.