Using predefined roles

DominikM · July 21, 2023, 12:18pm

Versions: 2.8.0

I’m trying to map the predefined role “reports_instances_read_access” but this role is not available at Opensearch Plugins > Security > Roles.
What do I have to configure to see all predefined roles and map them to users?

Eugene7 · July 21, 2023, 4:35pm

Hi @DominikM

I have just checked this role for OpenSearch 2.8.0. I can see the role “reports_instances_read_access” in OpenSearch Dashboards:

You can find it using the following path:
Menu button > Security > Roles

Eugene7 · July 21, 2023, 5:27pm

To map a user to the role, you can click on the role > Mapped users > Manage mapping > add users in the users field > click on the button Map.

DominikM · July 25, 2023, 10:35am

Thank you for your response @Eugene7

Unfortunately the role doesn’t exist in my system and I don’t know why.

Do you have any further ideas about the cause of this?

Eugene7 · July 25, 2023, 12:18pm

Hi @DominikM

Could you run the following command in the DevTools?

GET _plugins/_security/api/roles/reports_instances_read_access

DominikM · July 25, 2023, 2:04pm

The role definitly doesn’t exist

{
  "status": "NOT_FOUND",
  "message": "Resource 'reports_instances_read_access' not found."
}

Eugene7 · July 25, 2023, 4:57pm

The role can be deleted in the roles.yml file.

You can create this role again using OpenSearch Dashboards or add a new role to the roles.yml file.

If you decide to add the role to roles.yml, please read the following documentation in order to do a backup and apply changes:

You can find permissions for this role at the link below:

github.com

opensearch-project/security/blob/2.8.0.0/config/roles.yml

_meta:
  type: "roles"
  config_version: 2

# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
  reserved: true

# The security REST API access role is used to assign specific users access to change the security settings through the REST API.
security_rest_api_access:
  reserved: true

security_rest_api_full_access:
  reserved: true
  cluster_permissions:
    - 'restapi:admin/actiongroups'
    - 'restapi:admin/allowlist'
    - 'restapi:admin/internalusers'
    - 'restapi:admin/nodesdn'
    - 'restapi:admin/roles'

This file has been truncated. show original

DominikM · July 26, 2023, 7:36am

The content of my roles.yml is

---
_meta:
  type: "roles"
  config_version: 2

So if I understand correctly I override all default roles including reserved ones?

I also created a custom role to recreate the “reports_instances_read_access” with the permissions from your srceenshot above and mapped it to an internal user to test the role. Unfortunately the internal user was still not able to create a report. As admin user I’m able to create reports on demand

Eugene7 · July 26, 2023, 2:54pm

Hi @DominikM !

According to the description in this file, the reports_instances_read_access role allows users to read and download Reports.

Try to add the permission 'cluster:admin/opendistro/reports/definition/create'

DominikM · July 27, 2023, 6:02am

Doesn’t work at all

I added all available reports permission and mapped the role to my non admin account.
I can also confirm that the rolemapping was successful.
But if I want to create a report from a saved search I still get the error.

(Sorry for posting all screenshots in one image, but my Opensearch account is quite new and I’m only able to add one image per post)

So I’m facing two issues:

Can’t create a role that allows users to create reports
Predefined roles don’t exist in the system (I think I overwrite them with the roles.yml from the post above, which only includes the type and config_version field, but I’m not 100&% sure about that)

Eugene7 · July 28, 2023, 10:05am

Could you send the OpenSearch log for this error?

DominikM · August 2, 2023, 6:19am

In the logs I found that my user was missing the permission “indices:monitor/settings/get”.
I added this to my custom role at index level permission and tested it successful

Thank you a lot for your support.