Where is admin_tenant configured to admin role?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.18

Describe the issue:
In the default security config folder, tenants.yml has a demo ‘admin_tenant’ defined. I can see this tenant when logging in with the admin role and I don’t see it when logging in with a non-admin role.

How does that work? Where is the ‘admin’ role mapped to the ‘admin_tenant’ in the configuration?

Configuration:

Stock configuration from github repo security.

Relevant Logs or Screenshots:

@dmossakowski The admin user has the all_access role assigned and can access all OpenSearch Dashboards’ objects. That’s why you can see admin_tenant and all other tenants when logged in as admin.

Thank you for your answer. I was struggling to understand the interplay of roles, role mappings and backend roles, mainly because the names used in the configuration are not consistent, but I think it finally clicked. For others stumbling on this post, here are the things that finally made me see this clearly.

The tricky part is the roles_mapping.yml file. The first thing to get is that the name of the mapping must be the name of a role being mapped. If you specify a name that doesn’t exist, it will not do anything. There is no error, but the entry will simply be ignored. This isn’t clear from the examples, as some roles are built-in and don’t exist in the roles.yml file, so it seems that the names are made up (see ‘kibanauser’ and ‘kibana_user’). In fact, “kibana_user” is a role, not a user. But “kibanaserver” is a user. What is “kibanauser”, you ask? Well, this is a backend role, which means this is what you would set in your IDP as a role for your users. The “kibana_user” mapping then would specify that users authenticating through the IDP with role “kibanauser” would be given “kibana_user” role permissions. This mapping then would be “kibana_user” mapping to backend_roles “kibanauser”. Clear? Yeah, I didn’t think so…

Ok so to review:
Users: kibanaserver, kibanaro, admin, readall
Roles: kibana_user, kibana_read_only, kibana_server, all_access, readall
Roles assigned to users in IDP: kibanauser, admin, readall

These names are all found in the configuration files. Now here are a few examples of possible mappings:

  • Map all users logging in from the IDP with an @yourcompany.com email, and also users assigned the IDP role ‘readall’, to the kibana_read_only OpenSearch role.
kibana_read_only:
  users:
  - "*@yourcompany.com"
  backend_roles:
  - "readall"
  • Map users coming from the IDP with the kibanauser role assigned to have kibana_user OpenSearch role permissions.
kibana_user:
  backend_roles:
  - "kibanauser"
  • Assign the all_access role, which gives unlimited access to everything, to all davids. Note that this also removes the default behavior of giving all access to users with role ‘admin’ coming from the IDP (this is commented out in this mapping).
all_access:
  users:
  - "david*"
  #backend_roles:
  #- "admin"

  • The following mapping will be completely ignored as there is no ‘admin’ role. You will see the ‘admin’ role in the UI on OpenSearch Dashboards, but you will not see the admin menu (security etc.) because the admin role simply does not exist, so this is meaningless until you actually create an admin role explicitly.
admin:
  backend_roles:
  - "admin"

Hopefully this is helpful.

1 Like
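The behaviour described in the post above (a mapping applies by username pattern or by backend role, and a mapping whose name is not a defined role is silently ignored) can be checked offline before a config is pushed. The following is an added Python example, not code from the forum post or from the OpenSearch project: it parses the small YAML subset that roles_mapping.yml uses with a minimal hand-written parser (so it needs no PyYAML), flags mapping names that match no defined role, and resolves which roles a given user would receive. The embedded roles_mapping.yml text and the DEFINED_ROLES set are constructed from the names in the post; the function names are this example's own.

```python
"""Lint and resolve an OpenSearch-style roles_mapping.yml (added example).

The parser handles only the subset used by these files: top-level mapping
names, 'users' / 'backend_roles' lists and '#' comments. A '#' inside a
quoted value is not supported by this toy parser.
"""
import fnmatch

# Constructed roles_mapping.yml in the shape discussed in the post.
ROLES_MAPPING_YML = """\
kibana_read_only:
  users:
  - "*@yourcompany.com"
  backend_roles:
  - "readall"
kibana_user:
  backend_roles:
  - "kibanauser"
all_access:
  users:
  - "david*"
  #backend_roles:
  #- "admin"
admin:
  backend_roles:
  - "admin"
"""

# Roles that actually exist: roles.yml entries plus the built-in ones the
# post lists. Constructed for this example; 'admin' is deliberately absent.
DEFINED_ROLES = {"kibana_user", "kibana_read_only", "kibana_server",
                 "all_access", "readall"}


def parse_roles_mapping(text):
    """Parse the roles_mapping.yml subset into
    {mapping_name: {"users": [...], "backend_roles": [...]}}."""
    mappings, current, current_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; commented-out lines vanish
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0 and stripped.endswith(":"):
            current = stripped[:-1]
            mappings[current] = {"users": [], "backend_roles": []}
            current_key = None
        elif stripped.startswith("- "):
            if current is None or current_key is None:
                raise ValueError(f"list item outside a key: {raw!r}")
            mappings[current][current_key].append(stripped[2:].strip().strip("\"'"))
        elif stripped.endswith(":"):
            if current is None:
                raise ValueError(f"key outside a mapping: {raw!r}")
            current_key = stripped[:-1]
            mappings[current].setdefault(current_key, [])
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return mappings


def ignored_mappings(mappings, defined_roles):
    """Mapping names that match no defined role. The post's observation is
    that the security plugin ignores these without any error."""
    return sorted(name for name in mappings if name not in defined_roles)


def resolve_roles(mappings, defined_roles, username, backend_roles):
    """Roles a user receives: a mapping applies if the username matches one
    of its 'users' patterns or the user carries one of its 'backend_roles',
    and only when the mapping name is a real role."""
    granted = set()
    for role, spec in mappings.items():
        if role not in defined_roles:
            continue  # silently ignored, as the post describes
        by_user = any(fnmatch.fnmatchcase(username, p) for p in spec.get("users", []))
        by_backend = bool(set(spec.get("backend_roles", [])) & set(backend_roles))
        if by_user or by_backend:
            granted.add(role)
    return granted


if __name__ == "__main__":
    m = parse_roles_mapping(ROLES_MAPPING_YML)
    print("ignored mappings:", ignored_mappings(m, DEFINED_ROLES))
    for user, backend in [("alice@yourcompany.com", []), ("bob", ["admin"]),
                          ("david.smith", ["kibanauser"]), ("carol", ["readall"])]:
        print(user, backend, "->", sorted(resolve_roles(m, DEFINED_ROLES, user, backend)))
```

Running it shows the two traps the post describes: the user "bob" carrying the IDP role "admin" ends up with no roles at all, because the "admin" mapping names a role that does not exist and the all_access backend_roles entry is commented out; a lint step that fails on a non-empty ignored_mappings result catches the first problem before it reaches a cluster.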