Workspaces, Authorization and Resource Management

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.19

Describe the issue:

Hey!

We’re looking to provide a workspace experience for a variety of groups of users, but I’m struggling to understand how the permissions setup works.

Ideally, we’d like to keep our user setup as automated as possible, so we have backend roles being passed in by OpenID, which link each user to a collaborator group in a workspace.

The Documentation seems to imply users can be granted access to the objects within a workspace by setting the collaborator level, but users are unable to access the objects or indexes due to a lack of permissions.

To resolve these permissions we also need to create a role per workspace to provide access to the indexes so that the user can access the data in each workspace.

Is there any way to automatically provide a user with access to all objects/data within a workspace so we don’t have to manually create a new role with specific index access permissions for every new workspace?

See below for config - we’re using the ansible playbook to deploy.

Appreciate any assistance!

Configuration:

server.port: 5601
server.host: "{{ hostvars[inventory_hostname]['ip'] }}"
opensearch.hosts: ["{{ os_nodes_dashboards }}"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "{{ kibanaserver_password }}"
opensearch.requestHeadersWhitelist: [ "Authorization","securitytenant","x-forwarded-for","x-proxy-user","x-proxy-roles" ]


workspace.enabled: true
uiSettings:
  overrides:
    "home:useNewHomePage": true


opensearchDashboards.dashboardAdmin.groups: ["opensearch_admin", "all_access"]
savedObjects.permission.enabled: true
opensearch_security.multitenancy.enabled: false
#opensearch_security.multitenancy.tenants.preferred: ["InternalDev"] # This sets these at the top of the tenancy list - usually alphabetically sorted
#opensearch_security.multitenancy.tenants.enable_global: false
#opensearch_security.multitenancy.tenants.enable_private: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
# Use this setting if you are running dashboards without https
opensearch_security.cookie.secure: false


# OpenID settings
{% if auth_type == 'oidc' %}
opensearch_security.auth.type: openid
opensearch_security.openid.base_redirect_url: "{{ oidc.dashboards_url }}"
opensearch_security.openid.client_id: "{{ oidc.client_id }}"
opensearch_security.openid.scope: "{{ oidc.scopes }}"
opensearch_security.openid.client_secret: "{{ oidc.client_secret }}"
opensearch_security.openid.connect_url: "{{ oidc.connect_url }}"
opensearch_security.openid.verify_hostnames: true
{% elif auth_type == 'proxy' %}
# Proxy settings
opensearch_security.auth.type: "proxy"
opensearch_security.proxycache.user_header: "x-proxy-user"
opensearch_security.proxycache.roles_header: "x-proxy-roles"
{% endif %}

Relevant Logs or Screenshots:

Hi @xl-lewis,

If I understand your issue correctly, then yes, the users will need permission to read the docs in the indices (that the dashboards query).

You can group indices using wildcard “*”, if your indices follow a naming convention…

i.e.:

workspace_1_role:
  index_permissions:
    - index_patterns:
        - "workspace-1-*"  
      allowed_actions:
        - "read"
        - .
        - .

Or you can automate permissions using the Security plugin REST API:

Best,
mj

Hey MJ,

Thanks for the response!

That sounds like a clever way to handle it - I may have to workshop it a little though, as we’re trying to keep setup and maintenance to a minimum.

Maybe a script that creates the set of read/write/admin collaborator roles for each workspace, and then another script that maps indexes to both the workspace as an index pattern and to each role.

Ideally we’d love to delegate a user for each workspace that has the ability to administer their own workspace’s users and give them access to indexes contained therein, WITHOUT having to give that user access to cluster security.

Cheers,

Lewis

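As an added illustration of the approach sketched in the two posts above (not code from either poster or from the OpenSearch project): a small generator for the per-workspace read/write/admin roles and their backend-role mappings, using the Security plugin's `_plugins/_security/api/roles` and `rolesmapping` endpoints. It assumes MJ's `workspace-<name>-*` index naming convention and a hypothetical `ws-<name>-<tier>` backend-role convention coming from the IdP; it validates the workspace name so a stray `*` or empty string cannot widen the wildcard pattern, and the roles carry no security-plugin or cluster-admin rights.

```python
import json
import re
import urllib.request

# Tier -> built-in OpenSearch Security action groups (least privilege per tier).
TIERS = {
    "read":  {"index": ["read"],        "cluster": ["cluster_composite_ops_ro"]},
    "write": {"index": ["crud"],        "cluster": ["cluster_composite_ops"]},
    "admin": {"index": ["indices_all"], "cluster": ["cluster_composite_ops"]},
}
_SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")

def validate_workspace(name):
    # Reject anything that would widen "workspace-<name>-*" (e.g. "" or "*").
    if not _SAFE_NAME.match(name):
        raise ValueError(f"unsafe workspace name: {name!r}")
    return name

def role_body(workspace, tier):
    # Role scoped to this workspace's indices only (assumed naming convention).
    return {
        "cluster_permissions": TIERS[tier]["cluster"],
        "index_permissions": [{
            "index_patterns": [f"workspace-{validate_workspace(workspace)}-*"],
            "allowed_actions": TIERS[tier]["index"],
        }],
    }

def mapping_body(workspace, tier):
    # Backend role the IdP sends via OpenID (hypothetical "ws-<name>-<tier>").
    return {"backend_roles": [f"ws-{validate_workspace(workspace)}-{tier}"]}

def workspace_requests(workspace):
    # (method, path, body) for every role and mapping of one workspace.
    reqs = []
    for tier in TIERS:
        role = f"workspace_{validate_workspace(workspace)}_{tier}"
        reqs.append(("PUT", f"/_plugins/_security/api/roles/{role}", role_body(workspace, tier)))
        reqs.append(("PUT", f"/_plugins/_security/api/rolesmapping/{role}", mapping_body(workspace, tier)))
    return reqs

def apply_workspace(base_url, auth_header, workspace):
    # Pushes the requests to a live cluster; needs an admin credential.
    for method, path, body in workspace_requests(workspace):
        req = urllib.request.Request(base_url + path, data=json.dumps(body).encode(), method=method,
                                     headers={"Content-Type": "application/json", "Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            print(method, path, resp.status)

if __name__ == "__main__":
    for method, path, body in workspace_requests("1"):
        print(method, path, json.dumps(body))
```

Users still need whatever baseline Dashboards login role the setup already grants them (for example the predefined opensearch_dashboards_user role); this only adds the per-workspace index access.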

@xl-lewis, sounds good, let me know if you figure it out or if you get stuck and need fresh perspective, best of luck. mj