Copying built-in kibana_server role

Hello,

I’m trying to make a new user with similar privileges to the built-in kibanaserver (user)/kibana_server (role) so I can use that instead in opensearch_dashboards.yml. However, despite basically copying the privileges of that role (obtained via the REST API), OpenSearch is still saying that the new role has missing privileges. Is it that creating roles with access to the internal indices is not allowed, or am I missing something?

roles.yml:

dashboardserver:
  reserved: true
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"
  index_permissions:
  - index_patterns:
    - ".kibana"
    - ".opensearch_dashboards"
    - ".kibana-6"
    - ".opensearch_dashboards-6"
    - ".kibana_*"
    - ".opensearch_dashboards_*"
    - ".tasks"
    - ".management-beats*"
    - "*"
    allowed_actions:
      - "indices_all"

roles_mapping.yml:

dashboardserver:
  reserved: true
  backend_roles:
  - "dashboardserver"
  users:
  - "dashboardserver"

Error in opensearch.log:

[2021-08-02T01:41:56,601][INFO ][audit ] [my.internal.url] {"audit_cluster_name":"my-cluster","audit_node_name":"my.internal.url","audit_trace_task_id":"yQO73t8nR6eCkXMXteibbA:4452","audit_transport_request_type":"GetIndexRequest","audit_category":"MISSING_PRIVILEGES","audit_request_origin":"REST","audit_node_id":"yQO73t8nR6eCkXMXteibbA","audit_request_layer":"TRANSPORT","@timestamp":"2021-08-02T08:41:56.601+00:00","audit_format_version":4,"audit_request_remote_address":"1.2.3.4","audit_request_privilege":"indices:admin/get","audit_node_host_address":"1.2.3.4","audit_request_effective_user":"dashboardserver","audit_trace_indices":[".kibana"],"audit_trace_resolved_indices":[".kibana_1"],"audit_node_host_name":"1.2.3.4"}

No errors in applying securityadmin.sh.
Would appreciate your help.

@silver_searcher
Just to make sure I understand correctly: in kibana.yml under elasticsearch.username, instead of the kibanaserver user you want to put a new user with the same permissions?

In that case you will need to create that user in the internal_users.yml file, then set up the role, but you need to add read permissions for the tenant; see your example below:

dashboardserver:
  reserved: true
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_composite_ops"
    - "indices:admin/template*"
    - "indices:data/read/scroll*"
  index_permissions:
    - index_patterns:
      - ".kibana"
      - ".opensearch_dashboards"
      - ".kibana-6"
      - ".opensearch_dashboards-6"
      - ".kibana_*"
      - ".opensearch_dashboards_*"
      - ".tasks"
      - ".management-beats*"
      - "*"
      allowed_actions:
        - "indices_all"
  tenant_permissions:
    - tenant_patterns:
      - "*"
      allowed_actions:
        - "kibana_all_read"

Your roles_mapping.yml is sufficient; however, the backend_roles section is not needed as you are mapping the user directly.

Then update kibana.yml with the username and the created password.

This should work for you. If not, please confirm which version of ODFE/OpenSearch you are using, or what you are trying to achieve if I misunderstood.
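An added example, not from this thread or from OpenSearch itself, that turns the two things discussed above into code: condensing a MISSING_PRIVILEGES audit line like the one quoted into a triage record, and linting a copied dashboards role for the tenant grant that the corrected role adds. The role dicts are constructed from the thread's YAML snippets (as they would load), the audit line is trimmed to the fields used, and the function names are my own.

```python
import json
from fnmatch import fnmatch

# Constructed sample: the MISSING_PRIVILEGES audit line from the thread, reduced to the fields used here.
AUDIT_LINE = (
    '[2021-08-02T01:41:56,601][INFO ][audit ] [my.internal.url] '
    '{"audit_category":"MISSING_PRIVILEGES","audit_request_privilege":"indices:admin/get",'
    '"audit_request_effective_user":"dashboardserver","audit_trace_indices":[".kibana"],'
    '"audit_trace_resolved_indices":[".kibana_1"],"audit_request_layer":"TRANSPORT"}'
)

# Constructed role objects: the copy from the question (no tenant section) and the
# corrected version from the answer, as the roles.yml entries would load.
ROLE_COPY = {
    "cluster_permissions": ["cluster_monitor", "cluster_composite_ops",
                            "indices:admin/template*", "indices:data/read/scroll*"],
    "index_permissions": [{"index_patterns": [".kibana", ".opensearch_dashboards", ".kibana_*",
                                              ".opensearch_dashboards_*", ".tasks", "*"],
                           "allowed_actions": ["indices_all"]}],
}
ROLE_FIXED = dict(ROLE_COPY, tenant_permissions=[
    {"tenant_patterns": ["*"], "allowed_actions": ["kibana_all_read"]}])


def parse_audit_event(line):
    """Return the JSON payload of an OpenSearch audit log line (None if there is none)."""
    start = line.find("{")
    return json.loads(line[start:]) if start >= 0 else None


def missing_privilege_summary(line):
    """Condense a MISSING_PRIVILEGES event to (user, privilege, requested indices) for triage."""
    ev = parse_audit_event(line)
    if not ev or ev.get("audit_category") != "MISSING_PRIVILEGES":
        return None
    return (ev["audit_request_effective_user"], ev["audit_request_privilege"],
            tuple(ev.get("audit_trace_indices", [])))


def lint_dashboards_role(role):
    """Report what the thread found missing: a tenant grant of kibana_all_read on tenant_patterns '*',
    plus index grants that cover the .kibana / .opensearch_dashboards system indices."""
    findings = []
    tenants = role.get("tenant_permissions") or []
    if not any("*" in t.get("tenant_patterns", []) and "kibana_all_read" in t.get("allowed_actions", [])
               for t in tenants):
        findings.append("no tenant_permissions entry granting kibana_all_read on tenant_patterns '*'")
    patterns = [p for ip in role.get("index_permissions", []) for p in ip.get("index_patterns", [])]
    for needed in (".kibana", ".opensearch_dashboards"):
        if not any(fnmatch(needed, p) for p in patterns):
            findings.append(f"index_permissions do not cover {needed}")
    return findings
```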

@Anthony
Yes, that’s my intent. Adding the tenant permissions worked, thanks!

Can you please help me understand why, though? When I query the built-in kibana_server role via the REST API, this is what I get below. The tenant permissions are blank.

{
  "kibana_server": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for the Kibana server",
    "cluster_permissions": [
       (skipped...)
    ],
    "index_permissions": [
      {
         (skipped...)
      }
    ],
    "tenant_permissions": [],
    "static": true
  }
}

Why then, if we’re creating our own user with supposedly the same privileges, do we need to explicitly define a tenant permission ourselves? Is there some special handling for the built-in kibana_server role?

@silver_searcher I’ve seen this behaviour in the past across some of the built-in roles. My only guess (as you already mentioned) is that there is some special handling of those built-in roles, and new roles (although with the same permissions attached) need a little “help” to work correctly.

I see. Thanks a lot for your help!