Error fetching fields for index pattern metricbeat-*

I’m using ODFE via debian packages.

  • opendistro-security/2021.1,now amd64 [installed,automatic]
  • opendistroforelasticsearch-kibana/2021.1,now 1.7.0 amd64 [installed,automatic]
  • elasticsearch-oss/2021.1,now 7.6.1 amd64 [installed,automatic]

I have a readonly user that I want to be able to see the metricbeat visualizations.
The metricbeat system dashboard installed by metricbeat does display all the visualizations to my readonly user.

Probably Kibana is trying to write (according to the elasticsearch log message – see below, but not according to the displayed error message in the Kibana dashboard which claims there are fetch/read problems).

Randomly at the end of putting up the visualizations on the dashboard, there will be a spurious error message. That error message and error in the elasticsearch log file don’t occur when I’m logged in as the admin user.

At the time of the problem, I get a message in the elasticsearch log stating that

`[2020-10-23T12:06:29,000][WARN ][c.a.o.s.c.PrivilegesInterceptorImpl] [] Tenant global_tenant is not allowed to write (user: xxxx)`

At the same time in the Kibana GUI, I get this:

and if I click on “See the full error”, I get this:

I have tried various ways to make the problem go away by editing the security role associated with this user in my roles.yml (I tried both “*” and “global_tenant” for the tenant_patterns):

  reserved: true
  hidden: false
  cluster_permissions:
    - cluster_composite_ops_ro
    - cluster_monitor
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - read
        - search
        - cluster_monitor
        - indices_monitor
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - kibana_all_read

I have attempted to simplify tenancy issues by disabling multi-tenancy.
Here is the relevant snippet from my kibana.yml:

opendistro_security.multitenancy.enabled: false
opendistro_security.readonly_mode.roles: ["kibana_read_only", "read_only_index"]

It may be that I need to wait for ODFE to merge in the fix from