I am trying to create a role that only has access to the monitors that are created by him.
I know that this is possible if we use:
PUT _cluster/settings
{
“transient”: {
“opendistro.alerting.filter_by_backend_roles”: “true”
}
}
However, if the users share Backend_roles we can´t prevent this from happening.
In order to work around this issue i tried to configure a role with a filter in “.opendistro-alerting-config” to prevent the user that inherits this role to have visibility from other roles that where use to create other Monitors.
The API request used was this:
PUT _opendistro/_security/api/roles/role-test-admin
{
“cluster_permissions”: [
“cluster_monitor”,
“cluster:admin/opendistro/alerting/"
],
“index_permissions”: [
{
“index_patterns”: [
"some_index”
],
“fls”: ,
“masked_fields”: ,
“allowed_actions”: [
“read”
]
},
{
“index_patterns”: [
“.opendistro-alerting-config”,
“some_index*”
],
“dls” : “”“{“bool”: { “must”: , “filter”: [ { “match_phrase”: { “monitor.user.roles”: “role-test-admin” } } ] }”“”,
“fls”: ,
“masked_fields”: ,
“allowed_actions”: [
“indices_monitor”,
“indices:admin/aliases/get”,
“indices:admin/mappings/get”
]
}
],
“tenant_permissions”: [
{
“tenant_patterns”: [
“some_tenent*”
],
“allowed_actions”: [
“kibana_all_write”
]
}
]
}
The problem here is that the “dls” is not working as it would for a regular indice.
Can someone help me regarding this issue.