Kibana_all_read + savedObject export permission?

The goal is to have two tenant spaces, A: read only and B: read and write, and to use the workaround of having dashboards exported from A, then imported to B, as in the idea here

Tried roles settings

"tenant_permissions": [
        {
          "tenant_patterns": [ "A" ],
          "allowed_actions": [ "kibana_all_read" ]
        },
        {
          "tenant_patterns": [ "B" ],
          "allowed_actions": [ "kibana_all_read", "kibana_all_write" ]
        }
]

In tenant space A, I can see dashboards in the UI, but cannot access Stack Management → Saved Objects in the UI to do the export. Also, a toast message pops up saying “Read Only Since this tenant is read only, you will not be able to save any changes you make.” How do I configure permissions to achieve this?

Thanks!

@android.kc
Which version of odfe are you using?
I have just recreated the scenario using the configs below. I am able to log in as testuser1, access tenant1 (fails to make changes) and extract the visualisation, then access tenant2, import it and save changes. Hope this helps:

roles.yml:

testRole1:
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'unlimited'
  tenant_permissions:
    - tenant_patterns:
      - tenant1
      allowed_actions:
        - kibana_all_read
    - tenant_patterns:
      - tenant2
      allowed_actions:
        - kibana_all_write

tenants.yml

---
_meta:
  type: "tenants"
  config_version: 2

tenant1:
  reserved: false
  description: "read only"

tenant2:
  reserved: false
  description: "read and write"

My testuser1 is mapped to 2 roles as follows:
Screenshot 2021-05-17 at 15.14.36
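
An added example (not from the thread or the Open Distro project): a small Python check that computes a user's effective tenant access from role definitions like the one above and flags tenants where it exceeds the intended level. It assumes that permissions from all mapped roles add up, that `kibana_all_write` includes read access, and that tenant patterns use only `*` wildcards; `hypothetical_wide_role` and the sample data are constructed.

```python
from fnmatch import fnmatchcase

# Constructed input: the role from the reply above plus a hypothetical second
# role, written as the dict that roles.yml would parse to.
ROLES = {
    "testRole1": {"tenant_permissions": [
        {"tenant_patterns": ["tenant1"], "allowed_actions": ["kibana_all_read"]},
        {"tenant_patterns": ["tenant2"], "allowed_actions": ["kibana_all_write"]},
    ]},
    "hypothetical_wide_role": {"tenant_permissions": [
        {"tenant_patterns": ["tenant*"], "allowed_actions": ["kibana_all_write"]},
    ]},
}

# Assumption: write access subsumes read access.
LEVEL = {"kibana_all_read": 1, "kibana_all_write": 2}
ORDER = {"none": 0, "read": 1, "write": 2}
NAME = {v: k for k, v in ORDER.items()}


def effective_access(roles, user_roles, tenants):
    """Return {tenant: 'none'|'read'|'write'}, the union over the user's roles."""
    result = {}
    for tenant in tenants:
        best = 0
        for role in user_roles:
            for perm in roles.get(role, {}).get("tenant_permissions", []):
                # Simplification: only shell-style wildcards are matched here.
                if any(fnmatchcase(tenant, p) for p in perm["tenant_patterns"]):
                    for action in perm["allowed_actions"]:
                        best = max(best, LEVEL.get(action, 0))
        result[tenant] = NAME[best]
    return result


def violations(roles, user_roles, intended):
    """List tenants whose effective access is higher than the intended level."""
    eff = effective_access(roles, user_roles, intended)
    return sorted(t for t, want in intended.items() if ORDER[eff[t]] > ORDER[want])


if __name__ == "__main__":
    intended = {"tenant1": "read", "tenant2": "write"}
    print(effective_access(ROLES, ["testRole1"], intended))
    print(violations(ROLES, ["testRole1", "hypothetical_wide_role"], intended))
```

A second role with a broad tenant pattern is enough to turn the read-only tenant writable for the same user, which is the case the second call reports.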

Thanks @Anthony for your help!

I use odfe 1.9.0 and tried your configuration, but still could not get it to work.

//POST /_opendistro/_security/api/roles

[
  {
    "op": "add", "path": "/testRole",
    "value": {
      "index_permissions": [
        { "index_patterns": [ "*" ], "allowed_actions": [ "unlimited" ] }
      ],
      "tenant_permissions": [                
        { "tenant_patterns": [ "tenant1-read-only" ],
          "allowed_actions": [ "kibana_all_read"] 
        },
        { "tenant_patterns": [ "tenant2-read-write" ],
          "allowed_actions": [ "kibana_all_write" ] 
        }
      ]
    }
  }
]

//POST /_opendistro/_security/api/rolesmapping

[
  {
    "op": "add",
    "path": "/testRole",
    "value": {
      "backend_roles": [
        "testRole"
      ]
    }
  },
  {
    "op": "add",
    "path": "/kibana_user",
    "value": {
      "backend_roles": [
        "testRole"
      ]
    }
  }
]

//POST /_opendistro/_security/api/tenants

[
  {
    "op": "add",
    "path": "/tenant1-read-only",
    "value": {
      "description": "readonly"
    }
  },
  {
    "op": "add",
    "path": "/tenant2-read-write",
    "value": {
      "description": "read and write"
    }
  }
]

When clicking “Stack Management”, the browser first went to “http://localhost:8080/app/kibana#/management?_g=()” and then got redirected to “http://localhost:8080/app/kibana#/dashboards?_g=()”.

I use proxy authentication, but it shouldn’t matter as it’s authenticated. Any suggestions?

Thanks,
KC

@android.kc Just tested with your version and can confirm the same issue you are having; it certainly looks like a bug.

However, I checked and can see that it was fixed in the next version, 1.10.1. Is an upgrade a possibility for you?

Hi @Anthony, we might not upgrade to 1.10.1… Do you know which pull request on GitHub is related to the fix? I am thinking about whether it is possible to do a patch manually, or about other options too.

Thanks,
KC