Mapping new user to kibana_server

Hi,

I’m trying to map a new user to the built-in kibana_server role (instead of using the kibanaserver user). But the permissions don’t seem to be mapping. Is this not allowed? Can you please help check if I’m missing something?

internal_users.yml

dashboardserver:
  reserved: true
  hash: "xxx"
  description: "Login for Opensearch-Dashboards"

roles_mapping.yml

kibana_server:
  reserved: true
  users:
  - "dashboardserver"

Error in opensearch.log

[2021-08-04T03:42:39,669][INFO ][audit ] [my.internal.url] {"audit_cluster_name":"my-internal-url","audit_node_name":"my.internal.url","audit_trace_task_id":"yQO73t8nR6eCkXMXteibbA:267357","audit_transport_request_type":"GetIndexRequest","audit_category":"MISSING_PRIVILEGES","audit_request_origin":"REST","audit_node_id":"yQO73t8nR6eCkXMXteibbA","audit_request_layer":"TRANSPORT","@timestamp":"2021-08-04T10:42:39.668+00:00","audit_format_version":4,"audit_request_remote_address":"1.2.3.4","audit_request_privilege":"indices:admin/get","audit_node_host_address":"1.2.3.4","audit_request_effective_user":"dashboardserver","audit_trace_indices":[".kibana"],"audit_trace_resolved_indices":[".kibana_1"],"audit_node_host_name":"1.2.3.4"}

Appreciate your help.

Hello,

Can you please double-check if dashboardserver is indeed mapped to the kibana_server role?

GET _opendistro/_security/api/rolesmapping/kibana_server

@spapadop
Here’s the output. I think it looks ok?

{"kibana_server":{"hosts":[],"users":["dashboardserver"],"reserved":true,"hidden":false,"backend_roles":[],"and_backend_roles":[]}}

I’m using OpenSearch and Dashboards 1.0.0, btw, with the corresponding security plugins.

@spapadop just kindly following up, would you have some idea on what might be wrong or missing?

Apologies I can’t think of anything else. Maybe you still need to give permissions to all tenants for user dashboardserver.
@pablo or @Anthony may have some better ideas.

@silver_searcher
There seem to be some hardcoded permissions based on the username.

As a workaround, try mapping the dashboardserver user to an additional role with tenant permissions in roles.yml:

additional_role:
  tenant_permissions:
    - tenant_patterns:
      - "*"
      allowed_actions:
        - "kibana_all_read"

roles_mapping.yml:

additional_role:
  users:
    - "dashboardserver"
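To see why the workaround above helps, the following added example (not code from the thread or from the OpenSearch security plugin) resolves a user's roles from the rolesmapping API response shown earlier and reports which tenant-level actions those roles grant. The role definitions, the additional_role mapping and the tenant name are constructed sample data; only the kibana_server mapping copies the thread's output.

```python
import fnmatch
import json

# Constructed samples in the shape of GET _opendistro/_security/api/rolesmapping
# and .../api/roles responses. The kibana_server mapping is the one from the
# thread; the role bodies are illustrative, not the plugin's real built-ins.
ROLES_MAPPING = json.loads('''{
 "kibana_server": {"hosts": [], "users": ["dashboardserver"], "reserved": true,
                   "hidden": false, "backend_roles": [], "and_backend_roles": []},
 "additional_role": {"hosts": [], "users": ["dashboardserver"], "reserved": false,
                     "hidden": false, "backend_roles": [], "and_backend_roles": []}
}''')
ROLES = json.loads('''{
 "kibana_server": {"reserved": true, "cluster_permissions": ["cluster_monitor"],
                   "index_permissions": [], "tenant_permissions": []},
 "additional_role": {"reserved": false, "cluster_permissions": [],
                     "index_permissions": [],
                     "tenant_permissions": [{"tenant_patterns": ["*"],
                                             "allowed_actions": ["kibana_all_read"]}]}
}''')


def effective_roles(mapping, user, backend_roles=()):
    """Roles a user resolves to via users / backend_roles / and_backend_roles."""
    backend = set(backend_roles)
    roles = set()
    for role, m in mapping.items():
        if user in m.get("users", []):
            roles.add(role)
        elif backend & set(m.get("backend_roles", [])):  # any backend role matches
            roles.add(role)
        elif m.get("and_backend_roles") and set(m["and_backend_roles"]) <= backend:
            roles.add(role)  # all listed backend roles must be present
    return roles


def tenant_actions(roles_def, roles, tenant):
    """Tenant-level actions granted on `tenant` by the given roles (glob patterns)."""
    actions = set()
    for role in roles:
        for tp in roles_def.get(role, {}).get("tenant_permissions", []):
            if any(fnmatch.fnmatch(tenant, p) for p in tp.get("tenant_patterns", [])):
                actions.update(tp.get("allowed_actions", []))
    return actions


def check_dashboard_user(mapping, roles_def, user, tenant="example_tenant"):
    """Roles the user gets and whether any of them grants access to `tenant`."""
    roles = effective_roles(mapping, user)
    actions = tenant_actions(roles_def, roles, tenant)
    return {"roles": sorted(roles), "tenant_actions": sorted(actions),
            "has_tenant_access": bool(actions)}
```

Running the check with only the kibana_server mapping in place shows the user resolving to that single role with no tenant actions, which is the situation the workaround addresses.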