Opensearch Security - Read only Role

Hello,

I am trying to set up OpenSearch to study the feasibility of implementing read-only access to a couple of dashboards. I followed the steps as given here, but I get an “Application Not Found” error.

Even some of the forum topics discuss that, but the file they refer to in GitHub does not exist.

Here is the snippet of what I tried.

  1. Logged in with admin/admin
  2. Created a sample dashboard with the Ecommerce Revenue dashboard
  3. Created a read-only role “osreader” with the below parameters/mapping
    cluster-permissions: all read permissions (indices:read, get, search* etc.) including cluster_composite_ops_ro
    index permissions: opensearch* (which is the default index for the ecommerce dashboard and available in the index patterns page)
  4. No tenant selected
  5. Mapped the role to the “osviewer” user, for which I have selected osreader as backend role, and added the osviewer user to other read-only roles (kibana_user, kibana_read_only, readall)
  6. I log in with the “osviewer” user
  7. Login is successful, gets only dashboard in the menu
  8. When I click dashboard, I get the “Application Not Found” error.
  9. When I view the roles and identities for the user from the UI, it lists the below
    Roles(5)
    osreader
    own_index
    kibana_user
    kibana_read_only
    readall

    Backend roles(1)
    osreader

Still I get the “Application Not Found” error. What is the process to get this corrected? What other permissions/roles am I missing here?

Is it possible for a read-only user to view a dashboard created by admin? Even if it displays, is there an option NOT to have the “Edit” button for the dashboard?

Using the latest OpenSearch version

Thanks
Guhan

Moving this to the security category.

@guhan
Do you have multitenancy enabled?
If so, in order to achieve what you are looking for, you would need to make sure that:

  1. dashboards are saved by admin in global tenant
  2. osreader role includes tenant read permission for global tenant.
  3. unmap the kibana_user from osviewer. osreader role is now enough.

The edit button will still appear (this is a limitation), but the user will not be able to save any changes.

N.B. If you see “Application Not Found” error, please post the url bar here.
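
The three steps above written as Security plugin configuration, as an added example that is not part of the original reply. It assumes the role is managed through `roles.yml` and `roles_mapping.yml`; the role, user and index pattern names come from the thread, and `global_tenant` with the built-in `kibana_all_read` action group is used for the tenant read permission.

```yaml
# roles.yml fragment (added example; osreader and opensearch* are the names used in the thread)
osreader:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "opensearch*"        # index pattern behind the sample dashboard
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"      # step 1: dashboards are saved by admin in the global tenant
      allowed_actions:
        - "kibana_all_read"    # step 2: read-only access to the tenant's saved objects

# roles_mapping.yml fragment
osreader:
  reserved: false
  users:
    - "osviewer"
# step 3: osviewer is not listed under the kibana_user mapping
```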

@Anthony ,
My responses below

  1. Have not enabled multi tenancy after installation. I can see the current tenant selected is global in Security → Tenants. When I click View Dashboard in global tenant I can see the sample dashboard
    I can see another tenant admin_tenant listed but not sure if it is created by default
  2. Is there a tenant read permission that I have to enable?
  3. ok sure

I get the below in the URL when hitting dashboard using the osviewer login
banner message = To visualize and explore data, you must create index pattern to retrieve data
osviewer is listed as private user when I click “roles and Identities”, should it be a global user? If yes, how?

UPDATE:
Interestingly, when I share the dashboard as snapshot / permalink, they can log in with the osviewer credential and view the dashboard and play around.

They were not able to save the changes if they do EDIT, which is fine.
But when they log out and log back in with osviewer and click dashboard → they get the Application Not Found error again.

@guhan if you see multiple tenants, it would indicate you have multitenancy enabled. Can you share your config.yml and kibana.yml? Can you also confirm which odfe/opensearch version you are using?

Hi Anthony,

Will check and let you know. Is there a command that I can run to check the version? I pulled it from our org repository.

@guhan you can “cat plugin-descriptor.properties” in /usr/share/elasticsearch/plugins/opendistro_security, assuming you are running opendistro.