Setting index level permissions makes the kibana discover/dashboard/visualize pages blank

I have created a role and want to set up index level permissions for this role. I followed the opendistro documentation and when I test it with the user, the kibana discover/visualize/dashboard pages are completely blank. I don’t see any option to switch tenant too (I have just the global_tenant and the admin_tenant).

If for the same role I remove the index pattern, I see all the indices in the discover page and the visualize and dashboards page also shows up normally.

Following is the role I had created. If in the same role I change the value of index patterns from "logstash-*" to "*", it works as I mentioned above.

    {
      "index_permissions": [
        {
          "index_patterns": [
            "logstash-*"
          ],
          "dls": "",
          "fls": [],
          "masked_fields": [],
          "allowed_actions": [
            "read",
            "search"
          ]
        }
      ],
      "tenant_permissions": [
        {
          "tenant_patterns": [
            "*"
          ],
          "allowed_actions": [
            "kibana_all_write"
          ]
        },
        {
          "tenant_patterns": [
            "global_tenant"
          ],
          "allowed_actions": [
            "kibana_all_write"
          ]
        }
      ],
      "cluster_permissions": []
    }

Any help is greatly appreciated.

Thanks,
Aravind

The index level permissions work when I try to search using the dev tools panel in kibana, but the discover/visualize/dashboard pages are still showing blank

I used the following, but it sure feels like a violation of the Principle of Least Privilege:

    {
      "cluster_permissions": [
        "cluster_composite_ops"
      ],
      "index_permissions": [
        {
          "index_patterns": [
            "your-index-here"
          ],
          "dls": "",
          "fls": [],
          "masked_fields": [],
          "allowed_actions": [
            "read"
          ]
        },
        {
          "index_patterns": [
            ".kibana",
            ".kibana-6",
            ".kibana_*"
          ],
          "dls": "",
          "fls": [],
          "masked_fields": [],
          "allowed_actions": [
            "read",
            "delete",
            "manage",
            "index"
          ]
        }
      ]
    }

I’d appreciate more guidance too.

Todd

@aravindg Did you get this resolved? If not which version of odfe are you using?

Any update on this? I am having the same issue. I am setting index permission and everything goes blank. It does not make sense. @Anthony.

I have Open Search configured in AWS using SAML
@Opensource.exp

@spalacioh
In config.yml can you make sure do_not_fail_on_forbidden is set to true?

Also, can you provide the roles.yaml and output from the below command:

    curl --insecure -u{username}:{password} -XGET "https://localhost:9200/_opendistro/_security/authinfo?pretty"

I don’t know if it will solve all your problems, but you just include the .kibana index along with the others you want to limit and discovery and other menus will work.
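
An added example, not written by anyone in this thread and not Open Distro code: a small Python audit that runs the roles posted above through the explanation in the last reply (Kibana pages need read access to the .kibana index) and also flags the least-privilege concerns raised earlier. It assumes `fnmatch` is a fair stand-in for the plugin's `*` wildcard matching, compares only the literal action names shown in the thread, and uses constructed index names `.kibana` and `.kibana_1`.

```python
import fnmatch

# Constructed names for the Kibana saved-objects indices (assumption).
KIBANA_INDICES = [".kibana", ".kibana_1"]
# Write-type actions that the second role in the thread grants on .kibana*.
WRITE_ACTIONS = {"delete", "manage", "index"}

def actions_on(role, index):
    """Union of allowed_actions from every index_permissions entry matching index."""
    granted = set()
    for perm in role.get("index_permissions", []):
        # fnmatchcase approximates the plugin's '*' wildcard matching (assumption).
        if any(fnmatch.fnmatchcase(index, p) for p in perm.get("index_patterns", [])):
            granted.update(perm.get("allowed_actions", []))
    return granted

def audit_role(role, kibana_indices=KIBANA_INDICES):
    """Return a sorted list of findings for one role definition."""
    findings = set()
    for perm in role.get("index_permissions", []):
        if "*" in perm.get("index_patterns", []):
            findings.add("wildcard-all-indices")
    for index in kibana_indices:
        granted = actions_on(role, index)
        if "read" not in granted:
            findings.add("kibana-index-unreadable")   # blank pages, per the last reply
        elif granted & WRITE_ACTIONS:
            findings.add("kibana-index-writable")     # works, but broader than read
    return sorted(findings)

def make_role(patterns, actions, kibana_actions=None):
    """Build a role dict shaped like the ones in the thread (hypothetical helper)."""
    perms = [{"index_patterns": patterns, "allowed_actions": actions}]
    if kibana_actions:
        perms.append({"index_patterns": [".kibana", ".kibana-6", ".kibana_*"],
                      "allowed_actions": kibana_actions})
    return {"index_permissions": perms}

FIRST_ROLE = make_role(["logstash-*"], ["read", "search"])
STAR_ROLE = make_role(["*"], ["read", "search"])
SECOND_ROLE = make_role(["your-index-here"], ["read"],
                        ["read", "delete", "manage", "index"])

if __name__ == "__main__":
    for name, r in [("first", FIRST_ROLE), ("star", STAR_ROLE), ("second", SECOND_ROLE)]:
        print(name, audit_role(r))
```

The first role is flagged because nothing in it matches `.kibana`; the `*` variant passes only because it matches every index, including `.kibana`.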