{{tag>elasticsearch kibana opensearch}}
====== Creating Opensearch Dashboards users ======
This user will only be able to view dashboards and visualizations and will have no other access. Make sure that you have set
<code yaml>
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
</code>
in ///usr/share/opensearch-dashboards/config/opensearch_dashboards.yml//.
There are three ways to do this.
===== UI =====
You can use the UI: create a new user and then assign roles to it under //Management > Security > Internal users//. If you are using Docker and the volume is deleted, this will obviously not persist.
===== Config files =====
Another way is to add the users directly in the config file ///usr/share/opensearch/config/opensearch-security/internal_users.yml//:
<code yaml>
readall:
  hash: "xxxxxxxxxxxxxxxxxxxxxxxxxee"
  reserved: false
  opendistro_security_roles:
    - "mbb_ro_role"
    - "kibana_read_only"
  description: "readall user, using custom role"
</code>
Create the role(s) (OpenSearch already provides //kibana_read_only// by default) in //roles.yml//:
<code yaml>
mbb_ro_role:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - ".kibana*"
        - "logstash-nginx-access-logs-*"
      allowed_actions:
        - "read"
        - "indices:admin/resolve/index"
        - "cluster:admin/opensearch/ql/datasources/read"
        - "indices:data/read/search"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "read"
        - "write"
</code>
Then we need to map the role to the user in //roles_mapping.yml//:
<code yaml>
mbb_ro_role:
  reserved: false
  users:
    - "readall"
</code>
If OpenSearch is already running when you add the above to the config files, you need to run securityadmin.sh (which will be deprecated in the next major release, see https://github.com/opensearch-project/security/issues/1755):
<code bash>
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
</code>
Note that //-nhnv// disables hostname verification of the node certificate and //-icl// ignores the cluster name; both are convenient locally but weaken the TLS check against the node you are talking to.
Take care when running this: any users created through the web UI will be destroyed (https://opensearch.org/docs/latest/security/configuration/security-admin/#a-word-of-caution), because the command replaces the security index with the contents of the config files. Make a backup first with
<code bash>
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -backup my-backup -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
</code>
then add the user to the //internal_users.yml// file.
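Because securityadmin.sh overwrites the whole security index, a typo in one of the three files (a user pointing at a role that does not exist, a mapping to an unknown user, or a "read-only" role that quietly carries a write action) is only noticed once someone cannot log in. The following is an added example, not part of the original page or of OpenSearch: a stdlib-only consistency check over the three files as already-parsed dicts (the page's own values are embedded; the allowlist of read-only actions and the //BUILTIN_ROLES// set are my assumptions and should be extended for your cluster).

```python
# Constructed from the internal_users.yml / roles.yml / roles_mapping.yml shown above.
PAGE_USERS = {"readall": {"hash": "xxxxxxxxxxxxxxxxxxxxxxxxxee", "reserved": False,
                          "opendistro_security_roles": ["mbb_ro_role", "kibana_read_only"]}}
PAGE_ROLES = {"mbb_ro_role": {
    "reserved": False,
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [{"index_patterns": [".kibana*", "logstash-nginx-access-logs-*"],
                           "allowed_actions": ["read", "indices:admin/resolve/index",
                                               "cluster:admin/opensearch/ql/datasources/read",
                                               "indices:data/read/search"]}],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"], "allowed_actions": ["read", "write"]}]}}
PAGE_MAPPINGS = {"mbb_ro_role": {"reserved": False, "users": ["readall"]}}

# Roles shipped by the security plugin that never appear in roles.yml (assumption: extend as needed).
BUILTIN_ROLES = {"kibana_read_only"}

# Allowlist for read-only roles: exact names, or prefixes when the entry ends with "/".
# An allowlist is deliberate; a denylist would miss newly introduced write actions.
READ_ONLY_OK = ("read", "cluster_composite_ops_ro", "indices:data/read/", "indices:admin/resolve/",
                "cluster:admin/opensearch/ql/datasources/read", "cluster:monitor/")

def is_read_only_action(action):
    return any(action == ok or (ok.endswith("/") and action.startswith(ok)) for ok in READ_ONLY_OK)

def audit(users, roles, mappings, readonly_roles):
    """Return a list of findings (empty list means the three files are consistent)."""
    findings = []
    known_roles = set(roles) | BUILTIN_ROLES
    for name, user in users.items():                       # users -> roles
        for role in user.get("opendistro_security_roles", []):
            if role not in known_roles:
                findings.append(f"user {name}: role {role} is not defined in roles.yml")
    for role, mapping in mappings.items():                 # mappings -> roles and users
        if role not in known_roles:
            findings.append(f"roles_mapping: role {role} is not defined in roles.yml")
        for name in mapping.get("users", []):
            if name not in users:
                findings.append(f"roles_mapping {role}: user {name} is not in internal_users.yml")
    for role in readonly_roles:                            # least privilege for read-only roles
        spec = roles.get(role, {})
        actions = list(spec.get("cluster_permissions", []))
        for perm in spec.get("index_permissions", []):
            if "*" in perm.get("index_patterns", []):
                findings.append(f"role {role}: index pattern '*' grants access to every index")
            actions += perm.get("allowed_actions", [])
        for action in actions:
            if not is_read_only_action(action):
                findings.append(f"role {role}: action {action} is not read-only")
    return findings
```

Run it against the three files before every securityadmin.sh push; an empty result for the page's own config means the user, role and mapping line up and the role only carries read actions.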
===== API =====
Create the role:
<code>
PUT _plugins/_security/api/roles/mbb_ro_role
{
  "cluster_permissions": ["cluster_composite_ops_ro"],
  "index_permissions": [
    {
      "index_patterns": [".kibana*", "logstash-nginx-access-logs-*"],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "indices:admin/resolve/index",
        "cluster:admin/opensearch/ql/datasources/read",
        "indices:data/read/search"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["global_tenant"],
      "allowed_actions": ["read", "write"]
    }
  ]
}
</code>
The index patterns have to include the Kibana indexes; the second pattern should be your index name (or data stream name(s)).
Now we create a user and map the roles (we also need to map the predefined //kibana_read_only// role to our user):
<code>
PUT _plugins/_security/api/internalusers/tstuser
{
  "password": "kirkpass123!",
  "opendistro_security_roles": ["mbb_ro_role", "kibana_read_only"]
}
</code>
====== Troubleshooting ======
You should tail the logs while logged in as the user to see what permissions are required.
Here is the request for the .kibana index (originalRequested=[.kibana]), so we need to add this permission:
<code>
opensearch-node2 | [2024-09-04T11:06:34,884][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node2] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/get]] [RolesChecked [mbb-ro-role, own_index]]
opensearch-dashboards | {"type":"log","@timestamp":"2024-09-04T09:06:34Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/get] and User [name=mbb-ro-user, backend_roles=[], requestedTenant=]"}
</code>
Request for logstash-nginx-access-logs-live* (originalRequested=[logstash-nginx-access-logs-live*]), so we add this as well:
<code>
opensearch-node1 | [2024-09-04T11:08:39,048][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[logstash-nginx-access-logs-live01-frontend-services-i18n, logstash-nginx-access-logs-live02-frontend-services-i18n], types=[*], originalRequested=[logstash-nginx-access-logs-live*], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [mbb-ro-role, own_index]]
</code>
====== Tested on ======
* Opensearch 2.15
====== See also ======
* [[wiki:opensearch_installation|Opensearch installation]]
====== References ======
* https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml
* https://opensearch.org/docs/2.15/security/access-control/api/#get-role-mapping