This user will only see the dashboards and visualizations and will not have any other access. Make sure that you have set
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
in /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
You can do it 3 ways.
You can use UI and create new users then assign roles to this user in Management>Security>Internal users. If you are using Docker and the volume is deleted obviously this will not persist.
Another way is to add the users directly in config file /usr/share/opensearch/config/opensearch-security/internal_users.yml:
readall:
hash: "xxxxxxxxxxxxxxxxxxxxxxxxxee"
reserved: false
opendistro_security_roles:
- "mbb_ro_role"
- "kibana_read_only"
description: "readall user, using custom role"
Create the role(s) (opensearch already provides the kibana_read_only by default) in roles.yml:
mbb_ro_role:
reserved: false
cluster_permissions:
- "cluster_composite_ops_ro"
index_permissions:
- index_patterns:
- ".kibana*"
- "logstash-nginx-access-logs-*"
allowed_actions:
- "read"
- "indices:admin/resolve/index"
- "cluster:admin/opensearch/ql/datasources/read"
- "indices:data/read/search"
tenant_permissions:
- tenant_patterns:
- "global_tenant"
allowed_actions:
- "read"
- "write"
Then we need to map the role to user in roles_mapping.yml:
mbb_ro_role: reserved: false users: - "readall"
If the Opensearch is already running and you add the above in config files you need to run the securityadmin.sh (which will be deprecated in the next major release https://github.com/opensearch-project/security/issues/1755)
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
Take care when running this because any users created through web UI will be destroyed (https://opensearch.org/docs/latest/security/configuration/security-admin/#a-word-of-caution) as the command will apply changes from the config files. Make a backup first with
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -backup my-backup -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
then add the user to internal_users.yml file.
Create the role:
PUT _plugins/_security/api/roles/mbb_ro_role
{
"cluster_permissions": ["cluster_composite_ops_ro"],
"index_permissions": [
{
"index_patterns": [".kibana*", "logstash-nginx-access-logs-*"],
"dls": "",
"fls": [],
"masked_fields": [],
"allowed_actions": ["read",
"indices:admin/resolve/index",
"cluster:admin/opensearch/ql/datasources/read",
"indices:data/read/search"
]
}
],
"tenant_permissions": [
{
"tenant_patterns": ["global_tenant"],
"allowed_actions": ["read", "write"]
}
]
}
Index pattern has to contain kibana indexes, the second pattern should be your index name (or datastream name(s))
Now we create a user and map roles (we also need to map predefined kibana_read_only role to our user)
PUT _plugins/_security/api/internalusers/tstuser
{
"password": "kirkpass123!",
"opendistro_security_roles": [ "mbb_ro_role", "kibana_read_only"]
}
You should tail the logs while logged in as user to see what permissions are required.
Here the request for .kibana index (originalRequested=[.kibana]), so we need to add this permission
opensearch-node2 | [2024-09-04T11:06:34,884][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node2] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/get]] [RolesChecked [mbb-ro-role, own_index]]
opensearch-dashboards | {"type":"log","@timestamp":"2024-09-04T09:06:34Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/get] and User [name=mbb-ro-user, backend_roles=[], requestedTenant=]"}
Request for logstash-nginx-access-logs-live* (originalRequested=[logstash-nginx-access-logs-live*]), so we add this as well
opensearch-node1 | [2024-09-04T11:08:39,048][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[logstash-nginx-access-logs-live01-frontend-services-i18n, logstash-nginx-access-logs-live02-frontend-services-i18n], types=[*], originalRequested=[logstash-nginx-access-logs-live*], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [mbb-ro-role, own_index]]