Table of Contents
Creating Opensearch Dashboards users
This user will only see the dashboards and visualizations and will not have any other access. Make sure that you have set
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
in /usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
You can do it 3 ways.
UI
You can use UI and create new users then assign roles to this user in Management>Security>Internal users. If you are using Docker and the volume is deleted obviously this will not persist.
Config files
Another way is to add the users directly in config file /usr/share/opensearch/config/opensearch-security/internal_users.yml:
readall: hash: "xxxxxxxxxxxxxxxxxxxxxxxxxee" reserved: false opendistro_security_roles: - "mbb_ro_role" - "kibana_read_only" description: "readall user, using custom role"
Create the role(s) (opensearch already provides the kibana_read_only by default) in roles.yml:
mbb_ro_role: reserved: false cluster_permissions: - "cluster_composite_ops_ro" index_permissions: - index_patterns: - ".kibana*" - "logstash-nginx-access-logs-*" allowed_actions: - "read" - "indices:admin/resolve/index" - "cluster:admin/opensearch/ql/datasources/read" - "indices:data/read/search" tenant_permissions: - tenant_patterns: - "global_tenant" allowed_actions: - "read" - "write"
Then we need to map the role to user in roles_mapping.yml:
mbb_ro_role: reserved: false users: - "readall"
If the Opensearch is already running and you add the above in config files you need to run the securityadmin.sh (which will be deprecated in the next major release https://github.com/opensearch-project/security/issues/1755)
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -cd ../../../config/opensearch-security/ -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
Take care when running this because any users created through web UI will be destroyed (https://opensearch.org/docs/latest/security/configuration/security-admin/#a-word-of-caution) as the command will apply changes from the config files. Make a backup first with
cd /usr/share/opensearch/plugins/opensearch-security/tools/ && ./securityadmin.sh -backup my-backup -icl -nhnv -cacert ../../../config/root-ca.crt -cert ../../../config/admin.pem -key ../../../config/admin-key.pem
then add the user to internal_users.yml file.
API
Create the role:
PUT _plugins/_security/api/roles/mbb_ro_role { "cluster_permissions": ["cluster_composite_ops_ro"], "index_permissions": [ { "index_patterns": [".kibana*", "logstash-nginx-access-logs-*"], "dls": "", "fls": [], "masked_fields": [], "allowed_actions": ["read", "indices:admin/resolve/index", "cluster:admin/opensearch/ql/datasources/read", "indices:data/read/search" ] } ], "tenant_permissions": [ { "tenant_patterns": ["global_tenant"], "allowed_actions": ["read", "write"] } ] }
Index pattern has to contain kibana indexes, the second pattern should be your index name (or datastream name(s))
Now we create a user and map roles (we also need to map predefined kibana_read_only role to our user)
PUT _plugins/_security/api/internalusers/tstuser { "password": "kirkpass123!", "opendistro_security_roles": [ "mbb_ro_role", "kibana_read_only"] }
Troubleshooting
You should tail the logs while logged in as user to see what permissions are required.
Here the request for .kibana index (originalRequested=[.kibana]), so we need to add this permission
opensearch-node2 | [2024-09-04T11:06:34,884][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node2] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/get]] [RolesChecked [mbb-ro-role, own_index]] opensearch-dashboards | {"type":"log","@timestamp":"2024-09-04T09:06:34Z","tags":["error","opensearch","data"],"pid":1,"message":"[security_exception]: no permissions for [indices:data/read/get] and User [name=mbb-ro-user, backend_roles=[], requestedTenant=]"}
Request for logstash-nginx-access-logs-live* (originalRequested=[logstash-nginx-access-logs-live*]), so we add this as well
opensearch-node1 | [2024-09-04T11:08:39,048][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No index-level perm match for User [name=mbb-ro-user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[logstash-nginx-access-logs-live01-frontend-services-i18n, logstash-nginx-access-logs-live02-frontend-services-i18n], types=[*], originalRequested=[logstash-nginx-access-logs-live*], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [mbb-ro-role, own_index]]
Tested on
- Opensearch 2.15