opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] Global tenant requires '.kibana*' and '.opensearch_dashboards*' read index permission #1955

Open FrcMoya opened 4 months ago

FrcMoya commented 4 months ago

Describe the bug

For the global tenant it is mandatory to give the role associated with the user the ReadOnly permission for the tenant and the read permission on these indices:

For the other created tenants these index permissions are not necessary; it is enough to give ReadOnly for the tenant.

To Reproduce Described above

Expected behavior The global tenant should behave like the other tenants because the current behaviour is strange and not consistent with the other permissions.

OpenSearch Version AWS managed cluster. Version 2.11.0

Dashboards Version 2.11.0

kavilla commented 4 months ago

@opensearch-project/admin please re-direct to security dashboards repo.

derek-ho commented 4 months ago

[Triage] - @FrcMoya would you be able to provide some more information about your issue/setup - permissions/mappings for a tenant that you think is working correctly? Once we understand more about your setup we can see if it is a bug or misconfiguration, thanks! Not marking this as triaged just yet.

stephen-crawford commented 4 months ago

[Triage] Hi @FrcMoya just following up. If we don't hear from you I will go ahead and close this as an expected misconfiguration. Thanks.

FrcMoya commented 4 months ago

Hi everyone, I will try to explain this using some screenshots.

On one hand, if you want to allow a role (an internal role inside OpenSearch) read-only access (which is my particular case) to the global tenant, it is mandatory to at least give it the _readonly permission on the global tenant plus these indices:

[screenshot]

On the other hand, if you want to allow a role permissions on any other tenant created by the OpenSearch Dashboards administrator (a custom tenant), it is not mandatory to give permissions on any indices in particular; only the read-only permission on the corresponding tenant is necessary:

[screenshot]

For me this is strange behavior and it is not documented; it was a trial-and-error process until I got the configuration I needed. If all this configuration is correct and the behavior is expected, I believe it is necessary to document it, since these are not obvious requirements.
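As an added example (not code from the original issue, the reporter, or the project's own documentation), the two role configurations the reporter describes written out in the security plugin's `roles.yml` format: one role that can read the global tenant only when it also holds `read` on the `.kibana*` and `.opensearch_dashboards*` index patterns, and one role that reads a custom tenant with tenant permission alone. The role names, the custom tenant name `analytics`, and the `cluster_composite_ops_ro` cluster permission are assumptions chosen for the example; the tenant action groups `kibana_all_read`/`kibana_all_write` are what the Dashboards UI labels "Read only"/"Read and write".

```yaml
# Added example roles.yml fragment; assumed role names and tenant name.
_meta:
  type: "roles"
  config_version: 2

# Global tenant, read-only. As the issue reports, the tenant permission
# alone is not enough: the role also needs read on the saved-object
# index patterns or Dashboards cannot load the global tenant.
global_tenant_readonly:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"      # assumed: lets Dashboards issue msearch/mget
  index_permissions:
    - index_patterns:
        - ".kibana*"                  # legacy saved-object index pattern
        - ".opensearch_dashboards*"   # current saved-object index pattern
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"             # name of the global tenant in roles.yml
      allowed_actions:
        - "kibana_all_read"           # "Read only" in the Dashboards UI

# Custom tenant, read-only. Here the tenant permission is sufficient;
# no explicit index permission on .kibana*/.opensearch_dashboards* is needed.
custom_tenant_readonly:
  reserved: false
  cluster_permissions:
    - "cluster_composite_ops_ro"      # assumed, as above
  tenant_permissions:
    - tenant_patterns:
        - "analytics"                 # assumed custom tenant name
      allowed_actions:
        - "kibana_all_read"
```

On a managed cluster where `roles.yml` cannot be edited, the same definitions can be applied through the Security REST API (`PUT _plugins/_security/api/roles/<role_name>` with the role body as JSON). Before granting `read` on `.kibana*`, check what that pattern actually matches with `GET _cat/indices/.kibana*`: besides the global tenant's `.kibana` index, the security plugin stores each tenant's saved objects in an index whose name starts with `.kibana_`, so a wildcard index permission is broader than the tenant permission it is paired with. That is the practical reason the asymmetry the issue describes deserves documentation.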