opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] Role opensearch_dashboards_read_only + index read permissions isn't sufficient to view Dashboard Page, 403 #4496

Open kpolicar opened 3 days ago

kpolicar commented 3 days ago

What is the bug? 403 Forbidden error when attempting to open a dashboard page that performs an index search. The user has been granted read permission for this index.

How can one reproduce the bug? Steps to reproduce the behavior:

  1. Create index pattern: **example-***
  2. Create dashboard that searches the index pattern **example-***
  3. Create internal user: example_user
  4. Map example_user to opensearch_dashboards_read_only role (Reference)
  5. Create role example_role with the following properties:
    • Cluster permissions: cluster_composite_ops_ro (Reference)
    • Index permissions:
      • example-*: read
    • Tenant permissions: global_tenant: read
  6. Login with example_user, attempt to access the dashboard
  7. Error: page doesn't load

What is the expected behavior? The user has been granted the permission, the dashboard page should load.

What is your host/environment?

Temporary solution: Grant the user read permission on the .kibana and .opensearch_dashboards index patterns.

Do you have any screenshots? Screenshots depict a dashboard that queries the datastream demo-logs-kubernetes.

  • Before applying temporary solution: (image)
  • After applying temporary solution: (image)
  • opensearch_dashboards_user compared to opensearch_dashboards_read_only: (image)

I would expect these permissions to be granted as part of the opensearch_dashboards_read_only role.
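
Added example, not part of the issue and not code from the security plugin: the role from step 5 written in the shape the Security REST API accepts, with a check of which indices its index permissions cover before and after the temporary solution. The data index name, the helper functions and the simplified matching (shell-style wildcards, a literal `read` action) are assumptions made for illustration.

```python
import copy
from fnmatch import fnmatchcase

# Role from step 5, shaped like a body for
# PUT _plugins/_security/api/roles/example_role
EXAMPLE_ROLE = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {"index_patterns": ["example-*"], "allowed_actions": ["read"]},
    ],
    # Read-only tenant access is stored as the kibana_all_read action group.
    "tenant_permissions": [
        {"tenant_patterns": ["global_tenant"],
         "allowed_actions": ["kibana_all_read"]},
    ],
}

# Constructed sample: one data index plus the two index names from the
# "Temporary solution" section of the report.
REQUIRED = ["example-2024.06", ".kibana", ".opensearch_dashboards"]


def with_workaround(role):
    """Copy of the role that also grants read on the two extra patterns."""
    patched = copy.deepcopy(role)
    patched["index_permissions"].append(
        {"index_patterns": [".kibana", ".opensearch_dashboards"],
         "allowed_actions": ["read"]})
    return patched


def uncovered(role, indices, action="read"):
    """Indices for which no index_permissions entry grants `action`.

    Simplification (assumption): patterns are matched as shell-style
    wildcards and the action must appear literally in allowed_actions.
    """
    missing = []
    for index in indices:
        granted = any(
            action in entry["allowed_actions"]
            and any(fnmatchcase(index, p) for p in entry["index_patterns"])
            for entry in role["index_permissions"])
        if not granted:
            missing.append(index)
    return missing


if __name__ == "__main__":
    print("as reported:    ", uncovered(EXAMPLE_ROLE, REQUIRED))
    print("with workaround:", uncovered(with_workaround(EXAMPLE_ROLE), REQUIRED))
```

The same check can be run against a role fetched from a cluster to see which indices a dashboard depends on that the role does not cover.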