OpenSearch Dashboards Access Control Issue #9508

Open
Pratiklahoti012 opened this issue Mar 10, 2025 · 0 comments
Labels
bug Something isn't working untriaged

Comments

@Pratiklahoti012

Describe the bug

I'm experiencing a permissions error when accessing OpenSearch Dashboards with a user that has the read_only_role backend role from Keycloak. Despite configuring the appropriate roles and permissions according to documentation, I'm receiving a security exception.
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=<my-email>, backend_roles=[read_only_role, offline_access], requestedTenant=null]

To Reproduce
I've set up the OpenSearch cluster using the Operator with security configurations as shown in the attached YAML files. After deployment, I've created and configured additional roles through the OpenSearch Dashboards UI following the official documentation at Defining users and roles - OpenSearch Documentation.

  • Created backend roles in Keycloak and assigned them to users
  • Created corresponding roles in OpenSearch with appropriate permissions including indices_monitor
  • Mapped the Keycloak backend roles to OpenSearch roles
  • Verified that all the necessary permissions are included in the role definitions
  • Checked tenant configurations (noticing that requestedTenant=null in the error)
  • Verified that admin users can access the indexes without issues

Expected behavior
I expect users with the read_only_role backend role to be able to see all indexes starting with 'pra' in OpenSearch Dashboards without permission errors. Admin users can currently see all indexes without issues.

OpenSearch Version
2.19.0

Dashboards Version
2.19.0

Plugins


Screenshots

[three screenshots attached to the original issue]

Host/Environment (please complete the following information):

  • OS: Linux VM
  • Browser and version: tried with every browser in the latest version, it is the same.

Additional context


# Security configuration secret (first attached YAML file)
apiVersion: v1
kind: Secret
metadata:
  name: opensearch-securityconfig-secret
type: Opaque
stringData:
  action_groups.yml: |-
    _meta:
      type: "actiongroups"
      config_version: 2
  internal_users.yml: |-
    _meta:
      type: "internalusers"
      config_version: 2
    opensearch:
      hash: <>
      reserved: true
      backend_roles:
      - "admin"
      description: "Demo admin user"
    dashboarduser:
      hash: <>
      reserved: true
      description: "Demo OpenSearch Dashboards user"
  nodes_dn.yml: |-
    _meta:
      type: "nodesdn"
      config_version: 2
  whitelist.yml: |-
    _meta:
      type: "whitelist"
      config_version: 2
  tenants.yml: |-
    _meta:
      type: "tenants"
      config_version: 2
  roles_mapping.yml: |-
    _meta:
      type: "rolesmapping"
      config_version: 2
    all_access:
      reserved: false
      backend_roles:
      - "admin"
      - "opensearch-admin"   # each backend role needs its own list item; a bare second line is a YAML parse error
      description: "Maps admin to all_access"
    own_index:
      reserved: false
      users:
      - "*"
      description: "Allow full access to an index named like the username"
    readall:
      reserved: false
      backend_roles:
      - "readall"
    manage_snapshots:
      reserved: false
      backend_roles:
      - "snapshotrestore"
    dashboard_server:
      reserved: true
      users:
      - "dashboarduser"
  roles.yml: |-
    _meta:
      type: "roles"
      config_version: 2
    dashboard_read_only:
      reserved: true
    security_rest_api_access:
      reserved: true
    # Allows users to view monitors, destinations and alerts
    alerting_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/alerting/alerts/get'
        - 'cluster:admin/opendistro/alerting/destination/get'
        - 'cluster:admin/opendistro/alerting/monitor/get'
        - 'cluster:admin/opendistro/alerting/monitor/search'
    # Allows users to view and acknowledge alerts
    alerting_ack_alerts:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/alerting/alerts/*'
    # Allows users to use all alerting functionality
    alerting_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster_monitor'
        - 'cluster:admin/opendistro/alerting/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices_monitor'
            - 'indices:admin/aliases/get'
            - 'indices:admin/mappings/get'
    # Allow users to read Anomaly Detection detectors and results
    anomaly_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/ad/detector/info'
        - 'cluster:admin/opendistro/ad/detector/search'
        - 'cluster:admin/opendistro/ad/detectors/get'
        - 'cluster:admin/opendistro/ad/result/search'
        - 'cluster:admin/opendistro/ad/tasks/search'
        - 'cluster:admin/opendistro/ad/detector/validate'
        - 'cluster:admin/opendistro/ad/result/topAnomalies'
    # Allows users to use all Anomaly Detection functionality
    anomaly_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster_monitor'
        - 'cluster:admin/opendistro/ad/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices_monitor'
            - 'indices:admin/aliases/get'
            - 'indices:admin/mappings/get'
    # Allows users to read Notebooks
    notebooks_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/notebooks/list'
        - 'cluster:admin/opendistro/notebooks/get'
    # Allows users to all Notebooks functionality
    notebooks_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/notebooks/create'
        - 'cluster:admin/opendistro/notebooks/update'
        - 'cluster:admin/opendistro/notebooks/delete'
        - 'cluster:admin/opendistro/notebooks/get'
        - 'cluster:admin/opendistro/notebooks/list'
    # Allows users to read observability objects
    observability_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/observability/get'
    # Allows users to all Observability functionality
    observability_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opensearch/observability/create'
        - 'cluster:admin/opensearch/observability/update'
        - 'cluster:admin/opensearch/observability/delete'
        - 'cluster:admin/opensearch/observability/get'
    # Allows users to read and download Reports
    reports_instances_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'
    # Allows users to read and download Reports and Report-definitions
    reports_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/definition/get'
        - 'cluster:admin/opendistro/reports/definition/list'
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'
    # Allows users to all Reports functionality
    reports_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/reports/definition/create'
        - 'cluster:admin/opendistro/reports/definition/update'
        - 'cluster:admin/opendistro/reports/definition/on_demand'
        - 'cluster:admin/opendistro/reports/definition/delete'
        - 'cluster:admin/opendistro/reports/definition/get'
        - 'cluster:admin/opendistro/reports/definition/list'
        - 'cluster:admin/opendistro/reports/instance/list'
        - 'cluster:admin/opendistro/reports/instance/get'
        - 'cluster:admin/opendistro/reports/menu/download'
    # Allows users to use all asynchronous-search functionality
    asynchronous_search_full_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/asynchronous_search/*'
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:data/read/search*'
    # Allows users to read stored asynchronous-search results
    asynchronous_search_read_access:
      reserved: true
      cluster_permissions:
        - 'cluster:admin/opendistro/asynchronous_search/get'
    # Allows user to use all index_management actions - ism policies, rollups, transforms
    index_management_full_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/opendistro/ism/*"
        - "cluster:admin/opendistro/rollup/*"
        - "cluster:admin/opendistro/transform/*"
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - 'indices:admin/opensearch/ism/*'
    # Allows users to use all cross cluster replication functionality at leader cluster
    cross_cluster_replication_leader_full_access:
      reserved: true
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - "indices:admin/plugins/replication/index/setup/validate"
            - "indices:data/read/plugins/replication/changes"
            - "indices:data/read/plugins/replication/file_chunk"
    # Allows users to use all cross cluster replication functionality at follower cluster
    cross_cluster_replication_follower_full_access:
      reserved: true
      cluster_permissions:
        - "cluster:admin/plugins/replication/autofollow/update"
      index_permissions:
        - index_patterns:
            - '*'
          allowed_actions:
            - "indices:admin/plugins/replication/index/setup/validate"
            - "indices:data/write/plugins/replication/changes"
            - "indices:admin/plugins/replication/index/start"
            - "indices:admin/plugins/replication/index/pause"
            - "indices:admin/plugins/replication/index/resume"
            - "indices:admin/plugins/replication/index/stop"
            - "indices:admin/plugins/replication/index/update"
            - "indices:admin/plugins/replication/index/status_check"
  config.yml: |-
    _meta:
      type: "config"
      config_version: "2"
    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
        authc:
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: "4"
            http_authenticator:
              type: basic
              challenge: true
            authentication_backend:
              type: intern
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                openid_connect_url: <>
            authentication_backend:
              type: noop
---
# OpenSearchCluster custom resource (second attached YAML file)
apiVersion: opensearch.opster.io/v1
kind: OpenSearchCluster
metadata:
  name: opensearch-cluster
spec:
  confMgmt:
    smartScaler: true
  bootstrap:
    resources:
      requests:
        memory: "1Gi"
        cpu: "1000m"
      limits:
        memory: "2Gi"
        cpu: "2000m"
  initHelper:
    resources:
      requests:
        memory: "1Gi"
        cpu: "1000m"
      limits:
        memory: "2Gi"
        cpu: "2000m"
  dashboards:
    additionalConfig:
      opensearch_security.auth.type: openid
      opensearch_security.multitenancy.enabled: "true"
      opensearch_security.openid.connect_url: <>
      opensearch_security.openid.base_redirect_url: <>
      opensearch_security.openid.client_id: <>
      opensearch_security.openid.client_secret: <>
      opensearch_security.openid.scope: openid profile email
      opensearch_security.openid.header: Authorization
      opensearch_security.openid.verify_hostnames: "false"
      opensearch_security.openid.trust_dynamic_headers: "true"
    podSecurityContext:
      runAsUser: 1000
    securityContext:
      runAsUser: 1000
    enable: true
    opensearchCredentialsSecret:
      name: opensearch-itnb-admin-credentials
    replicas: 1
    resources:
      requests:
        memory: "1Gi"
        cpu: "1000m"
      limits:
        memory: "2Gi"
        cpu: "2000m"
    service:
      type: ClusterIP
    tls:
      enable: true
      generate: true
    version: 2.19.0
  general:
    podSecurityContext:
      runAsUser: 1000
    securityContext:
      runAsUser: 1000
    drainDataNodes: true
    httpPort: 9200
    version: 2.19.0
  nodePools:
    - component: masters
      pdb:
        enable: true
        minAvailable: 1
      replicas: 3
      diskSize: "3Gi"
      resources:
        requests:
          memory: "1Gi"
          cpu: "1000m"
        limits:
          memory: "2Gi"
          cpu: "2000m"
      roles:
        - data
        - cluster_manager
  security:
    config:
      adminCredentialsSecret:
        name: <>
      securityConfigSecret:
        name: <>
      updateJob:
        resources:
          requests:
            memory: "1Gi"
            cpu: "1000m"
          limits:
            memory: "2Gi"
            cpu: "2000m"
    tls:
      http:
        generate: true
      transport:
        generate: true
        perNode: true
@Pratiklahoti012 Pratiklahoti012 added bug Something isn't working untriaged labels Mar 10, 2025
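The report's error is a permission-resolution failure: a Keycloak backend role is mapped to one or more OpenSearch Security roles, and none of them grants `indices:monitor/settings/get` on the index being listed. The following Python script is an added example, not code from the issue or from the OpenSearch project; it mimics that resolution offline over a constructed `roles_mapping.yml` / `roles.yml` subset so the exact action in the exception can be checked against a role definition before deploying it. The role `pra_read_only`, its mapping for `read_only_role`, the index name `pra-logs`, and the action-group expansions (`indices_monitor` as `indices:monitor/*`, `read` as the data-read wildcards) are assumptions made for the example, not values taken from the page; only index-level permissions are resolved, cluster permissions are ignored.

```python
"""Offline resolver: backend role -> mapped security roles -> index actions.

Added example (not part of the issue or of OpenSearch). The configuration
below is constructed to mirror the structure of the posted roles_mapping.yml
and roles.yml; the read-only role and its mapping are hypothetical.
"""
import fnmatch

# Assumed expansions of built-in static action groups (assumption, not
# copied from the plugin's static_action_groups.yml).
STATIC_ACTION_GROUPS = {
    "indices_monitor": ["indices:monitor/*"],
    "cluster_monitor": ["cluster:monitor/*"],
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*",
             "indices:admin/resolve/index"],
}

# Constructed roles_mapping.yml subset; `pra_read_only` is hypothetical.
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin", "opensearch-admin"]},
    "readall": {"backend_roles": ["readall"]},
    "pra_read_only": {"backend_roles": ["read_only_role"]},
}

# Constructed roles.yml entry as a first attempt: read access to pra* only.
ROLES = {
    "pra_read_only": {
        "index_permissions": [
            {"index_patterns": ["pra*"], "allowed_actions": ["read"]},
        ],
    },
}

# Same role with the monitor action group added (the fix a defender would test).
FIXED_ROLES = {
    "pra_read_only": {
        "index_permissions": [
            {"index_patterns": ["pra*"],
             "allowed_actions": ["read", "indices_monitor"]},
        ],
    },
}


def expand(actions, groups=STATIC_ACTION_GROUPS, seen=None):
    """Recursively replace action-group names with their action patterns."""
    seen = set() if seen is None else seen
    out = []
    for action in actions:
        if action in groups and action not in seen:
            seen.add(action)
            out.extend(expand(groups[action], groups, seen))
        else:
            out.append(action)
    return out


def roles_for_backend_role(backend_role, mapping=ROLES_MAPPING):
    """Security roles whose mapping lists the given backend role."""
    return sorted(name for name, entry in mapping.items()
                  if backend_role in entry.get("backend_roles", []))


def index_action_allowed(backend_role, index, action, roles=ROLES,
                         mapping=ROLES_MAPPING):
    """Return the set of mapped roles granting `action` on `index`.

    An empty set corresponds to the security_exception in the report.
    Action and index patterns use '*' wildcards, which fnmatch covers.
    """
    granting = set()
    for role_name in roles_for_backend_role(backend_role, mapping):
        for perm in roles.get(role_name, {}).get("index_permissions", []):
            if not any(fnmatch.fnmatchcase(index, p)
                       for p in perm.get("index_patterns", [])):
                continue
            patterns = expand(perm.get("allowed_actions", []))
            if any(fnmatch.fnmatchcase(action, p) for p in patterns):
                granting.add(role_name)
    return granting


def diagnose(backend_role, index, action, roles=ROLES, mapping=ROLES_MAPPING):
    """Human-readable verdict pointing at the layer that failed."""
    mapped = roles_for_backend_role(backend_role, mapping)
    if not mapped:
        return (f"backend role {backend_role!r} maps to no role: check "
                f"roles_mapping.yml and the roles_key claim from Keycloak")
    granting = index_action_allowed(backend_role, index, action, roles, mapping)
    if granting:
        return f"{action} on {index} granted by {sorted(granting)}"
    return (f"no permissions for [{action}] on {index}: mapped roles {mapped} "
            f"lack it; add 'indices_monitor' to an index_permissions entry "
            f"whose index_patterns match {index}")


if __name__ == "__main__":
    ACTION = "indices:monitor/settings/get"   # the action from the report
    print(diagnose("read_only_role", "pra-logs", ACTION))
    print(diagnose("read_only_role", "pra-logs", ACTION, roles=FIXED_ROLES))
    print(diagnose("offline_access", "pra-logs", ACTION))
```

Running it prints the same "no permissions for [indices:monitor/settings/get]" verdict for the first role definition, a grant once `indices_monitor` is added, and a mapping failure for `offline_access`, which is a Keycloak default backend role that no OpenSearch role is expected to match. The useful habit is to run the exact action string from the exception through the resolver rather than reasoning from role names, because `read` does not include any `indices:monitor/*` action.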