
I am using AWS OpenSearch to view real-time data analysis.

I am using the following roles to give my user read-only access to the dashboard, as mentioned here:

  • kibana_user
  • kibana_read_only
  • read_only_index

But the user can still edit the dashboard because of some permissions in the "kibana_user" role. So I tried to make a duplicate role using OpenSearch's built-in functionality, removed the manage and delete permissions from the duplicated role, and assigned this role to my user. But this time the user is unable to view the dashboard and the dashboards list, even if I don't remove the manage and delete permissions. I am getting the following error in the browser:

no permissions for [indices:data/read/search] and User [name=test-user-1, backend_roles=[], requestedTenant=]: security_exception

I tried giving the "indices:data/read/search" permission to the role, and many more, but it didn't work. Any solutions?

3 Answers


I used:

  • kibana_all_read
  • read

That seems to work: they can put the dashboard in edit mode, but can't save it.

LostSoul

The standard approach for a read-only Dashboards user is as follows:

  1. Create a custom role for this type of user: my-readonly-role.
  2. Add the cluster_composite_ops_ro cluster permission.
  3. Add any desired index patterns to restrict access: logs.*.
  4. Add index privileges for read access: read, indices:admin/resolve/index.
  5. Add tenant patterns: My-Tenant.
  6. Add tenant permissions: read, write.
  7. Map the following roles to the desired users: my-readonly-role and opensearch_dashboards_read_only.

Note: This was tested against OpenSearch version 1.1.

Create a Role (API)

Here is the API block that represents the above steps:

{
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {
            "index_patterns": ["logs.*"],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read", "indices:admin/resolve/index"]
        }
    ],
    "tenant_permissions": [
        {
            "tenant_patterns": ["My-Tenant"],
            "allowed_actions": ["read", "write"]
        }
    ]
}
Picciwig
  • This works for an AWS public-domain OpenSearch, but it fails for an OpenSearch domain created in a VPC. – jathin sanghvi Mar 29 '22 at 03:00
  • We have this deployed in a private VPC and it works just fine. Your configured method of authentication will need to be factored in, but that is beyond the scope of the original question. – Picciwig Apr 15 '22 at 07:13
  • I have logged in to the OpenSearch dashboard as admin. I am not able to see "opensearch_dashboards_read_only" in the roles list. May I know how I can find this role to map to my created internal user? – Soorya Prakash Feb 06 '23 at 15:39
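The following is an added example, not code from the answer above or from the OpenSearch project: it builds the role body from the answer's steps, audits a role's index permissions for write-capable action groups (the problem the question ran into after cloning kibana_user), and shows the Security plugin REST calls that would create the role and map it to the user from the error message. The hostname, the Authorization header value and the set of action groups treated as write-capable are assumptions.

```python
"""Build, audit and (optionally) push a read-only OpenSearch Dashboards role."""
import json
import urllib.request

# Assumption: these built-in action groups let a user modify index data or
# index metadata, so none of them belongs in a read-only role.
WRITE_GROUPS = {"write", "crud", "index", "delete", "manage", "create_index",
                "indices_all", "unlimited", "data_access", "manage_aliases"}


def build_role(index_pattern="logs.*", tenant="My-Tenant"):
    """Role body mirroring steps 2-6 of the answer (tenant 'write' is intended
    so Dashboards can persist its own saved objects; indices stay read-only)."""
    return {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "dls": "", "fls": [], "masked_fields": [],
            "allowed_actions": ["read", "indices:admin/resolve/index"],
        }],
        "tenant_permissions": [{
            "tenant_patterns": [tenant],
            "allowed_actions": ["read", "write"],
        }],
    }


def write_capable_index_actions(role):
    """Return index actions that would let the user change data, e.g. the
    'manage' and 'delete' groups left behind when kibana_user is cloned."""
    flagged = []
    for perm in role.get("index_permissions", []):
        for action in perm.get("allowed_actions", []):
            if action in WRITE_GROUPS or action.startswith("indices:data/write/"):
                flagged.append(action)
    return flagged


def push(host, role_name, user, role, auth_header, dry_run=True):
    """PUT the role, then a role mapping, via the Security plugin REST API.
    With dry_run=True only the target URLs are returned (nothing is sent)."""
    requests = [
        (f"{host}/_plugins/_security/api/roles/{role_name}", role),
        (f"{host}/_plugins/_security/api/rolesmapping/{role_name}",
         {"backend_roles": [], "hosts": [], "users": [user]}),
    ]
    if not dry_run:
        for url, body in requests:
            req = urllib.request.Request(
                url, method="PUT", data=json.dumps(body).encode(),
                headers={"Content-Type": "application/json",
                         "Authorization": auth_header})
            urllib.request.urlopen(req).read()
    return [url for url, _ in requests]
```

Run `write_capable_index_actions` against any role you cloned in the UI before mapping it; an empty list is what a read-only role should return.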

Nothing of the above worked for me, but this did: [screenshot]

I don't even know why and how.