[BUG] CSV exports dont work for non-admin users (and other report functions).

[camAtGitHub]

Describe the bug
CSV exports dont work for non-admin users (and other report functions).
We are using opensearch with security applied to indexes for different business groups etc - only a few people are OpenSeach (OS) admins. The non-admin users can't generate a CSV export.

I believe this is a permissions issue and I have corrected and progressed the error (ie. now a different error) but it's still not working.
One issue I found is the roles reports_full_access, reports_read_access & reports_instances_read_access all reference 'opendistro' permissions. ie. cluster:admin/opendistro/reports/definition/get [^1]
I noticed this due to the permission error message:

[2021-11-09T12:28:13,098][INFO ][o.o.s.p.PrivilegesEvaluator] [server2] No cluster-level perm match for User [name=camtest, backend_roles=[], requestedTenant=NetSupport] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [cluster:admin/opensearch/reports/definition/list]] [RolesChecked [acme_ldap_elastic_netsupp, reports_full_access, kibana_user]]. No permissions for [cluster:admin/opensearch/reports/definition/list]

I ended up creating new action groups (AG) like the reporting AGs but replacing opendistro with opensearch - That helped a bit.
The next error was:

[2021-11-09T12:06:38,112][INFO ][o.o.s.p.PrivilegesEvaluator] [server2] No index-level perm match for User [name=camtest, backend_roles=[], requestedTenant=NetSupport] Resolved [aliases=[syslog], allIndices=[.ds-syslog-import-2021-000004, .ds-syslog-import-2020-000001, .ds-syslog-import-2021-000002, .ds-syslog-import-2021-000003, .ds-syslog-import-2021-000001, .ds-syslog-2021-10-000001, .ds-syslog-2021-000001], types=[*], originalRequested=[syslog], remoteIndices=[]] [Action [indices:monitor/settings/get]] [RolesChecked [os_reports_instances_read_access, acme_ldap_elastic_netsupp, kibana_user]]

But adding indices:monitor/settings/get level permissions doesn't help as the error message continues even after logging out and purging security caches etc.
I susseqentily added a bunch of AGs in a troubleshooting attempt [^2] which didnt help, I think the error has gone after the additional AGs and the current error message is:
[2021-11-09T13:11:21,568][DEPRECATION][o.o.d.c.m.IndexNameExpressionResolver] [server2] this request accesses system indices: [.opendistro_security, .tasks], but in a future major version, direct access to system indices will be prevented by defaut
I believe it's caused by the reporting plugin but can't be 100% certain as it spams the error log every 1 minutes + a few seconds drift

To Reproduce
Steps to reproduce the behavior:

1. Create data series indexes
2. Create non-admin users with limited permissions.
3. Save a search in GUI.
4. Attempt to export search to CSV file.
5. Fail with error: Error generating report. Insufficient permissions. Reach out to your OpenSearch Dashboards administrator.

Expected behavior
A clear and concise description of what you expected to happen.

Plugins
Default from 1.1.0 docker build

Screenshots
n/a

Host/Environment (please complete the following information):
Server: docker v1.1.0 build
Client: Windows 10 x64 - Firefox v94.01

Additional context

• This build was running opensearch v1.0.0 then upgraded to 1.1.0 when it came out - possibly a migration step was over looked?
• Not sure if it worked for non-admin users on v.1.0.0.0
• We also only use dataseries index types. These seem to not have as much testing performed against them during the plugin development cycle(?).

[^1:] Role permissions

#reports_full_access
cluster:admin/opendistro/reports/definition/create
cluster:admin/opendistro/reports/definition/update
cluster:admin/opendistro/reports/definition/on_demand
cluster:admin/opendistro/reports/definition/delete
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download
		
#reports_read_access & reports_instances_read_access
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download
	
#reports_read_access
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

[^2:] Additonal Action Groups attempted in addition to the above group[^1]

indices_monitor
manage_data_streams
data_access
search
get
read

[zhongnansu]

Hi, this issue has been fixed in #218, and it will be avaialble in 1.2 release. It was a naming mistake during migration, the permissions should be prefixed in opendistro, but it was changed to use opensearch. There's a workaround if you create some permissions/roles by admin user, using opensearch. Otherwise, wait for the 1.2 release and update
@camAtGitHub

[camAtGitHub]

@zhongnansu - any pointers to the current work around permissions would be appreciated.
nvm - i can wait a week :-)