Read Only Dashboard User Role causes Forbidden Errors on visualizations on a dashboard with tenants enabled #916

Closed
Tracked by #2701
inf17101 opened this issue Mar 7, 2022 · 7 comments
Labels
bug Something isn't working help wanted Extra attention is needed, need help from community triaged

Comments

inf17101 commented Mar 7, 2022

If you create a Read Only Role according to the documentation (https://opensearch.org/docs/latest/security-plugin/access-control/users-roles/#set-up-a-read-only-user-in-opensearch-dashboards) then a "Forbidden" error is thrown on some visualizations.

If you create a read only user with the documented role settings, some visualizations on a dashboard show an error.
If you hit CTRL + F5 multiple times, the visualization loads correctly but other visualizations show this error instead.

To Reproduce
Steps to reproduce the behavior:

  1. Create a Read Only Dashboard User according to the OpenSearch documentation
  2. Create a Tenant
  3. Create some dashboards
  4. Log in with the user into the tenant

Expected behavior
A clear and concise description of what you expected to happen.

OpenSearch Version
1.2.2

Dashboards Version
1.2.0

Plugins

Please list all plugins currently enabled.

If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • OpenSearch and OpenSearch Dashboards are running on Linux Ubuntu Server 20.04
  • Win10 / Chrome Version 98.0.4758.102

Additional Information
Sometimes you can see the following exception in the log:
{"type":"log","@timestamp":"2022-03-07T10:27:06Z","tags":["error","opensearch","data"],"pid":338569,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=eagle_01, backend_roles=[], requestedTenant=null]"}

It is very confusing that "requestedTenant" for such a request is empty, because multi tenancy is enabled. And the user has full read only permissions according to documentation.

@inf17101 inf17101 added bug Something isn't working untriaged labels Mar 7, 2022
Member

kavilla commented Mar 7, 2022

Hello @inf17101, thank you for opening! Re-routing to the security plugin repo for more insight.

@kavilla kavilla transferred this issue from opensearch-project/OpenSearch-Dashboards Mar 7, 2022
@peternied
Member

@jimishs Do you know if we have an update on this issue?

jimishs commented Apr 2, 2022

@inf17101 Could you share whether the said user has the right index permissions to the indices that are being visualized?

From the error above I see that the said user may not have read permissions on the index being visualized.

zydyka commented Apr 13, 2022

I join the problem, I also have multitenancy, and several indexes for which only reading and filtering at the document level are configured. In Discover, I can see everything as needed. In the dashboard, some panels are "Forbidden" or "The request for this panel failed", which change if the page is refreshed.
opendistro 7.10.2

@peternied peternied added the help wanted Extra attention is needed, need help from community label May 2, 2022
@omar-chaabouni

Try this,
image

jseiser commented Jun 8, 2022

We are dealing with this now on OpenSearch 1.2

Using the above setup, the users can log in but they get an empty top left menu. The only way users can actually see the discover section of the Kibana menu is if they are in the security_manager group. Which then lets them change the group itself, which is not good.

nibix commented May 19, 2023

See opensearch-project/security#2701 (comment) for an analysis of the dashboards read only functionality.

Regarding the configuration shown at #916 (comment) : This seems to achieve a read only tenant, but it is wrong on two levels:

Regarding the randomly appearing Forbidden error: My gut feeling is that there is another issue interfering as well. This would need more thorough information for analysing and reproducing the issue like user and role config and more context from the logs.
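
To collect the log context requested in the thread, denials like the one quoted in the issue can be extracted from the Dashboards JSON log and grouped by user, action and requested tenant. This is an added example, not code from the issue or from the OpenSearch project; the regular expression is derived only from the single log line quoted in the issue, and the function names and all sample lines after the first are constructed.

```python
import json
import re
from collections import Counter

# Derived from the one denial message quoted in the issue; other plugin
# versions may word the message differently (assumption).
DENIAL = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\], "
    r"requestedTenant=(?P<tenant>[^\]]*)\]"
)

# First line is the log entry from the issue; the others are constructed.
SAMPLE_LOG = [
    '{"type":"log","@timestamp":"2022-03-07T10:27:06Z","tags":["error","opensearch","data"],"pid":338569,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=eagle_01, backend_roles=[], requestedTenant=null]"}',
    '{"type":"log","@timestamp":"2022-03-07T10:27:09Z","tags":["error","opensearch","data"],"pid":338569,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=eagle_01, backend_roles=[], requestedTenant=null]"}',
    '{"type":"log","@timestamp":"2022-03-07T10:28:00Z","tags":["error","opensearch","data"],"pid":338569,"message":"[security_exception]: no permissions for [indices:data/read/search] and User [name=example_user, backend_roles=[readers, ops], requestedTenant=example_tenant]"}',
    '{"type":"response","@timestamp":"2022-03-07T10:28:01Z","message":"GET /app/dashboards 200"}',
    'not json at all',
]

def parse_denials(lines):
    """Yield one dict per security_exception denial found in JSON log lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as stack traces
        if not isinstance(rec, dict):
            continue
        m = DENIAL.search(str(rec.get("message", "")))
        if not m:
            continue
        tenant = m.group("tenant")
        yield {
            "timestamp": rec.get("@timestamp"),
            "action": m.group("action"),
            "user": m.group("user"),
            "backend_roles": [r.strip() for r in m.group("roles").split(",") if r.strip()],
            "tenant": None if tenant == "null" else tenant,  # "null" = no tenant on the request
        }

def summarize(lines):
    """Count denials per (user, action, tenant) to see which combination fails."""
    return Counter((d["user"], d["action"], d["tenant"]) for d in parse_denials(lines))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, key)
```

A high count for one user with `tenant` equal to `None` matches the pattern reported in the issue and gives maintainers the user, action and tenant values needed to compare against the role configuration.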
