From 46d4598ac94feb4b43f6f75c9e4da2ae44dc024f Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 11:04:21 -0500 Subject: [PATCH 01/21] testing out reporting change --- .../templates/config/opensearch-security/roles.yml.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 1ba20db2..32b1340e 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -370,6 +370,9 @@ cf_user: - "read" - "cluster:monitor/nodes/stats" - "cluster:monitor/task/get" + reporting_permissions: + - privileges: + - "run" index_permissions: - index_patterns: - "logs-app-*" From e86d83b1833913c758b11eb114f7d4df3b6a2639 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 11:18:09 -0500 Subject: [PATCH 02/21] testing out permissions --- .../templates/config/opensearch-security/roles.yml.erb | 3 --- .../templates/config/opensearch-security/roles_mapping.yml.erb | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 32b1340e..1ba20db2 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -370,9 +370,6 @@ cf_user: - "read" - "cluster:monitor/nodes/stats" - "cluster:monitor/task/get" - reporting_permissions: - - privileges: - - "run" index_permissions: - index_patterns: - "logs-app-*" diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index d23ec5c4..344c13ad 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb 
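Review bot: `reporting_permissions` under `cf_user` is not a key I know the security plugin's role schema to accept; roles are built from `cluster_permissions`, `index_permissions` and `tenant_permissions`, and an unrecognised key may stop the role file from loading instead of being ignored (confirm against the deployed plugin version). A later hunk in this series shows reporting access in this file expressed as `cluster:admin/opendistro/reports/...` entries under `reports_full_access`, so the grant belongs in a role of that kind plus a role mapping. The `cf_user` role starts and ends outside the hunk.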
+++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -48,6 +48,7 @@ cf_user: hidden: false backend_roles: - "user" + - "reports_full_access" hosts: [] users: [] and_backend_roles: [] From 74f5ccaaaa2c2a65b2789a80232c70e282d73576 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 11:54:27 -0500 Subject: [PATCH 03/21] seeing if fixes --- .../templates/config/opensearch-security/roles_mapping.yml.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index 344c13ad..d23ec5c4 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -48,7 +48,6 @@ cf_user: hidden: false backend_roles: - "user" - - "reports_full_access" hosts: [] users: [] and_backend_roles: [] From 8e0041cfb4d15430a4718291e361b4a87bea5740 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 12:15:00 -0500 Subject: [PATCH 04/21] seeing if its a roles issue --- .../templates/config/opensearch-security/roles_mapping.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index d23ec5c4..344c13ad 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -48,6 +48,7 @@ cf_user: hidden: false backend_roles: - "user" + - "reports_full_access" hosts: [] users: [] and_backend_roles: [] From 2a8df264dfada1a5887df04b98c7133ac7133fd7 Mon Sep 17 00:00:00 2001 
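Review bot: Adding `"reports_full_access"` to `backend_roles` under `cf_user` does not give CF users reporting rights. In a role mapping that list names the backend roles whose holders receive `cf_user`, so the line instead admits anyone carrying a backend role of that name into `cf_user`. The same applies to the re-add in PATCH 04 and to `"reports_instances_read_access"` in PATCH 05. To grant reporting, give the reporting role its own mapping entry keyed on the existing backend role, and pick the narrowest reporting role that works.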
From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 12:32:30 -0500 Subject: [PATCH 05/21] trying lower values --- .../templates/config/opensearch-security/roles_mapping.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index 344c13ad..30f72ef1 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -48,7 +48,7 @@ cf_user: hidden: false backend_roles: - "user" - - "reports_full_access" + - "reports_instances_read_access" hosts: [] users: [] and_backend_roles: [] From e49850765558d7a6744b439a1d7861cfe20b0b58 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 13:35:08 -0500 Subject: [PATCH 06/21] seeing what happens --- .../templates/config/opensearch-security/roles_mapping.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index 30f72ef1..436d6d80 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -39,7 +39,7 @@ logstash: kibana_user: reserved: false backend_roles: - - "kibanauser" + - "kibana_read_only" - "user" description: "Maps kibanauser to kibana_user" From 06b87cdb41c779d6c32c6e725162629326d4a586 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 13:52:48 -0500 Subject: [PATCH 07/21] seeing what happens --- .../config/opensearch-security/roles_mapping.yml.erb | 7 ------- 1 file changed, 7 deletions(-) 
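Review bot: Replacing `"kibanauser"` with `"kibana_read_only"` in the `kibana_user` mapping changes who receives the role, not what the role allows: any principal whose backend role is `kibana_read_only` would now be mapped to `kibana_user`, which is presumably the opposite of a read-only restriction. The `description: "Maps kibanauser to kibana_user"` line also becomes stale. If the goal is a read-only Dashboards experience, that needs a separate role to map users into, not a different backend-role name in this list.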
diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index 436d6d80..6cb11bc1 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -36,13 +36,6 @@ logstash: backend_roles: - "logstash" -kibana_user: - reserved: false - backend_roles: - - "kibana_read_only" - - "user" - description: "Maps kibanauser to kibana_user" - cf_user: reserved: true hidden: false From 3876ab7e1f6bc9066c5405a2ab12f54306b52828 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 14:42:14 -0500 Subject: [PATCH 08/21] fixing --- .../config/opensearch-security/roles_mapping.yml.erb | 8 +++++++- jobs/upload_tenant/templates/bin/run.sh | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index 6cb11bc1..d23ec5c4 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -36,12 +36,18 @@ logstash: backend_roles: - "logstash" +kibana_user: + reserved: false + backend_roles: + - "kibanauser" + - "user" + description: "Maps kibanauser to kibana_user" + cf_user: reserved: true hidden: false backend_roles: - "user" - - "reports_instances_read_access" hosts: [] users: [] and_backend_roles: [] diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index b29c3a2d..8ffeee1a 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh 
@@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_all_write"]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From 1779f17329ef4b7ad3b1f515611bd487c528a41d Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 14:49:56 -0500 Subject: [PATCH 09/21] adding in dashboard permission --- jobs/upload_tenant/templates/bin/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index 8ffeee1a..abd2763c 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh @@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user_with_dashboard_create_permission]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From 68ec17c759ce8e5fea28b87491fe28ee48da9b62 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 15:40:45 -0500 Subject: [PATCH 10/21] fixing roles --- .../templates/config/opensearch-security/roles.yml.erb | 1 + jobs/upload_tenant/templates/bin/run.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 1ba20db2..677fd17c 100644 
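Review bot: The new `-d` body is not valid JSON because `"kibana_user` is missing its closing quote before `]`, and PATCH 09 repeats the defect with `"kibana_user_with_dashboard_create_permission`. The call uses `curl -s` and no status check is visible in the hunk, so a rejected request would presumably pass unnoticed and leave the `${org}-tenant` role stale or absent. Beyond the quote, `kibana_user` is a role name; tenant `allowed_actions` expect a tenant action group such as the `kibana_all_write` this line replaces, or `kibana_all_read` for read-only tenants. Consider adding `--fail` to these calls so a rejected body fails the job.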
--- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -377,5 +377,6 @@ cf_user: fls: allowed_actions: - "read" + - "create" tenant_permissions: [] static: false diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index abd2763c..11e5738f 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh @@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user_with_dashboard_create_permission]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user"]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From 5dc5cc8ef35efde54db56a1ffd17f2d2baa44457 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 20:44:49 -0500 Subject: [PATCH 11/21] updating with perimssions --- .../templates/config/opensearch-security/roles.yml.erb | 7 +++++++ jobs/upload_tenant/templates/bin/run.sh | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 677fd17c..c200a711 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -378,5 +378,12 @@ cf_user: allowed_actions: - "read" - "create" + - 'indices:data/read/get' + - 'indices:data/read/search' + - 'indices:data/write/bulk' + - 'indices:data/write/index' + - 'indices:data/write/update' + - 'indices:admin/mappings/get' + - 'indices:admin/get' tenant_permissions: [] static: false 
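Review bot: `"create"` is added to the `allowed_actions` that sit next to `"read"` for the `logs-app-*` pattern in `cf_user`, so if it resolves to an action group it lets every CF user write into the shared log indices. PATCH 11 makes this explicit by adding `indices:data/write/bulk`, `indices:data/write/index` and `indices:data/write/update` to the same list. Tenant write access to log indices undermines their value as an audit source, and any document-level filter on this block (none is visible in the hunk) should be checked for how it treats writes. I do not recognise `create` as a default action group, so confirm it is defined for this release; if it is not, it grants nothing. Keep this block at `"read"` and put Dashboards-related permissions in a separate role.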
diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index 11e5738f..459c8cc3 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh @@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user"]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user","indices:data/read/get","indices:data/read/search","indices:data/write/bulk","indices:data/write/index","indices:data/write/update","indices:admin/mappings/get","indices:admin/get"]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From d34ba61c97a11ea16e25ff73bf1304bcd1f7ea2a Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 21:18:01 -0500 Subject: [PATCH 12/21] updated to be closer --- .../templates/config/opensearch-security/roles.yml.erb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index c200a711..677fd17c 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -378,12 +378,5 @@ cf_user: allowed_actions: - "read" - "create" - - 'indices:data/read/get' - - 'indices:data/read/search' - - 'indices:data/write/bulk' - - 'indices:data/write/index' - - 'indices:data/write/update' - - 'indices:admin/mappings/get' - - 'indices:admin/get' tenant_permissions: [] static: false From c4a1cb3a82adb353fa341c4b0d43cb2e3703fa69 Mon Sep 17 00:00:00 2001 
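Review bot: The `indices:*` names are appended to the `allowed_actions` of `tenant_permissions`, which governs access to a Dashboards tenant and not to indices. Index actions belong in an `index_permissions` entry with its own `index_patterns`. As written they are at best ignored and at worst make the role PUT fail, which `curl -s` would hide. If any of them is really needed on the `${org}-tenant` role, scope it explicitly in the form `"index_permissions":[{"index_patterns":[...],"allowed_actions":[...]}]` and leave out the `indices:data/write/*` entries unless a write path is required.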
From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 22:42:27 -0500 Subject: [PATCH 13/21] getting funky with it --- .../config/opensearch-security/roles.yml.erb | 16 ++++++++++++++++ jobs/upload_tenant/templates/bin/run.sh | 2 +- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 677fd17c..053e460e 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -378,5 +378,21 @@ cf_user: allowed_actions: - "read" - "create" + - index_patterns: + - ".kibana*" + - ".opensearch_dashboards" + alllowed_actions + - "indices:data/read/get" + - "indices:data/read/mget" + - "indices:data/read/search" + - "indices:data/write/delete" + - "indices:data/write/bulk" + - "indices:data/write/index" + - "indices:data/write/update" + - "indices:admin/mappings/get" + - "indices:admin/get" + - "indices:admin/refresh" + - "indices:admin/aliases/get" + - "indices:admin/create", tenant_permissions: [] static: false diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index 459c8cc3..11e5738f 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh 
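Review bot: The new block gives `cf_user` read, write and delete actions directly on `.kibana*` and `.opensearch_dashboards`, which as far as I know is where Dashboards keeps every tenant's saved objects. Any CF user could then read or alter another organisation's dashboards through the index API, bypassing the per-org tenant roles created in `run.sh`. Tenant access is normally granted through `tenant_permissions`, not through index grants to end users. As committed the block is also not valid YAML: `alllowed_actions` is misspelled and has no colon, and the last entry ends in a stray comma. Later patches in the series fix these one at a time, so squashing them would keep every commit loadable.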
@@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user","indices:data/read/get","indices:data/read/search","indices:data/write/bulk","indices:data/write/index","indices:data/write/update","indices:admin/mappings/get","indices:admin/get"]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user"]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From 8d90c6ebe82219162bb356612869271d0e46d764 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Wed, 4 Dec 2024 22:46:44 -0500 Subject: [PATCH 14/21] broke it --- .../templates/config/opensearch-security/roles.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 053e460e..bc256899 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -393,6 +393,6 @@ cf_user: - "indices:admin/get" - "indices:admin/refresh" - "indices:admin/aliases/get" - - "indices:admin/create", + - "indices:admin/create" tenant_permissions: [] static: false From 3d36d3c6dd6a2930d6379f93af67aa5745aa633e Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 09:45:22 -0500 Subject: [PATCH 15/21] attempt at roles --- .../templates/config/opensearch-security/roles.yml.erb | 6 +++--- .../config/opensearch-security/roles_mapping.yml.erb | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index bc256899..3005e16c 100644 
--- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -380,8 +380,8 @@ cf_user: - "create" - index_patterns: - ".kibana*" - - ".opensearch_dashboards" - alllowed_actions + - ".opensearch_dashboards*" + alllowed_actions: - "indices:data/read/get" - "indices:data/read/mget" - "indices:data/read/search" @@ -393,6 +393,6 @@ cf_user: - "indices:admin/get" - "indices:admin/refresh" - "indices:admin/aliases/get" - - "indices:admin/create" + - "indices:admin/create" tenant_permissions: [] static: false diff --git a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb index d23ec5c4..7723ff30 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles_mapping.yml.erb @@ -53,6 +53,16 @@ cf_user: and_backend_roles: [] description: "CF users with privileges to their own spaces" +reports_full_access: + reserved: true + hidden: false + backend_roles: + - "user" + hosts: [] + users: [] + and_backend_roles: [] + description: "CF users with report access" + readall: reserved: false users: From 9304d1f33bc6f6a73f870498ef89487ae1a0e820 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 10:25:55 -0500 Subject: [PATCH 16/21] adding security tab? --- jobs/opensearch/templates/config/config.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/jobs/opensearch/templates/config/config.yml.erb b/jobs/opensearch/templates/config/config.yml.erb index c68ee090..ce94fe99 100644 --- a/jobs/opensearch/templates/config/config.yml.erb +++ b/jobs/opensearch/templates/config/config.yml.erb 
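Review bot: The new `reports_full_access` mapping lists `"user"` under `backend_roles`, the same backend role that maps to `cf_user`, so every CF user receives full reporting rights. Please confirm that is intended: if users only need to view and download generated reports, a read-only reporting role is the least-privilege choice. What a report can contain should also be checked against the per-space filtering applied to `cf_user`, which is not visible here. `reserved: true` means the mapping cannot be adjusted through the REST API or Dashboards afterwards, only by redeploying this template.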
@@ -21,6 +21,7 @@ plugins.security.nodes_dn: <% end %> <% end %> +plugins.security.restapi.roles_enabled: ["all_access"] <% if_p('opensearch.node.ssl.certificate') do %> plugins.security.ssl.transport.enforce_hostname_verification: false plugins.security.ssl.transport.pemkey_filepath: ssl/opensearch-node.key From 24a651ef368157fdb860b920b3fb595c974e7621 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 10:35:13 -0500 Subject: [PATCH 17/21] jason vs typos --- .../templates/config/opensearch-security/roles.yml.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 3005e16c..24e42f60 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -381,7 +381,7 @@ cf_user: - index_patterns: - ".kibana*" - ".opensearch_dashboards*" - alllowed_actions: + allowed_actions: - "indices:data/read/get" - "indices:data/read/mget" - "indices:data/read/search" From f096df5dd0edbb7d794d51499c8094db57b9ddb6 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 11:23:59 -0500 Subject: [PATCH 18/21] giving wanted roles --- .../templates/config/opensearch-security/roles.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 24e42f60..d6c7b774 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb 
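Review bot: `plugins.security.restapi.roles_enabled: ["all_access"]` lets any user mapped to `all_access` create and modify roles, role mappings and internal users over the security REST API, so this line needs a comment stating who is expected to hold that role. It appears to sit outside the surrounding `if_p` blocks and would therefore always be rendered. Suggest a comment such as `# Security REST API is limited to all_access; keep that mapping to platform admins only`, and verify in `roles_mapping.yml.erb` that no tenant-facing backend role maps to `all_access`.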
@@ -184,6 +184,7 @@ reports_full_access: - 'cluster:admin/opendistro/reports/instance/list' - 'cluster:admin/opendistro/reports/instance/get' - 'cluster:admin/opendistro/reports/menu/download' + - 'cluster:admin/opensearch/ql/datasources/read' # Allows users to use all asynchronous-search functionality asynchronous_search_full_access: From c8b8399757aa192f511bc8fd63dc6dd6fc73f525 Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 12:11:04 -0500 Subject: [PATCH 19/21] adding in needed permissions --- jobs/upload_tenant/templates/bin/run.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index 11e5738f..3cc76122 100644 --- a/jobs/upload_tenant/templates/bin/run.sh +++ b/jobs/upload_tenant/templates/bin/run.sh @@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_user"]}]}' + -H 'Content-Type: application/json' -d'{"index_permissions":[{"index_patterns":["logs-app-*"],"allowed_actions":["indices:monitor/settings/get"]}],"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_all_write"]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \ From 91946bd8712f00cb784243b625f260932a51a44f Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 12:28:04 -0500 Subject: [PATCH 20/21] adding in security feature and reporting --- .../config/opensearch-security/roles.yml.erb | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index d6c7b774..1ba20db2 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb 
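Review bot: `cluster:admin/opensearch/ql/datasources/read` is a data-source permission, not a reporting one, so adding it to `reports_full_access` makes the role name misleading. It also hands the permission to everyone mapped to that role, which after PATCH 15 is every holder of the `user` backend role. If `reports_full_access` is one of the plugin's predefined roles, local edits to it are easy to lose on upgrade. A small dedicated role for the data-source read, mapped only to those who need it, keeps the grant auditable. The role body begins outside the hunk.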
+++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -184,7 +184,6 @@ reports_full_access: - 'cluster:admin/opendistro/reports/instance/list' - 'cluster:admin/opendistro/reports/instance/get' - 'cluster:admin/opendistro/reports/menu/download' - - 'cluster:admin/opensearch/ql/datasources/read' # Allows users to use all asynchronous-search functionality asynchronous_search_full_access: @@ -378,22 +377,5 @@ cf_user: fls: allowed_actions: - "read" - - "create" - - index_patterns: - - ".kibana*" - - ".opensearch_dashboards*" - allowed_actions: - - "indices:data/read/get" - - "indices:data/read/mget" - - "indices:data/read/search" - - "indices:data/write/delete" - - "indices:data/write/bulk" - - "indices:data/write/index" - - "indices:data/write/update" - - "indices:admin/mappings/get" - - "indices:admin/get" - - "indices:admin/refresh" - - "indices:admin/aliases/get" - - "indices:admin/create" tenant_permissions: [] static: false From 3110cd5331230e9c170db90cdd72e06960c76dca Mon Sep 17 00:00:00 2001 From: "Jason A. Gambino" Date: Thu, 5 Dec 2024 12:39:57 -0500 Subject: [PATCH 21/21] removing perm from tenant and giving to user --- .../templates/config/opensearch-security/roles.yml.erb | 1 + jobs/upload_tenant/templates/bin/run.sh | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb index 1ba20db2..21889d81 100644 --- a/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb +++ b/jobs/opensearch/templates/config/opensearch-security/roles.yml.erb @@ -377,5 +377,6 @@ cf_user: fls: allowed_actions: - "read" + - "indices:monitor/settings/get" tenant_permissions: [] static: false diff --git a/jobs/upload_tenant/templates/bin/run.sh b/jobs/upload_tenant/templates/bin/run.sh index 3cc76122..b29c3a2d 100644 --- a/jobs/upload_tenant/templates/bin/run.sh 
+++ b/jobs/upload_tenant/templates/bin/run.sh @@ -28,7 +28,7 @@ curl -X PUT \ curl -X PUT \ ${CA} ${CERT} ${KEY} \ -s https://localhost:9200/_plugins/_security/api/roles/${org}-tenant \ - -H 'Content-Type: application/json' -d'{"index_permissions":[{"index_patterns":["logs-app-*"],"allowed_actions":["indices:monitor/settings/get"]}],"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_all_write"]}]}' + -H 'Content-Type: application/json' -d'{"tenant_permissions":[{"tenant_patterns": ['"${org_quoted}"'],"allowed_actions": ["kibana_all_write"]}]}' curl -X PUT \ ${CA} ${CERT} ${KEY} \