diff --git a/_security/multi-tenancy/multi-tenancy-config.md b/_security/multi-tenancy/multi-tenancy-config.md
index a4da35d6e9..82e63cf3ba 100644
--- a/_security/multi-tenancy/multi-tenancy-config.md
+++ b/_security/multi-tenancy/multi-tenancy-config.md
@@ -27,7 +27,7 @@ config:
 | `multitenancy_enabled` | Enable or disable multi-tenancy. Default is `true`. |
 | `private_tenant_enabled` | Enable or disable the private tenant. Default is `true`. |
 | `default_tenant` | Use to set the tenant that is available when users log in. |
-| `server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. |
+| `server_username` | Must match the name of the OpenSearch Dashboards server user from `opensearch_dashboards.yml`. Default is `kibanaserver`. If a different user is configured, make sure this user is mapped to `kibana_server` role via `role_mappings.yml` file, to give the appropriate permissions listed in [kibana_server role details]({{site.url}}{{site.baseurl}}/security/multi-tenancy/multi-tenancy-config/#kibana_server-role-details) |
 | `index` | Must match the name of the OpenSearch Dashboards index from `opensearch_dashboards.yml`. Default is `.kibana`. |
 | `do_not_fail_on_forbidden` | When `true`, the Security plugin removes any content that a user is not allowed to see from the search results. When `false`, the plugin returns a security exception. Default is `false`. |
@@ -149,3 +149,93 @@ The Security plugin scrubs these index names of special characters, so they migh
 {: .tip }
 To back up your OpenSearch Dashboards data, [take a snapshot]({{site.url}}{{site.baseurl}}/opensearch/snapshots/snapshot-restore/) of all tenant indexes using an index pattern such as `.kibana*`.
+
+## `kibana_server` role details
+
+`kibana_server` role is used by OpenSearch Dashboards to perform necessary operations on OpenSearch. By default `kibanauser` is mapped to this role via `role_mappings.yml`. You can view the full list of permissions assigned to this role by running `GET` request on `_plugins/_security/api/roles/kibana_server` API using admin certificate, key and certificate authority file.
+Following is the full list of permissions assigned to this role:
+
+```
+{
+ "kibana_server" : {
+ "reserved" : true,
+ "hidden" : false,
+ "description" : "Provide the minimum permissions for the Kibana server",
+ "cluster_permissions" : [
+ "cluster_monitor",
+ "cluster_composite_ops",
+ "manage_point_in_time",
+ "indices:admin/template*",
+ "indices:admin/index_template*",
+ "indices:data/read/scroll*"
+ ],
+ "index_permissions" : [
+ {
+ "index_patterns" : [
+ ".kibana",
+ ".opensearch_dashboards"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices_all"
+ ]
+ },
+ {
+ "index_patterns" : [
+ ".kibana-6",
+ ".opensearch_dashboards-6"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices_all"
+ ]
+ },
+ {
+ "index_patterns" : [
+ ".kibana_*",
+ ".opensearch_dashboards_*"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices_all"
+ ]
+ },
+ {
+ "index_patterns" : [
+ ".tasks"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices_all"
+ ]
+ },
+ {
+ "index_patterns" : [
+ ".management-beats*"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices_all"
+ ]
+ },
+ {
+ "index_patterns" : [
+ "*"
+ ],
+ "fls" : [ ],
+ "masked_fields" : [ ],
+ "allowed_actions" : [
+ "indices:admin/aliases*"
+ ]
+ }
+ ],
+ "tenant_permissions" : [ ],
+ "static" : true
+ }
+}
+```