The kibana_user role previously granted index-level permissions on .kibana_*,
.kibana-6, .opensearch_dashboards_*, .opensearch_dashboards-6, .tasks, and
.management-beats. These are unnecessary for the standard Dashboards UI flow.
The PrivilegesInterceptor (legacy) and DashboardsMultitenancySystemIndexHandler
(nextgen) handle tenant access entirely through the .kibana alias rewrite and
DocumentAllowList thread context mechanism:
1. Requests go through the .kibana alias
2. The interceptor validates tenant_permissions
3. The request is rewritten to the concrete tenant index
4. A DocumentAllowList is stashed in the thread context for shard-level access
No additional index permissions are needed. The .tasks and .management-beats
entries are a legacy artifact (.tasks is now a system index, .management-beats
is unused by OpenSearch Dashboards).
Changes:
- static_roles.yml: Narrow kibana_user to only .kibana and
.opensearch_dashboards alias permissions
- DashboardMultiTenancyIntTests: Add tests verifying users cannot access
other users concrete tenant indices without the securitytenant header
Signed-off-by: Craig Perkins <cwperx@amazon.com>
Description
Removes
.kibana_*,.opensearch_dashboards_*,.kibana-6,.opensearch_dashboards-6,.tasks, and.management-beatsfrom thekibana_userstatic role'sindex_permissions. This ensures thattenant_permissionsis the sole mechanism controlling tenant access, rather than broad index-level permissions.Background
The
kibana_userrole previously grantedread,index,delete,manageon.kibana_*. This pattern matches every concrete tenant index (e.g.,.kibana_{hash}_{username}), allowing any user with the role to directly access these indices.The Security plugin's
PrivilegesInterceptor(legacy) andDashboardsMultitenancySystemIndexHandler(nextgen) already handle tenant access entirely through:.kibanaalias to the correct concrete tenant indextenant_permissionsfor the requested tenantDocumentAllowListin the thread context to grant access to the concrete index for downstream shard-level operationsNo additional index permissions are needed for the standard Dashboards UI flow, which always sends the
securitytenantheader.The
.tasksentry is redundant (.tasksis now a system index with its own protection), and.management-beatsis not used by OpenSearch Dashboards.Testing
All 468 existing
DashboardMultiTenancyIntTestspass (both legacy and nextgen evaluator paths), confirming that Dashboards operations work correctly withtenant_permissionsalone.New tests added:
mget_concreteIndexWithoutTenantHeader_shouldBeDeniedsearch_concreteIndexWithoutTenantHeader_shouldBeDeniedbulk_concreteIndexWithoutTenantHeader_shouldBeDeniedBreaking change note
Users who rely on direct API access (e.g., curl, Dev Tools) to concrete
.kibana_*tenant indices without thesecuritytenantheader will need to either:securitytenantheader to their requests, or.kibana_*index permissionsThe standard Dashboards UI workflow is unaffected.
Related issues
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.