Add read-only role page to documents #5783 #6806
Signed-off-by: AntonEliatra <[email protected]>
Thanks, @AntonEliatra! I like the use of screen shots here. Can you please address the Vale errors? @scrawfor99 - Can you please review for technical accuracy? We'll need to address the duplicate information here: https://opensearch.org/docs/latest/security/access-control/users-roles/#set-up-a-read-only-user-in-opensearch-dashboards. Also, I don't see that role name in the table, only kibana_read_only: https://opensearch.org/docs/latest/security/access-control/users-roles/#predefined-roles.
Signed-off-by: AntonEliatra <[email protected]>
@hdhalter the Vale errors are fixed. Regarding the information on https://opensearch.org/docs/latest/security/access-control/users-roles/#set-up-a-read-only-user-in-opensearch-dashboards: using v2.12.0 I don't see those two roles in the UI (opensearch_dashboards_user and opensearch_dashboards_read_only) and I am unable to use them via the API.
Looks good from a technical aspect; left some clarity comments.
> ## Basic read only role
>
> If you are looking to create a role to access OpenSearch Dashboards, view existing dashboards/visualizations and query different indexes, assuming you want the user to have read access to all indexes and tenants, you can add cluster permission group of `cluster_composite_ops_ro`, `read` access to all indexes (`*`) and `read` access to all tenants
Not sure if we should use "indices." Ask @Naarcha-AWS
I would consider explaining each of these. Without knowing the background it is not super obvious what `cluster_composite_ops_ro` is for. Likewise it may not be obvious why you restate the permissions at different levels, so you may want to clarify this.
@scrawfor99 good point, I've expanded on this, let me know if below is better:

Basic read only role

If you are looking to create a role to access OpenSearch Dashboards, view existing dashboards/visualizations and query different indexes, assuming you want the user to have read access to all indexes and tenants, you can use the following permissions.

Cluster permission

Cluster permission is needed to access cluster-wide resources like visualizations and dashboards. For a read-only user, you add the already created `cluster_composite_ops_ro` permission.

Indexes permission

In order to view visualizations, the user needs to have access to the index that was used to create them. In this case you can add `read` permission to all (`*`) indexes.

Tenant permissions

If you are using tenants to separate work areas between different teams/projects, visualizations and dashboards are saved in a specific tenant. To be able to view these, the user needs `read` access to the correct tenant. To keep things more straightforward, we are giving the user access to all (`*`) tenants.
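As an added example (not code from this PR or from the OpenSearch project), the three permission levels in the proposal above, cluster, index and tenant, expressed as the body of a Security REST API role, together with a small lint that flags any write-capable action so the role cannot quietly stop being read-only, and the `PUT` request built but not sent. The role name, host and mapped user names are placeholders; the set of write-capable action groups is constructed from the standard OpenSearch action groups and is an assumption for a cluster that defines custom groups. In the API the tenant-level "read" from the proposal is the `kibana_all_read` action.

```python
"""Build, lint and package a basic read-only OpenSearch Security role.

Added example; not the project's own code. Names below are placeholders.
"""
import json
from urllib.request import Request

ROLE_NAME = "dashboards_read_only_example"                      # assumed placeholder
SECURITY_API = "https://localhost:9200/_plugins/_security/api"  # assumed host


def read_only_role() -> dict:
    """The role body for PUT _plugins/_security/api/roles/<name>."""
    return {
        # Cluster level: composite read operations (msearch, mget, ...) that
        # Dashboards issues when rendering visualizations and dashboards.
        "cluster_permissions": ["cluster_composite_ops_ro"],
        # Index level: read on every index, so any visualization's backing
        # index can be queried.
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["read"]}
        ],
        # Tenant level: read access to saved objects in every tenant.
        "tenant_permissions": [
            {"tenant_patterns": ["*"], "allowed_actions": ["kibana_all_read"]}
        ],
    }


# Action groups and raw action-name prefixes that grant write or admin rights.
# Constructed from the standard action groups (assumption: custom action groups
# in a real cluster would have to be expanded before linting).
WRITE_CLUSTER = {"*", "cluster_all", "cluster_composite_ops",
                 "cluster_manage_index_templates", "manage_snapshots"}
WRITE_INDEX = {"*", "indices_all", "write", "crud", "create_index", "delete",
               "index", "manage", "manage_aliases"}
WRITE_TENANT = {"kibana_all_write"}
WRITE_PREFIXES = ("indices:data/write/", "indices:admin/", "cluster:admin/")


def _offending(actions, groups):
    """Actions that are a known write group or a raw write/admin action name."""
    return [a for a in actions if a in groups or a.startswith(WRITE_PREFIXES)]


def lint_read_only(role: dict) -> list:
    """Return findings; an empty list means the role grants no writes."""
    findings = []
    for a in _offending(role.get("cluster_permissions", []), WRITE_CLUSTER):
        findings.append(f"cluster permission grants writes: {a}")
    for perm in role.get("index_permissions", []):
        for a in _offending(perm.get("allowed_actions", []), WRITE_INDEX):
            findings.append(f"index {perm.get('index_patterns')} grants writes: {a}")
    for perm in role.get("tenant_permissions", []):
        for a in _offending(perm.get("allowed_actions", []), WRITE_TENANT):
            findings.append(f"tenant {perm.get('tenant_patterns')} grants writes: {a}")
    return findings


def put_role_request(name: str, role: dict) -> Request:
    """Build (but do not send) PUT _plugins/_security/api/roles/<name>."""
    return Request(
        f"{SECURITY_API}/roles/{name}",
        data=json.dumps(role).encode(),
        headers={"Content-Type": "application/json"},
        method="PUT",
    )


def role_mapping(users=(), backend_roles=()) -> dict:
    """Body for PUT _plugins/_security/api/rolesmapping/<name>.

    For the certificate step discussed in this PR, the user name to map is the
    name the Security plugin derives from the client certificate (its CN).
    """
    return {"users": list(users), "backend_roles": list(backend_roles)}


if __name__ == "__main__":
    role = read_only_role()
    problems = lint_read_only(role)
    print("lint findings:", problems or "none")
    req = put_role_request(ROLE_NAME, role)
    print(req.get_method(), req.full_url)
    print(json.dumps(role, indent=2))
    # "reader.example" is a constructed placeholder user name.
    print(json.dumps(role_mapping(users=["reader.example"]), indent=2))
```

Running the script prints the request that would be sent and the two JSON bodies; the lint is the useful part to keep in a CI check over `roles.yml` or API payloads, since a later edit that adds `crud`, `kibana_all_write` or a raw `indices:data/write/*` action to the "read-only" role is exactly the regression that is hard to spot by eye.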
Co-authored-by: Stephen Crawford <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
Co-authored-by: Stephen Crawford <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
…t#5783 Signed-off-by: AntonEliatra <[email protected]>
Signed-off-by: AntonEliatra <[email protected]>
Signed-off-by: AntonEliatra <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
Doc review complete
Thanks, al! I sent it for editorial review.
@AntonEliatra @hdhalter Please see my comments and changes and let me know if you have any questions. Thanks!
Original:

> You can now assign your certificate's common name (CN) to a role. For this step, you must know your certificate's CN and the role you want to assign to. To get a list of all predefined roles in OpenSearch, refer to our [list of predefined roles]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#predefined-roles). If you want to first create a role, refer to [how to create a role]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#create-users), and then map your certificate's CN to that role.

Suggested:

> You can now assign your certificate's common name (CN) to a role. This step requires you to identify the certificate's CN and the role you want to assign it to. To view a list of all predefined roles in OpenSearch, see [Predefined roles]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#predefined-roles). To get started, first [define a role]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#defining-roles) and then map your certificate's CN to that role.
"predefined OpenSearch roles" instead of "predefined roles in OpenSearch"?
_security/configuration/yaml.md (Outdated)
@@ -165,7 +165,7 @@ plugins.security.restapi.password_validation_error_message: "Password must be mi | |||
|
|||
In addition, a score-based password strength estimator allows you to set a threshold for password strength when creating a new internal user or updating a user's password. This feature makes use of the [zxcvbn library](https://github.com/dropbox/zxcvbn) to apply a policy that emphasizes a password's complexity rather than its capacity to meet traditional criteria such as uppercase keys, numerals, and special characters. | |||
|
|||
For information about creating users, see [Create users]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#create-users). | |||
For information about creating users, see [Defining users]({{site.url}}{{site.baseurl}}/security/access-control/users-roles/#defining-users). |
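Review bot: the retargeted anchor `#defining-users` only resolves if the users-roles page has a heading whose generated id is `defining-users`; that page is being restructured in this same PR (the suggested certificate paragraph above links `#defining-roles` instead of the old `#create-users`), so confirm both renamed headings exist in the target file before merging, otherwise the link silently lands at the top of the page. Also, the unchanged lead "For information about creating users" now sits next to link text that says "Defining users"; aligning the lead with the link text ("For information about defining users, see [Defining users]...") would read consistently.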
I'm assuming that this change is correct, but should it then read "about defining users"? It's a bit of a non sequitur now as written.
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Editorial fixes. Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
Editorial fix Signed-off-by: Heather Halter <[email protected]>
@AntonEliatra - I've addressed all of Nathan's feedback except two items, where we need to introduce the images. Can you please address those comments and also accept my two comments? Thanks so much!
Co-authored-by: Heather Halter <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
Signed-off-by: AntonEliatra <[email protected]>
@hdhalter that's added now
Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
Hi @natebower I'm a little confused regarding
@AntonEliatra Yes: Use a colon to introduce example blocks (for example, code and scripts) and most lists. Do not use a colon to introduce tables or images. See here. Thanks!
This looks good to me! @natebower - are you good with it?
LGTM
* adding read-only role page to documents #5783 Signed-off-by: AntonEliatra <[email protected]>
* fixing vale errors on read-only page #5783 Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/read-only-role.md Co-authored-by: Stephen Crawford <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/read-only-role.md Co-authored-by: Stephen Crawford <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* applying the suggested fixed to read only mode page #5783 Signed-off-by: AntonEliatra <[email protected]>
* adding section on restapi roles to readonly_mode #5783 Signed-off-by: AntonEliatra <[email protected]>
* adding section on restapi roles to readonly_mode #5783 Signed-off-by: AntonEliatra <[email protected]>
* Apply suggestions from code review Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* moving read only role content into Users and Roles page#5783 Signed-off-by: AntonEliatra <[email protected]>
* moving read only role content into Users and Roles page#5783 Signed-off-by: AntonEliatra <[email protected]>
* moving read only role content into Users and Roles page#5783 Signed-off-by: AntonEliatra <[email protected]>
* moving read only role content into Users and Roles page#5783 Signed-off-by: AntonEliatra <[email protected]>
* moving read only role content into Users and Roles page#5783 Signed-off-by: AntonEliatra <[email protected]>
* Update users-roles.md Made some info architecture changes to topic Signed-off-by: Heather Halter <[email protected]>
* Update users-roles.md Tweaked the wording in the 'example' section Signed-off-by: Heather Halter <[email protected]>
* Update users-roles.md Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* Update users-roles.md Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Naarcha-AWS <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/users-roles.md Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Signed-off-by: Heather Halter <[email protected]>
* fixing broken links #5783 Signed-off-by: AntonEliatra <[email protected]>
* removing duplicate details from user-role page #5783 Signed-off-by: AntonEliatra <[email protected]>
* Apply suggestions from code review Co-authored-by: Heather Halter <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* Update users-roles.md Added link to https://opensearch.org/docs/latest/security/authentication-backends/ldap/ Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Apply suggestions from code review Co-authored-by: Melissa Vagi <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update _security/access-control/users-roles.md Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Apply suggestions from code review Editorial fixes. Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: Heather Halter <[email protected]>
* Update users-roles.md Editorial fix Signed-off-by: Heather Halter <[email protected]>
* Apply suggestions from code review Co-authored-by: Heather Halter <[email protected]> Signed-off-by: AntonEliatra <[email protected]>
* adding reference to images #5783 Signed-off-by: AntonEliatra <[email protected]>
* Apply suggestions from code review Co-authored-by: Nathan Bower <[email protected]> Signed-off-by: AntonEliatra <[email protected]>

---------

Signed-off-by: AntonEliatra <[email protected]>
Signed-off-by: Heather Halter <[email protected]>
Co-authored-by: Stephen Crawford <[email protected]>
Co-authored-by: Naarcha-AWS <[email protected]>
Co-authored-by: Heather Halter <[email protected]>
Co-authored-by: Melissa Vagi <[email protected]>
Co-authored-by: Nathan Bower <[email protected]>
(cherry picked from commit 5f98cb8)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
Adding a read-only role page to the documentation, covering read-only access to OpenSearch Dashboards objects and readonly_mode. UI screenshots are used to demonstrate the process.
Issues Resolved
Closes #5783
Closes #4947