No permission for custom backend role in Opensearch dashboard (kibana)


I have OpenSearch running with Keycloak as the OIDC provider, and I get this 403 error after logging in to OpenSearch:

{"statusCode":403,"error":"Forbidden","message":"no permissions for [indices:data/read/search] and User [name=demo.demo, backend_roles=[kibana_second], requestedTenant=null]: security_exception"}

By default there is a "kibana_user" role which has "kibanauser" as its backend role. If my OIDC user "demo.demo" has the "kibanauser" role attached, everything works fine and this user has permission to see dashboards, Discover and index patterns.

User [name=demo.demo, backend_roles=[kibanauser]..]

But this role is dangerous to assign to every user because the user can delete an index pattern or change the global settings. I want to have a role only to view dashboards and Discover. As a first step, I duplicated the "kibana_user" role under the new name "kibana_user_copy" and mapped it to a new backend role I created, "kibana_second". The backend role was also attached to my user in the OIDC provider. Meaning:

User [name=demo.demo, backend_roles=[kibana_second]..]

So far so good; now, as you can see from the error, my "demo.demo" user has the new backend role, and it has all the permissions that "kibana_user" would have (because "kibana_user_copy" is a duplicate of "kibana_user"). What I'm wondering: all permissions are the same, only the backend role is not the predefined "kibanauser". But it doesn't work, and I see only blank pages for Dashboards and Discover (403).

Does anyone have an idea what is missing here?

Thanks in advance


The issue was solved by adding tenancy to this duplicated role.
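Added example, not from the question or the answer above: a viewer role for the custom backend role "kibana_second" that carries the tenant permissions the duplicated role lacked, and only read access instead of the full kibana_user copy, plus a small check that flags both problems. The "logs-*" data index pattern, the cluster URL and the approximation of kibana_user's permissions are assumptions; the action-group names follow the OpenSearch Security plugin defaults.

```python
"""Read-only OpenSearch Dashboards role for backend role 'kibana_second' (added example)."""
import json
import urllib.request

SAVED_OBJECT_PATTERNS = [".kibana", ".kibana_*", ".opensearch_dashboards", ".opensearch_dashboards_*"]
WRITE_LIKE = {"index", "write", "delete", "manage", "indices_all", "crud", "unlimited"}

# Approximation of a plain copy of kibana_user with no tenant_permissions (assumed to
# match what the question's "kibana_user_copy" looked like).
KIBANA_USER_COPY = {
    "cluster_permissions": ["cluster_composite_ops"],
    "index_permissions": [{"index_patterns": SAVED_OBJECT_PATTERNS,
                           "allowed_actions": ["read", "delete", "manage", "index"]}],
}

# Viewer role: read on the saved-object indices and on the data, read-only on the global tenant.
DASHBOARDS_VIEWER = {
    "cluster_permissions": ["cluster_composite_ops_ro"],
    "index_permissions": [
        {"index_patterns": SAVED_OBJECT_PATTERNS, "allowed_actions": ["read"]},
        {"index_patterns": ["logs-*"], "allowed_actions": ["read"]},  # assumed data indices
    ],
    "tenant_permissions": [{"tenant_patterns": ["global_tenant"], "allowed_actions": ["kibana_all_read"]}],
}

# Maps the role to the backend role that the OIDC provider puts on the user.
ROLE_MAPPING = {"backend_roles": ["kibana_second"], "hosts": [], "users": []}

def dashboards_role_gaps(role):
    """List what is wrong with a role meant for Dashboards users: no tenant access gives a 403
    on every page; write-like actions on the saved-object indices let a viewer delete index patterns."""
    gaps = []
    if not role.get("tenant_permissions"):
        gaps.append("no tenant_permissions")
    for perm in role.get("index_permissions", []):
        touches_saved_objects = any(p in SAVED_OBJECT_PATTERNS for p in perm["index_patterns"])
        if touches_saved_objects and WRITE_LIKE & set(perm["allowed_actions"]):
            gaps.append("write access to saved objects")
    return gaps

def put_security_object(base_url, kind, name, body, auth_header):
    """PUT a 'roles' or 'rolesmapping' object through the Security plugin REST API (admin user needed)."""
    req = urllib.request.Request(f"{base_url}/_plugins/_security/api/{kind}/{name}",
                                 data=json.dumps(body).encode(), method="PUT",
                                 headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    print(dashboards_role_gaps(KIBANA_USER_COPY))   # ['no tenant_permissions', 'write access to saved objects']
    print(dashboards_role_gaps(DASHBOARDS_VIEWER))  # []
    # put_security_object("https://localhost:9200", "roles", "dashboards_viewer", DASHBOARDS_VIEWER, "Basic ...")
    # put_security_object("https://localhost:9200", "rolesmapping", "dashboards_viewer", ROLE_MAPPING, "Basic ...")
```

The two commented-out calls create the role and its mapping on a cluster; the mapping is what ties the role to the "kibana_second" backend role so the OIDC user picks it up without the reserved "kibanauser" role.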