[BUG] Roles inconsistency #4730

Closed
n9 opened this issue Sep 13, 2024 · 7 comments
Labels
bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized

Comments


n9 commented Sep 13, 2024

What is the bug?
The current documentation says:

> roles.yml
> This file contains any initial roles that you want to add to the Security plugin. Aside from some metadata, the default file is empty, because the Security plugin has a number of static roles that it adds automatically.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Read the current documentation to see the text above.
  2. Open /usr/share/opensearch/config/opensearch-security/roles.yml from the opensearch image and see that the file contains roles.

What is the expected behavior?
Either the file should be empty or the documentation should not say that.

What is your host/environment?

  • OS: N/A
  • Version 2.16
  • Plugins: Security

Do you have any screenshots?
Not needed.

Do you have any additional context?

> because the Security plugin has a number of static roles that it adds automatically

Is this still true? Where can I find it in the source code?

@n9 n9 added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Sep 13, 2024
Author

n9 commented Sep 13, 2024

I have found the static roles in the source code: https://github.com/opensearch-project/security/blob/2.16.0.0/src/main/resources/static_config/static_roles.yml

There is for example: kibana_user with description Provide the minimum permissions for a kibana user:

kibana_user:
  reserved: true
  hidden: false
  static: true
  description: "Provide the minimum permissions for a kibana user"
  cluster_permissions:
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        - ".kibana"
        - ".kibana-6"
        - ".kibana_*"
        - ".opensearch_dashboards"
        - ".opensearch_dashboards-6"
        - ".opensearch_dashboards_*"
      allowed_actions:
        - "read"
        - "delete"
        - "manage"
        - "index"
    - index_patterns:
        - ".tasks"
        - ".management-beats"
        - "*:.tasks"
        - "*:.management-beats"
      allowed_actions:
        - "indices_all"

In roles.yml there is a similar role kibana_read_only with comment: Restrict users so they can only view visualization and dashboard on OpenSearchDashboards, but empty content:

# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
  reserved: true

Why do these two have "so" different content?

Member

cwperks commented Sep 16, 2024

[Triage] @n9 kibana_read_only is a special role w/o permissions. It gets functionality through a setting in opensearch_dashboards.yml:

 opensearch_security.readonly_mode.roles: [kibana_read_only]

A user mapped to this role can view saved objects, but cannot save saved objects. Saved objects is a generic term for items such as:

  • index patterns
  • visualizations
  • dashboards
  • etc.

Closing this issue. Please let me know if you need any further information.

For general questions I would also recommend posting on the OpenSearch forum: https://forum.opensearch.org/c/security/3

@cwperks cwperks closed this as completed Sep 16, 2024
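
An added example, not part of the thread or the project's code: a small Python check that lists the roles in a roles.yml-style file that carry no cluster, index or tenant permissions, such as kibana_read_only, whose effect comes from a setting elsewhere. The sample text is constructed from the snippets quoted above, and the line-based scan assumes unquoted top-level role names and indented role bodies rather than full YAML parsing.

```python
import re

# Constructed sample in the shape of the roles.yml / static_roles.yml entries quoted in this thread.
SAMPLE_ROLES_YML = """\
_meta:
  type: "roles"
  config_version: 2
# Restrict users so they can only view visualization and dashboard on OpenSearchDashboards
kibana_read_only:
  reserved: true
kibana_user:
  reserved: true
  static: true
  cluster_permissions:
    - "cluster_composite_ops"
  index_permissions:
    - index_patterns:
        - ".kibana"
      allowed_actions:
        - "read"
"""

PERMISSION_KEYS = {"cluster_permissions", "index_permissions", "tenant_permissions"}
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_.\-]+):\s*(?:#.*)?$")   # unindented "name:"
NESTED_KEY = re.compile(r"^\s+([A-Za-z0-9_]+):\s*(.*)$")          # indented "key: value"


def roles_without_permissions(text):
    """Return, in file order, the roles whose block grants no permissions."""
    roles = {}       # role name -> set of keys seen inside its block
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        top = TOP_LEVEL_KEY.match(line)
        if top:
            current = top.group(1)
            roles[current] = set()
            continue
        nested = NESTED_KEY.match(line)
        if nested and current is not None:
            key, value = nested.group(1), nested.group(2).strip()
            if key in PERMISSION_KEYS and value == "[]":
                continue                  # an explicitly empty list grants nothing
            roles[current].add(key)
    return [name for name, keys in roles.items()
            if name != "_meta" and not keys & PERMISSION_KEYS]


if __name__ == "__main__":
    print(roles_without_permissions(SAMPLE_ROLES_YML))
```

A role reported here is not necessarily inert: as the comment above explains, kibana_read_only takes effect through opensearch_security.readonly_mode.roles in opensearch_dashboards.yml.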
Author

n9 commented Sep 16, 2024

@cwperks What about the bug that the default roles file is not empty? (But according to the documentation it should be.)

Member

cwperks commented Sep 16, 2024

@n9 You're right, that should be changed. The roles.yml file contains default roles that grant functionality to plugins that are shipped in the default distributions. The documentation-website should be updated to reflect that.

Member

cwperks commented Sep 18, 2024

@n9 Opened a documentation PR here: opensearch-project/documentation-website#8334

Author

n9 commented Sep 18, 2024

> The roles.yml file contains default roles that grant functionality to plugins that are shipped in the default distributions.

@cwperks But why is kibana_user static, but kibana_read_only default?

Member

cwperks commented Sep 18, 2024

I can't really tell based on the history: #96

There is some overlap between the meanings of "reserved" and "static" and if I had to guess, it was added to config/roles.yml at first and never changed.

This comment goes into the difference between static and reserved: #4387 (comment)
