
Despite Read Only Dashboard Role a user can rearrange visualizations on a dashboard #917

Closed
Tracked by #2701
inf17101 opened this issue Mar 7, 2022 · 4 comments
Labels
bug Something isn't working good first issue Good for newcomers hacktoberfest Global event that encourages people to contribute to open-source. help wanted Extra attention is needed, need help from community triaged

Comments


inf17101 commented Mar 7, 2022

Describe the bug
If you create a Read Only User according to the documentation (https://opensearch.org/docs/latest/security-plugin/access-control/users-roles/#set-up-a-read-only-user-in-opensearch-dashboards) a user is able to rearrange visualizations on a dashboard and can save the dashboard.

I have used the predefined kibana roles of the roles.yml instead of the renamed roles according to the documentation:

  • kibana_user
  • kibana_read_only
  • custom_role according to documentation plus restriction to specific tenant

To Reproduce
Steps to reproduce the behavior:

  1. Create a tenant
  2. Create a read only user according to documentation
  3. Restrict the custom role for the read only user to the tenant
  4. Log in and access a dashboard
  5. Rearrange some visualizations
  6. Click on save

Expected behavior
It would be very nice to have a "really" read only role that looks like the following:

  1. The user cannot see any edit, create or change buttons.
  2. The user cannot rearrange visualizations on dashboards
  3. The user can only use a certain time range -> document level security filter causes errors if data outside the time range is inside the cluster
  4. In addition: Ability to switch on and off the reporting button (if a user should be able to create a report on demand then a reporting button should be shown; if the user should not be able to create reports the button should not be visible to the user).

OpenSearch Version
1.2.2

Dashboards Version
1.2.0

Plugins

Please list all plugins currently enabled.

If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • Opensearch and Opensearch Dashboards are running on Linux Ubuntu Server 20.04
  • Win10 / Chrome Version 98.0.4758.102

Additional context

It would be nice to have more granular access control with a more adaptive Web UI according to the permissions of RBAC.
You have to imagine that if you want to use Opensearch in production then it is very hard to discuss with "Read Only" Users why they can rearrange the visualizations or can see any edit / create or reporting buttons if they are not allowed to do that.

From a company's point of view it would be very nice to see a full documentation about the process and steps to create a secure "read only" user to make sure no unnecessary dashboard buttons are available for the user, the user cannot change anything and the user cannot see data from other spaces / indices they do not own.

@inf17101 inf17101 added bug Something isn't working untriaged labels Mar 7, 2022
Member

kavilla commented Mar 7, 2022

Hello @inf17101, thanks for opening! Re-routing to the security plugin repo.

@kavilla kavilla transferred this issue from opensearch-project/OpenSearch-Dashboards Mar 7, 2022
@peternied peternied added help wanted Extra attention is needed, need help from community and removed untriaged labels Apr 1, 2022
@peternied
Member

[Triage] This is a good issue for a first-time contribution

@peternied peternied added the good first issue Good for newcomers label Apr 1, 2022
@davidlago davidlago added triaged hacktoberfest Global event that encourages people to contribute to open-source. labels Oct 10, 2022
@nibix

nibix commented May 19, 2023

See opensearch-project/security#2701 (comment) for an analysis of the kibana_read_only role feature.

@davidlago

Work to re-think the read only mode is happening in that issue that @nibix points at (opensearch-project/security#2701), closing this one in its favor.
