Error Log: A user logs into OpenSearch Dashboards, but instead of seeing the UI, they get a full-screen error or a popup that says:
```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User [name=new_user, roles=[], ...]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [cluster:monitor/main] and User [name=new_user, roles=[], ...]"
  },
  "status": 403
}
```
Why is this happening? This is a very common Security plugin authorization error. The user (new_user in this case) was able to authenticate (log in), but they lack the bare minimum permissions required to use OpenSearch Dashboards.
To even load the main page, Dashboards needs to make several API calls to OpenSearch, such as cluster:monitor/main (to check cluster health/info) and others, to get version information and load saved objects.
This error means the user’s mapped roles do not grant any of these basic permissions. They are an authenticated user with zero privileges.
Best Practice:
- Assign a Default Role: Every user who needs to log in to Dashboards should be mapped to at least one role that gives them basic access. The Security plugin comes with built-in, read-only roles that are perfect for this.
- Use Built-in Roles:
  - opensearch_dashboards_user: This is the exact role designed for this purpose. It grants the minimum set of permissions needed to use Dashboards and read from the .opensearch_dashboards saved object index.
  - readall: This is a broader read-only role.
- Fix Your Role Mappings:
  - Go to Dashboards > Security > Role Mappings.
  - Find the role mapping for your user (e.g., if they are in an ldap_users backend role, edit that mapping).
  - Add opensearch_dashboards_user to the list of mapped “Roles”.
  - (If using roles_mapping.yml, add it there and run securityadmin.sh).
- Create a Custom Role (Advanced): You can create your own “base” role, but you must ensure it has cluster:monitor/main, cluster:admin/opensearch/version, and read/write permissions for the .opensearch_dashboards* indices. It’s much easier to use the built-in opensearch_dashboards_user role.
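A triage helper for the error above, as an added example that is not part of the original page or of OpenSearch itself: it parses the 403 body and builds the opensearch_dashboards_user mapping entry with the affected user merged in. It assumes the `roles=[...]` list in the message holds the user's backend roles and that the entry uses the `backend_roles`, `and_backend_roles`, `hosts` and `users` fields of roles_mapping.yml; the function names are hypothetical.

```python
import json
import re

# Constructed sample: the 403 body shown on this page.
SAMPLE_403 = json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "no permissions for [cluster:monitor/main] and User "
                  "[name=new_user, roles=[], ...]",
    },
    "status": 403,
})

_REASON = re.compile(
    r"no permissions for \[(?P<actions>[^\]]*)\] and User "
    r"\[name=(?P<user>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]"
)

def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]

def parse_denial(body):
    """Extract denied actions, user name and listed roles from a 403 body.

    Returns None when the body is not a security_exception in this format.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    err = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(err, dict) or err.get("type") != "security_exception":
        return None
    m = _REASON.search(str(err.get("reason", "")))
    if m is None:
        return None
    return {"user": m["user"].strip(), "actions": _split(m["actions"]),
            "roles": _split(m["roles"])}

def merged_mapping(existing, denial):
    """Build the opensearch_dashboards_user mapping entry with the user added.

    Existing members are carried over so that rewriting the entry drops no one.
    Assumption: with no roles on the user, map the user name; else map the roles.
    """
    keys = ("backend_roles", "and_backend_roles", "hosts", "users")
    entry = {k: list(existing.get(k, [])) for k in keys}
    key, new = (("backend_roles", denial["roles"]) if denial["roles"]
                else ("users", [denial["user"]]))
    entry[key] = list(dict.fromkeys(entry[key] + new))  # dedupe, keep order
    return entry
```

Mapping a backend role grants Dashboards access to every user who carries that role, so review the resulting entry before applying it through Role Mappings or roles_mapping.yml.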
What else can I do? Confused about the difference between backend_roles and roles? Security roles and mappings are a complex topic. Ask the OpenSearch community for examples, or contact us for help designing your user permissions in the #General channel of the OpenSearch Slack.