Add documentation to rename opensearch_dashboards predefined roles to kibana

[cwillum]

Description

Somehow the predefined roles for providing permissions for all functionality in Dashboards and read-only permissions became named openesarch_dashboards_user and opensearch_dashboards_read_only while in the code they remain kibana_user and kibana_read_only. Need to name them properly to agree with the code.

Issues Resolved

renamed these roles kibana_user and kibana_read_only in the Predefined roles table in Users and Roles documentation.

Fixes #2723.

Checklist

• By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and subject to the Developers Certificate of Origin.
  For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[cwillum]

@opensearch-project/opensearch-dashboards-core It looks like the role naming issue began in #3391. This PR renames the roles so they agree with the predefined roles in Security code.
But in the documentation's definition for what is now the kibana_read_only role, it says, "A special role that prevents users from making changes to visualizations, dashboards, and other OpenSearch Dashboards objects." And then, "See opensearch_security.readonly_mode.roles in opensearch_dashboards.yml." We don't have a reference in documentation that shows the opensearch_dashboards.yml file with all of its properties/settings defined, which a user could look at to find out more about this.
What is the relationship between the kibana_read_only role and the opensearch_security.readonly_mode.roles setting that you add to opensearch_dashboards.yml? Are there dependencies? Do they do different things? Is there a file in the OSD repo that defines this setting? Thanks.

[joshuarrrr]

Just wanted to mention that the source file for opensearch_dashboards.yml actually does have example settings and values, all commented out: https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml

The problem is that it only lists configuration settings that are present in the core dashboards application, so doesn't include config settings defined by other plugins (such as the security-dashboards plugin, in this case).

[cwillum]

@joshuarrrr Thanks for the clarification. It looks like this is a question for security dashboards.
@opensearch-project/security Does anyone have information on this opensearch_security.readonly_mode.roles setting that you add in the opensearch_dashboards.yml? I'm hoping to clarify information in the kibana_read_only role definition in docs: Predefined roles. (It's still called opensearch_dashboards_read_only here).

[DarshitChanpura]

There names in security plugin are still kibana_read_only and kibana_user instead of opensearch_dashboards_read_only and opensearch_dashboards_user.
Renaming these to opensearch_dashboards_* is a significant and a breaking change. @opensearch-project/security Should we go ahead and make a PR to rename these?

To answer your question @cwillum, opensearch_security.readonly_mode.roles setting marks the roles passed in it as read only. The roles added here are read by security plugin via this piece of code: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/public/plugin.ts#L88-L94.

[cwillum]

@DarshitChanpura Thanks for the reply, and for finding the code associated with the setting. But I'm still not straight on this opensearch_security.readonly_mode.roles setting. If it marks all roles as ready-only when it passes them through, what is the purpose of having a kibana_read_only role? It sounds like the setting and the role do the same thing. Do you use them together? Or are they used separately?
The description for the role in documentation and the mention of this setting is confusing. It tells readers to "See" the opensearch_dashboards.yml file about the setting. But that leads to a dead end. There's no explanation about when and where you use the setting, or whether it's used with the role or if it's simply another "read-only" option.

[DarshitChanpura]

@cwillum I agree that the setting is a little confusing. I will try to explain it in as simply as I can:

opensearch_security.readonly_mode.roles setting is used to activate the read-only mode. Roles that are defined as dashboards "read-only" should be added to this setting for them to be effective.

So in this case, if a user is assigned opensearch_dashboards_read_only role but this role has not been added to opensearch_security.readonly_mode.roles setting then it won't work.
For dashboards read-only mode to work for a user, they need to be assigned a read-only role and that role must be present in the opensearch_security.readonly_mode.roles setting in opensearch_dashboards.yml?

Hope this adds some clarification to answer your question

[cwillum]

@DarshitChanpura That's a great explanation and super helpful. I wouldn't have known. Do you know if multiple roles are listed as an array, separated by a comma?
By the way, I've reworded the description for this role.

[DarshitChanpura]

Do you know if multiple roles are listed as an array, separated by a comma?

That is correct.

[cwillum]

Waiting on availability for doc team review.