Bug?! - Permissions model not working as expected

hm21 · December 15, 2023, 7:37pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS 2.11.1
Edge and Firefox

Describe the issue:

As you can see in the Terraform code, the allowed_actions for index_permissions is set to “*”. Now, this way the test_user can see the indices with the prefix of index-name. But now, when I set allowed_actions to read or keep it empty, then the test_user can see all indices and not only the indices with the above prefix.
Other than that, no matter the allowed_actions values - the following logs are always appearing. Something does match. Either the permissions are not working or the logs are falsey. The test_useris an internal user and not a user from ldap or so. In the following the predefined action group of read:

read:
  reserved: true
  hidden: false
  static: true
  allowed_actions:
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"
  - "indices:admin/resolve/index"
  type: "index"
  description: "Allow all read operations"

Why are these specific permissions not applied to only the indices with the “index-name” prefix?

Moreover, when the test_useris trying to create an index-pattern on the WEB UI then it is not working also. Why is that?

Configuration:

I use Terraform to configure the permissions:

resource "opensearch_role" "test_role" {
  role_name   = "test_role"
  description = "test role description"
 
  cluster_permissions = ["*"]
 
  index_permissions {
    index_patterns = ["index-name*"]
    allowed_actions = ["*"]
  }
 
  tenant_permissions {
    tenant_patterns = ["global_tenant"]
    allowed_actions = ["*"]
  }
}

resource "opensearch_roles_mapping" "test" {
  role_name   = "test_role"
  description = "Mapping test role to users"
  users       = ["test_user"]
}

The above return the following OS node logs:

[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No index-level perm match for User [name=test_user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=[]] [Action [indices:admin/data_stream/get]] [RolesChecked [own_index, test_role]]

[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No index-level perm match for User [name=test_user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=[]] [Action [indices:monitor/recovery]] [RolesChecked [own_index, test_role]]

[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No permissions for [indices:admin/data_stream/get]

[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No permissions for [indices:monitor/recovery]

do_not_fail_on_forbidden and do_not_fail_on_forbidden_empty in the config.yaml file are set to true

hm21 · December 17, 2023, 12:12pm

does anybody know what the problem is?

Topic		Replies	Views
Role applied when login with openId doesn't give permission to specified index Security troubleshoot	2	327	July 27, 2023
No permissions on indices:data/read/search template when the permission is attached in the role Security	10	7905	September 19, 2023
Restrict access exclusively to 1 index Security discuss , configure	4	829	September 20, 2022
Permission errors on indices:data/read/search[can_match] Security	2	388	October 20, 2022
No permissions for [indices:admin/mapping/put] Security troubleshoot	1	601	July 22, 2022

Bug?! - Permissions model not working as expected

Related Topics