Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OS 2.11.1
Edge and Firefox
Describe the issue:
As you can see in the Terraform code, the `allowed_actions` for `index_permissions` is set to `"*"`. This way the `test_user` can see the indices with the prefix `index-name`. But when I set `allowed_actions` to `read` or keep it empty, then the `test_user` can see all indices and not only the indices with the above prefix.
Other than that, no matter the `allowed_actions` values, the following logs are always appearing. Something does match. Either the permissions are not working or the logs are false. The `test_user` is an internal user and not a user from LDAP or so. In the following, the predefined action group `read`:
```yaml
read:
  reserved: true
  hidden: false
  static: true
  allowed_actions:
    - "indices:data/read*"
    - "indices:admin/mappings/fields/get*"
    - "indices:admin/resolve/index"
  type: "index"
  description: "Allow all read operations"
```
Why are these specific permissions not applied to only the indices with the `index-name` prefix?
Moreover, when the `test_user` is trying to create an index pattern in the web UI, it is not working either. Why is that?
Configuration:
I use Terraform to configure the permissions:
```hcl
resource "opensearch_role" "test_role" {
  role_name   = "test_role"
  description = "test role description"

  cluster_permissions = ["*"]

  index_permissions {
    index_patterns  = ["index-name*"]
    allowed_actions = ["*"]
  }

  tenant_permissions {
    tenant_patterns = ["global_tenant"]
    allowed_actions = ["*"]
  }
}

resource "opensearch_roles_mapping" "test" {
  role_name   = "test_role"
  description = "Mapping test role to users"
  users       = ["test_user"]
}
```
The above returns the following OS node logs:
```
[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No index-level perm match for User [name=test_user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=[]] [Action [indices:admin/data_stream/get]] [RolesChecked [own_index, test_role]]
[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No index-level perm match for User [name=test_user, backend_roles=[], requestedTenant=] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=[]] [Action [indices:monitor/recovery]] [RolesChecked [own_index, test_role]]
[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No permissions for [indices:admin/data_stream/get]
[INFO ][o.o.s.p.PrivilegesEvaluator] [ff51fd381c23] No permissions for [indices:monitor/recovery]
```
`do_not_fail_on_forbidden` and `do_not_fail_on_forbidden_empty` in the `config.yaml` file are set to `true`.
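To make the relationship between the role above, the `read` action group and the logged actions concrete, here is an added example (not code from the post or from the OpenSearch security plugin). It is a simplified model of index-level permission matching: it assumes plain glob semantics for `index_patterns` and `allowed_actions` (a `*` matching any run of characters), expands action-group names into their member patterns, and then asks, for each of the two index-level actions that appear in the node logs, whether a given `allowed_actions` value covers it. The `make_role` helper and the `LOGGED_ACTIONS` list are constructed here from the post's own Terraform and log lines; the real `PrivilegesEvaluator` does considerably more (index resolution, cluster-level checks, tenant handling), which this model leaves out.

```python
import fnmatch
from typing import Dict, List

# Predefined `read` action group, copied from the post.
ACTION_GROUPS: Dict[str, List[str]] = {
    "read": [
        "indices:data/read*",
        "indices:admin/mappings/fields/get*",
        "indices:admin/resolve/index",
    ],
}

# Index-level actions that appear in the posted node logs (constructed from the log lines).
LOGGED_ACTIONS = ["indices:admin/data_stream/get", "indices:monitor/recovery"]


def make_role(allowed_actions: List[str]) -> dict:
    """Build the index_permissions part of test_role with a chosen allowed_actions value.
    Hypothetical helper mirroring the Terraform resource in the post; cluster and tenant
    permissions are deliberately left out of this model."""
    return {
        "index_permissions": [
            {"index_patterns": ["index-name*"], "allowed_actions": allowed_actions},
        ],
    }


def expand_actions(actions: List[str]) -> List[str]:
    """Replace action-group names with their member patterns; anything unknown is
    treated as a literal action pattern. Assumption: one level of nesting is enough here."""
    expanded: List[str] = []
    for action in actions:
        expanded.extend(ACTION_GROUPS.get(action, [action]))
    return expanded


def matches_any(value: str, patterns: List[str]) -> bool:
    """Case-sensitive glob match; '*' matches any run of characters, including '/'."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def index_perm_matches(role: dict, index: str, action: str) -> bool:
    """True when some index_permissions entry covers both the index and the action."""
    for perm in role["index_permissions"]:
        if matches_any(index, perm["index_patterns"]) and matches_any(
            action, expand_actions(perm["allowed_actions"])
        ):
            return True
    return False


def unmatched_actions(role: dict, index: str, actions: List[str]) -> List[str]:
    """Actions from `actions` that no index_permissions entry grants on `index`
    (the situation the 'No index-level perm match' log line reports)."""
    return [a for a in actions if not index_perm_matches(role, index, a)]


if __name__ == "__main__":
    for allowed in (["*"], ["read"], []):
        role = make_role(allowed)
        print(f"allowed_actions={allowed!r}")
        print("  search on index-name-2024 :",
              index_perm_matches(role, "index-name-2024", "indices:data/read/search"))
        print("  search on other-index     :",
              index_perm_matches(role, "other-index", "indices:data/read/search"))
        print("  logged actions not covered:",
              unmatched_actions(role, "index-name-2024", LOGGED_ACTIONS))
```

Running it shows that under this model neither `indices:admin/data_stream/get` nor `indices:monitor/recovery` falls inside the `read` group's three patterns, while `"*"` covers both, and that no setting of `allowed_actions` grants anything on an index outside `index-name*`. When comparing a role against log lines like the ones above, the action name in `[Action [...]]` is the value to check against the expanded `allowed_actions` patterns.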