Cannot override static roles

Versions: Opensearch 3.2.0 (via docker)

Describe the issue: I want to create a distinguished user for logstash, but while pushing the config via securityadmin.sh, I get the error “Cannot override static roles”.

Configuration:
config.yml

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Common settings for authentication; authz is for authorization!
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern

internal_users.yml

---
_meta:
  type: "internalusers"
  config_version: 2

admin:
  reserved: true
  hidden: false
  hash: "$2y$12$cFXsSqRE6o<reducted>n6H7ljqYwbqqpHNYUjaP/GK"
  backend_roles:
    - admin
  static: false

logstash:
  reserved: false
  hidden: false
  hash: "$2y$12$6I5hLtlXkzDd<reducted>a468x1n/UKHVuC/AozEL/e"
  static: false

dashboards:
  hash: "$2y$12$d/FzCOdAMa<reducted>DyA0BqK1PRYjW4ovO"

roles.yml

_meta:
  type: "roles"
  config_version: 2

dashboard:
  cluster_permissions:
    - 'cluster:admin/*'
    - 'cluster_monitor'
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - 'indices_all'
        - 'indices:admin/*'
        - 'indices:internal/*'
  tenant_permissions:
  - tenant_patterns:
    - "*"
    allowed_actions:
    - "kibana_all_write"

logstash:
  reserved: false
  hidden: false
  description: "Provide the minimum permissions for logstash and beats"
  cluster_permissions:
    - cluster_monitor
    - cluster_composite_ops
    - indices:admin/template/get
    - indices:admin/template/put
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  index_permissions:
    - index_patterns:
        - 'logstash-*'
        - 'firewall-*'
        - 'syslog-*'
      allowed_actions:
        - crud
        - create_index

read_all:
  cluster_permissions:
    - cluster_composite_ops_ro
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - read

roles_mapping.yml

---
# In this file users, backendroles and hosts can be mapped to Security roles.
# Permissions for OpenSearch roles are configured in roles.yml

_meta:
  type: "rolesmapping"
  config_version: 2

# Define your roles mapping here
all_access:
  reserved: false
  users:
  - 'admin'
  description: "Maps admin to all_access"

own_index:
  reserved: false
  users:
  - "*"
  description: "Allow full access to an index named like the username"

logstash:
  reserved: false
  users:
  - 'logstash'

dashboard:
  reserved: false
  users:
  - "dashboards"
  description: "Put dashboards into dashboard"

readall:
  reserved: false
  backend_roles:
  - "readall"

manage_snapshots:
  reserved: false
  backend_roles:
  - "snapshotrestore"

kibana_server:
  reserved: true
  users:
  - "kibanaserver"

Relevant Logs or Screenshots:

Here is my try to apply the configs:

[opensearch@be6f844376c9 ~]$ /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh   -cd /usr/share/opensearch/plugins/opensearch-security/securityconfig   -icl   -key /usr/share/opensearch/config/certs/admin.key   -cert /usr/share/opensearch/config/certs/admin.crt   -cacert /usr/share/opensearch/config/certs/ca.crt   -nhnv
Security Admin v7
Will connect to localhost:9200 ... done
Connected as "<doesn'tmatter>"
OpenSearch Version: 3.2.0
Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...
Clustername: opensearch-cluster
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 3
.opendistro_security index does not exists, attempt to create it ... done (0-all replicas)
Populate config from /usr/share/opensearch/plugins/opensearch-security/securityconfig/
Will update '/config' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/config.yml
   SUCC: Configuration for 'config' created or updated
Will update '/roles' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles.yml
   SUCC: Configuration for 'roles' created or updated
Will update '/rolesmapping' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/roles_mapping.yml
   SUCC: Configuration for 'rolesmapping' created or updated
Will update '/internalusers' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml
   SUCC: Configuration for 'internalusers' created or updated
Will update '/actiongroups' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/action_groups.yml
   SUCC: Configuration for 'actiongroups' created or updated
Will update '/tenants' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/tenants.yml
   SUCC: Configuration for 'tenants' created or updated
Will update '/nodesdn' with /usr/share/opensearch/plugins/opensearch-security/securityconfig/nodes_dn.yml
   SUCC: Configuration for 'nodesdn' created or updated
FAIL: 3 nodes reported failures. Failure is {"_nodes":{"total":3,"successful":0,"failed":3,"failures":[{"type":"failed_node_exception","reason":"Failed node [5LkzfoQvQOqhETrTclE0iA]","node_id":"5LkzfoQvQOqhETrTclE0iA","caused_by":{"type":"static_resource_exception","reason":"Cannot override static roles"}},{"type":"failed_node_exception","reason":"Failed node [pf7oj-DRQWiBAgUEMn1Beg]","node_id":"pf7oj-DRQWiBAgUEMn1Beg","caused_by":{"type":"static_resource_exception","reason":"static_resource_exception: Cannot override static roles"}},{"type":"failed_node_exception","reason":"Failed node [UKLN4PZ6SNCCIMasrLlq9w]","node_id":"UKLN4PZ6SNCCIMasrLlq9w","caused_by":{"type":"static_resource_exception","reason":"static_resource_exception: Cannot override static roles"}}]},"cluster_name":"opensearch-cluster","configupdate_response":{"nodes":{},"node_size":0,"has_failures":true,"failures_size":3}}/{"_nodes":{"total":3,"successful":0,"failed":3,"failures":[{"type":"failed_node_exception","reason":"Failed node [5LkzfoQvQOqhETrTclE0iA]","node_id":"5LkzfoQvQOqhETrTclE0iA","caused_by":{"type":"static_resource_exception","reason":"Cannot override static roles"}},{"type":"failed_node_exception","reason":"Failed node [pf7oj-DRQWiBAgUEMn1Beg]","node_id":"pf7oj-DRQWiBAgUEMn1Beg","caused_by":{"type":"static_resource_exception","reason":"static_resource_exception: Cannot override static roles"}},{"type":"failed_node_exception","reason":"Failed node [UKLN4PZ6SNCCIMasrLlq9w]","node_id":"UKLN4PZ6SNCCIMasrLlq9w","caused_by":{"type":"static_resource_exception","reason":"static_resource_exception: Cannot override static roles"}}]},"cluster_name":"opensearch-cluster","configupdate_response":{"nodes":{},"node_size":0,"has_failures":true,"failures_size":3}}
FAIL: Expected 3 nodes to return response, but got 0
Done with failures

My problems are:

  • handling roles and backend roles is currently trial and error -> I changed too much since the last running config
  • I do not get the failing/faulty role from the generic error message

What is my mistake?

@dennis_u The logstash is a built-in role, and therefore you will not be able to change it. You can easily create the same role, but name it logstash_updated or similar, and map the users to that role instead. Hope this helps

@Anthony Thank you very much for this hint.

I created a separate role for logstash and it works:

#internal_users
logstash:
  reserved: false
  hidden: false
  hash: "$2y$12$ZGMrwQfx.<reducted>"
  static: false

#roles.yml
logstash_extra:
  reserved: false
  hidden: false
  description: "Provide the minimum permissions for logstash and beats"
  cluster_permissions:
    - cluster_monitor
    - cluster_composite_ops
    - indices:admin/template/get
    - indices:admin/template/put
    - cluster:admin/ingest/pipeline/put
    - cluster:admin/ingest/pipeline/get
  index_permissions:
    # add more here, if needed
    - index_patterns:
        - 'logstash-*'
        - 'firewall-*'
        - 'syslog-*'
      allowed_actions:
        - crud
        - create_index

#roles_mapping.yml
logstash_extra:
  reserved: false
  users:
  - 'logstash'

Thanks.

Another small question: do you have a hint why I do not see the menu entry Management > Security, even though I have an admin account?


@dennis_u in order to be able to see the security tab in OSD, you need to add the role in question to the below configuration in opensearch.yml

plugins.security.restapi.roles_enabled: ["all_access", <custom_role>]
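The thread shows two things worth checking before running securityadmin.sh: a role in roles.yml must not reuse a static role name (the error above names no role, so the collision has to be found by hand), and a custom role only gets the Security UI once it is listed in plugins.security.restapi.roles_enabled. The preflight lint below is an added example, not code from the thread or from the OpenSearch project. It parses only the unindented top-level keys of the security config files, so it needs no YAML library; the set of static role names is an assumption (only "logstash" is confirmed by the thread) and should be compared with the static_roles.yml of the installed plugin version. The sample files are constructed to mirror the poster's layout.

```python
"""Preflight lint for OpenSearch Security config files (added example, not project code)."""
import re
from typing import List, Set

# Role names the Security plugin ships as static. The thread only confirms
# "logstash"; the remaining names are an ASSUMPTION modelled on the plugin's
# static_roles.yml and must be verified against the installed version.
ASSUMED_STATIC_ROLES: Set[str] = {
    "all_access", "kibana_read_only", "kibana_server", "kibana_user", "logstash",
    "manage_snapshots", "own_index", "readall", "readall_and_monitor",
    "security_rest_api_access",
}

# An unindented "name:" line opens a top-level entry (a role, a mapping, a user).
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z0-9_.-]+):\s*(#.*)?$")
# plugins.security.restapi.roles_enabled: ["all_access", "logstash_extra"]
RESTAPI_ROLES = re.compile(r"^plugins\.security\.restapi\.roles_enabled:\s*\[(.*)\]\s*$")


def top_level_keys(yaml_text: str) -> List[str]:
    """Top-level entry names in file order, skipping the _meta block."""
    names = []
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m and m.group(1) != "_meta":
            names.append(m.group(1))
    return names


def find_static_collisions(roles_yml: str, static_roles: Set[str] = ASSUMED_STATIC_ROLES) -> List[str]:
    """Roles in roles.yml whose name is already taken by a static role.

    Pushing such a role makes every node answer 'Cannot override static roles'."""
    return [name for name in top_level_keys(roles_yml) if name in static_roles]


def find_undefined_mapped_roles(roles_yml: str, roles_mapping_yml: str,
                                static_roles: Set[str] = ASSUMED_STATIC_ROLES) -> List[str]:
    """Mapping entries that name a role neither defined in roles.yml nor static.

    Catches renaming the role in one file but forgetting the other."""
    known = set(top_level_keys(roles_yml)) | static_roles
    return [name for name in top_level_keys(roles_mapping_yml) if name not in known]


def restapi_roles_enabled(opensearch_yml: str) -> List[str]:
    """Roles granted Security REST API access (and hence the Dashboards Security tab)."""
    for line in opensearch_yml.splitlines():
        m = RESTAPI_ROLES.match(line.strip())
        if m:
            return [item.strip().strip("\"'") for item in m.group(1).split(",") if item.strip()]
    return []


def lint(roles_yml: str, roles_mapping_yml: str, opensearch_yml: str, admin_role: str) -> List[str]:
    """Collect human-readable findings; an empty list means the files look pushable."""
    findings = []
    for name in find_static_collisions(roles_yml):
        findings.append(f"roles.yml: '{name}' is a static role; rename it (e.g. '{name}_extra') "
                        f"and map users to the new name")
    for name in find_undefined_mapped_roles(roles_yml, roles_mapping_yml):
        findings.append(f"roles_mapping.yml: '{name}' is neither defined in roles.yml nor a known static role")
    if admin_role not in restapi_roles_enabled(opensearch_yml):
        findings.append(f"opensearch.yml: '{admin_role}' is missing from "
                        f"plugins.security.restapi.roles_enabled, so its users will not see the Security UI")
    return findings


# Constructed samples modelled on the thread's files (not the poster's real files).
ROLES_BEFORE = """\
_meta:
  type: "roles"
  config_version: 2

dashboard:
  cluster_permissions:
    - 'cluster_monitor'

logstash:
  reserved: false
  description: "Provide the minimum permissions for logstash and beats"
  cluster_permissions:
    - cluster_monitor

read_all:
  cluster_permissions:
    - cluster_composite_ops_ro
"""
ROLES_AFTER = ROLES_BEFORE.replace("\nlogstash:\n", "\nlogstash_extra:\n")

MAPPING_BEFORE = """\
_meta:
  type: "rolesmapping"
  config_version: 2

all_access:
  users:
  - 'admin'

logstash:
  users:
  - 'logstash'

dashboard:
  users:
  - "dashboards"
"""
MAPPING_AFTER = MAPPING_BEFORE.replace("\nlogstash:\n", "\nlogstash_extra:\n")
OPENSEARCH_YML = 'plugins.security.restapi.roles_enabled: ["all_access", "dashboard"]\n'

if __name__ == "__main__":
    for finding in lint(ROLES_BEFORE, MAPPING_BEFORE, OPENSEARCH_YML, "all_access"):
        print(finding)
```

Run against the "before" files it reports the logstash collision; against the renamed files it reports nothing. Because the lint keys off the mapping file as well, it also flags the half-done rename (logstash_extra mapped but not defined), which is the other way this error surfaces during trial and error.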