Cluster permission indices:data/write/bulk needed for adding data? Implications?

Hi,

I am currently setting up an opendistro-cluster and I am trying to control which server may send to which index via filebeat.

I configured filebeat to use an application specific index and set up a logproducer-role for each application.

The role has the following permissions:

  cluster_permissions:
    - "cluster:monitor/main"
  index_permissions:
    -
      index_patterns:
        - "app-{{appname}}-*"
      allowed_actions:
        - "our_logproducer"

The action group is defined as:

_meta:
  type: "actiongroups"
  config_version: 2

# Action Group for log producing servers
our_logproducer:
  allowed_actions:
    - "indices:data/write/index*"
    - "indices:admin/mapping/put"
    - "indices:admin/create"
    - "indices:admin/exists"
    - "indices:admin/get"
    - "cluster:monitor/main"
    - "indices:data/write/bulk"

This does not seem to work. Log shipping is possible only after I permit “indices:data/write/bulk” as a cluster permission.

This is the part I neither understand nor know what it implies.

So I have two questions:

  1. Does permitting “indices:data/write/bulk” on cluster level allow writes to any index?
  2. Is there any documentation about the permissions and what exactly they control? I only found a list of built-in permissions on https://opendistro.github.io/for-elasticsearch-docs/docs/security-access-control/permissions/

Regards, Michael


I faced the same issue. I configured a role using the HTTP API that allows the user to only index and search data. The search part worked fine but the indexing was not working.

It kept throwing the error below. The only way to fix this was to add the indices:data/write/bulk permission to the cluster_permissions. What does this permission mean?

[security_exception] no permissions for [indices:data/write/bulk] and User [name=arn:aws:iam::<account_id>:user/my_user, backend_roles=[], requestedTenant=null]

My request body payload for the PUT /_opendistro/_security/api/roles/search_and_index HTTP API:

{
    "cluster_permissions": [
        "indices:data/write/bulk"
    ],
    "index_permissions": [
        {
            "index_patterns": [
                "*"
            ],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": [
                "indices:data/read/explain",
                "indices:data/read/field_caps",
                "indices:data/read/field_caps*",
                "indices:data/read/get",
                "indices:data/read/mget",
                "indices:data/read/mget*",
                "indices:data/read/msearch",
                "indices:data/read/msearch/template",
                "indices:data/read/mtv",
                "indices:data/read/mtv*",
                "indices:data/read/scroll",
                "indices:data/read/scroll/clear",
                "indices:data/read/search",
                "indices:data/read/search*",
                "indices:data/read/search/template",
                "indices:data/read/tv",
                "indices:data/write/bulk",
                "indices:data/write/bulk*",
                "indices:data/write/delete",
                "indices:data/write/delete/byquery",
                "indices:data/write/index",
                "indices:data/write/reindex",
                "indices:data/write/update",
                "indices:data/write/update/byquery"
            ]
        }
    ]
}

Hi All,
The cluster permission indices:data/write/bulk enables you to write to the indices that you specify in index-level permissions. Both permissions are needed for bulk operations.

I think it is very confusing to require indices permissions to be added to the cluster permissions, and that cluster_all doesn’t actually have “all” the permissions, just the cluster ones, so cluster_composite_ops or the indices permissions have to be added also.

I filed “[FEATURE] Better documentation around Cluster and Index permissions, wrt adding `indices` perms as Cluster perms” (opensearch-project/security issue #2336 on GitHub) to improve the documentation around this.
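The two-stage check described in this thread (the bulk endpoint is gated by a cluster permission, and each index the bulk body touches is then gated by the index patterns) can be modelled in a few lines. The following is an added illustration, not the security plugin's own authorization code: it assumes the two stages above, treats index_patterns and allowed_actions as shell-style globs, and expands action-group names the way the first post's `our_logproducer` group is used. The sample roles and action group are constructed to mirror the first post (with appname `web`) and the second post's `search_and_index` role; `lint_role` flags the exact misconfiguration that produced the `no permissions for [indices:data/write/bulk]` error, and also the wildcard `*` index pattern that the second role uses.

```python
from fnmatch import fnmatchcase

BULK_ACTION = "indices:data/write/bulk"
# Per-document operations in a bulk body and the index-level action each one
# needs. This mapping is an assumption of the model, not the plugin's table.
ITEM_ACTIONS = {
    "index": "indices:data/write/index",
    "create": "indices:data/write/index",
    "update": "indices:data/write/update",
    "delete": "indices:data/write/delete",
}


def expand(allowed, groups, _seen=frozenset()):
    """Replace action-group names (e.g. 'our_logproducer') with their members,
    recursively, so a role can be compared against concrete action names."""
    out = []
    for entry in allowed:
        if entry in groups and entry not in _seen:
            out.extend(expand(groups[entry], groups, _seen | {entry}))
        else:
            out.append(entry)
    return out


def granted(action, allowed):
    """True if `action` matches any entry; entries may be globs such as
    'indices:data/write/index*' as in the thread's action group."""
    return any(fnmatchcase(action, pat) for pat in allowed)


def evaluate_bulk(role, items, groups=None):
    """items: list of (operation, index) pairs taken from a _bulk body.
    Stage 1: the bulk action itself must be granted at cluster level.
    Stage 2: every target index must match a pattern whose allowed_actions
    grant the per-document action. Returns (allowed, reason)."""
    groups = groups or {}
    cluster = expand(role.get("cluster_permissions", []), groups)
    if not granted(BULK_ACTION, cluster):
        return False, f"no permissions for [{BULK_ACTION}] at cluster level"
    for op, index in items:
        needed = ITEM_ACTIONS[op]
        ok = any(
            any(fnmatchcase(index, p) for p in perm.get("index_patterns", []))
            and granted(needed, expand(perm.get("allowed_actions", []), groups))
            for perm in role.get("index_permissions", [])
        )
        if not ok:
            return False, f"no index permission for [{needed}] on [{index}]"
    return True, "permitted"


def lint_role(role, groups=None):
    """Flag the two problems discussed in the thread: bulk granted only at
    index level (requests will be rejected), and write actions on '*'."""
    groups = groups or {}
    findings = []
    cluster = expand(role.get("cluster_permissions", []), groups)
    for perm in role.get("index_permissions", []):
        allowed = expand(perm.get("allowed_actions", []), groups)
        if granted(BULK_ACTION, allowed) and not granted(BULK_ACTION, cluster):
            findings.append(f"bulk granted at index level but cluster_permissions "
                            f"lack {BULK_ACTION}; _bulk requests will be rejected")
        if "*" in perm.get("index_patterns", []) and granted(ITEM_ACTIONS["index"], allowed):
            findings.append("index_patterns ['*'] with write actions allows writes to every index")
    return findings


# Constructed samples (not taken from a live cluster).
GROUPS = {"our_logproducer": [
    "indices:data/write/index*", "indices:admin/mapping/put", "indices:admin/create",
    "indices:admin/exists", "indices:admin/get", "cluster:monitor/main", BULK_ACTION,
]}
ROLE_BROKEN = {  # the first post's role: bulk only via the action group
    "cluster_permissions": ["cluster:monitor/main"],
    "index_permissions": [{"index_patterns": ["app-web-*"],
                           "allowed_actions": ["our_logproducer"]}],
}
ROLE_FIXED = {   # same role with the cluster-level bulk permission added
    "cluster_permissions": ["cluster:monitor/main", BULK_ACTION],
    "index_permissions": ROLE_BROKEN["index_permissions"],
}
ROLE_ANY_INDEX = {  # shape of the second post's search_and_index role
    "cluster_permissions": [BULK_ACTION],
    "index_permissions": [{"index_patterns": ["*"],
                           "allowed_actions": [BULK_ACTION, "indices:data/write/index"]}],
}

if __name__ == "__main__":
    docs = [("index", "app-web-2024.01.01")]
    print(evaluate_bulk(ROLE_BROKEN, docs, GROUPS))
    print(evaluate_bulk(ROLE_FIXED, docs, GROUPS))
    print(evaluate_bulk(ROLE_FIXED, [("index", "app-other-1")], GROUPS))
    print(lint_role(ROLE_BROKEN, GROUPS), lint_role(ROLE_ANY_INDEX))
```

Run against the broken role, `evaluate_bulk` denies at stage 1 with the same wording as the error quoted in the second post; with the cluster permission added it permits writes to `app-web-*` and still denies `app-other-1`, which is the answer to question 1: the cluster-level bulk permission does not by itself open every index, the index patterns still decide. The second post's role is permitted everywhere only because its pattern is `*`, which the linter reports.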

Hi Anthony!
So the indices:data/write/bulk permission has to be added both as a Cluster permission and an Index Level permission?