Copy of a role doesn't work

I just made a clean OpenSearch installation and want to grant permissions to the logstash user to create indices with a specific prefix (default logstash-* in the examples below). I took the built-in logstash role as a basis. Here is an example; it works as expected:

# curl -s -X PUT -k -u 'logstash:321654' https://10.10.1.2:9200/logstash-logstash | jq
{
  "acknowledged": true,
  "shards_acknowledged": true,
  "index": "logstash-logstash"
}

Then I copied the logstash role to logstash_copy using the OpenSearch Dashboards UI and replaced the previously assigned logstash role with the new one in the logstash user config. Now it doesn’t work.

# curl -s -X PUT -k -u 'logstash:321654' https://10.10.1.2:9200/logstash-copy | jq
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:admin/create] and User [name=logstash, backend_roles=[logstash_copy], requestedTenant=null]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:admin/create] and User [name=logstash, backend_roles=[logstash_copy], requestedTenant=null]"
  },
  "status": 403
}

It fails with “no permissions for [indices:admin/create]”, but that action is absent from the built-in logstash role as well, and that role works fine. Here are both role configs.
built-in:

# curl -s -X GET -k -u 'admin:321654' https://10.10.1.2:9200/_plugins/_security/api/roles/logstash | jq
{
  "logstash": {
    "reserved": true,
    "hidden": false,
    "description": "Provide the minimum permissions for logstash and beats",
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops",
      "indices:admin/template/get",
      "indices:admin/template/put",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/get"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "logstash-*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      },
      {
        "index_patterns": [
          "*beat*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": true
  }
}

copy:

# curl -s -X GET -k -u 'admin:321654' https://10.10.1.2:9200/_plugins/_security/api/roles/logstash_copy | jq
{
  "logstash_copy": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster_monitor",
      "cluster_composite_ops",
      "indices:admin/template/get",
      "indices:admin/template/put",
      "cluster:admin/ingest/pipeline/put",
      "cluster:admin/ingest/pipeline/get"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "logstash-*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      },
      {
        "index_patterns": [
          "*beat*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud",
          "create_index"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

Why doesn’t the copy of the role work?

@e.shutov I can’t seem to reproduce your issue.

Can you run the below query to check if the new role is correctly mapped?

curl --insecure -ulogstash:321654 -XGET "https://10.10.1.2:9200/_opendistro/_security/authinfo?pretty"

Does the newly created “logstash_copy” role appear under the roles section?
If so, which version of OpenSearch are you running?

You are totally right. You pointed directly at the issue.
This was an error in the role binding due to my misunderstanding of the fact that a “backend_role” is not the same as a “role”.
Above I assigned the role “logstash_copy” as a “Backend role” in the OpenSearch Dashboards UI: Security → Internal users → Edit → Backend roles
(because by default there is a mapping with “logstash” here, and for unadvanced users like me it looks like the place where I have to put my roles).
And got this; “logstash_copy” is not assigned:

[root@void-mag tls]# curl -s -X GET -k -u 'logstash:321654' 'https://10.10.1.2:9200/_opendistro/_security/authinfo?pretty'
{
  "user" : "User [name=logstash, backend_roles=[logstash_copy], requestedTenant=null]",
  "user_name" : "logstash",
  "user_requested_tenant" : null,
  "remote_address" : "10.10.1.1:48068",
  "backend_roles" : [
    "logstash_copy"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "logstash" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

With the default “logstash” as backend_role it was assigned:

# curl -s -X GET -k -u 'logstash:321654' 'https://10.10.1.2:9200/_opendistro/_security/authinfo?pretty'
{
  "user" : "User [name=logstash, backend_roles=[logstash], requestedTenant=null]",
  "user_name" : "logstash",
  "user_requested_tenant" : null,
  "remote_address" : "10.10.1.1:48066",
  "backend_roles" : [
    "logstash"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "logstash",
    "own_index"
  ],
  "tenants" : {
    "logstash" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Probably because the backend_role “logstash” exists in the default (demo) configuration and points to the “logstash” role.
It was finally fixed by assigning the user “logstash” to the role “logstash_copy” via the OpenSearch Dashboards UI: Security → Roles → Edit → Mapped users.
After that I get this correct mapping and my permissions work.

# curl -s -X GET -k -u 'logstash:321654' 'https://10.10.1.2:9200/_opendistro/_security/authinfo?pretty'
{
  "user" : "User [name=logstash, backend_roles=[], requestedTenant=null]",
  "user_name" : "logstash",
  "user_requested_tenant" : null,
  "remote_address" : "10.10.1.1:48078",
  "backend_roles" : [
    ""
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "logstash_copy",
    "own_index"
  ],
  "tenants" : {
    "logstash" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Thank you, Anthony!
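A small check for the distinction the thread turns on, written as an added example (not code from the original thread or the OpenSearch project): it inspects authinfo output to tell a role that is actually mapped from a name merely typed into backend_roles, and builds the request body for the rolesmapping API that maps the user directly. The two authinfo documents are constructed from the responses shown above.

```python
import json

# Constructed sample of /_plugins/_security/authinfo output, modelled on the
# thread's responses (not captured from a real cluster). The role name was
# typed into the user's "Backend roles" box, so it shows up only there.
AUTHINFO_BACKEND_ONLY = json.loads("""
{
  "user_name": "logstash",
  "backend_roles": ["logstash_copy"],
  "roles": ["own_index"]
}
""")

# Same user after the role itself was mapped to the user (Security -> Roles ->
# Mapped users). The empty string in backend_roles mirrors the thread's output.
AUTHINFO_MAPPED = json.loads("""
{
  "user_name": "logstash",
  "backend_roles": [""],
  "roles": ["logstash_copy", "own_index"]
}
""")


def diagnose_role_binding(authinfo, expected_role):
    """Return how expected_role relates to the authenticated user.

    Only names in "roles" grant permissions. A name in "backend_roles" is just
    a label; it grants nothing unless some role mapping refers to it.
    """
    roles = set(authinfo.get("roles", []))
    backend_roles = {r for r in authinfo.get("backend_roles", []) if r}
    if expected_role in roles:
        return "mapped"
    if expected_role in backend_roles:
        return "backend_role_only"
    return "unmapped"


def rolesmapping_body(users=(), backend_roles=()):
    """Body for PUT /_plugins/_security/api/rolesmapping/<role>.

    Mapping the user directly ("users") is the fix used in the thread; listing
    a backend role here is what makes a backend-role label meaningful.
    """
    return {"users": list(users),
            "backend_roles": list(backend_roles),
            "hosts": []}
```

Run diagnose_role_binding against a live authinfo response before opening a ticket: a result of "backend_role_only" is exactly the misconfiguration described in this thread.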