Define security roles for aliases

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: v2.16.0

Describe the issue:
I’ve created an index with multiple related aliases (aliases created with a filter). Then I’ve defined a role for each alias.

I noticed that any user who has one of these roles can access the whole index and all other aliases, while access should be restricted to the related alias only.

Configuration:

  1. Create an index template with multiple aliases like below
{
  "index_patterns": [
    "messages-*"
  ],
  "template": {
    "aliases": {
      "all-messages": {},
      "messages-us": {
        "filter": {
          "term": {
            "country": "US"
          }
        }
      },
      "messages-uk": {
        "filter": {
          "term": {
            "country": "UK"
          }
        }
      },
      "messages-fr": {
        "filter": {
          "term": {
            "country": "FR"
          }
        }
      }
    }
.................
  2. Create a role for each alias; an example of one of those roles:
"messages_us_index_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "indices:data/read/scroll"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "messages-us"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
  3. Create a user that owns one of the alias roles (for example, us_user owns the role messages_us_index_role)
  4. Try to search over the messages-uk alias using us_user

Expected:
Return 403

Actual:
Return 200 and all data without any issues

Hint:
I noticed the following logs when I changed the OpenSearch logging level of the org.opensearch.security package to debug:

[2024-08-12T09:15:13,583][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Rest user 'User [name=user-us, backend_roles=[messages-us], requestedTenant=null]' is authenticated
[2024-08-12T09:15:13,583][DEBUG][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] securitytenant 'null'
[2024-08-12T09:15:13,584][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-cluster-master-0] Evaluate permissions for User [name=api.uae.user, backend_roles=[sac-messages-ae-index], requestedTenant=null] on opensearch-cluster-master-0
[2024-08-12T09:15:13,584][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-cluster-master-0] Action: indices:data/read/search (SearchRequest)
[2024-08-12T09:15:13,584][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-cluster-master-0] Mapped roles: [messages_us_index_role]
[2024-08-12T09:15:13,584][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-cluster-master-0] Resolve aliases, indices and types from SearchRequest
[2024-08-12T09:15:13,584][DEBUG][o.o.s.r.IndexResolverReplacer] [opensearch-cluster-master-0] Resolved pattern [messages-us] to indices: [messages-2024] and data-streams: []
[2024-08-12T09:15:13,585][DEBUG][o.o.s.p.PrivilegesEvaluator] [opensearch-cluster-master-0] RequestedResolved : Resolved [aliases=[messages-us], allIndices=[messages-2024], types=[*], originalRequested=[messages-us], remoteIndices=[]]

@ahmadabulaban1993 As far as I’m aware OpenSearch doesn’t provide granular permission per alias.
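
An audit check over the debug output quoted in the question, as an added example that is not part of the original thread: it pairs each `Mapped roles` line with the following `RequestedResolved` line and reports requests whose `originalRequested` name matches none of the mapped roles' `index_patterns`. The role map, the sample log lines (node name and second request included) and the function names are constructed for the example, and it assumes the two lines of one request appear in order without interleaving.

```python
import re
from fnmatch import fnmatchcase

# Assumption: role -> index_patterns, copied from the role definition in the question.
ROLE_PATTERNS = {"messages_us_index_role": ["messages-us"]}

# Constructed sample lines in the DEBUG format quoted in the question.
SAMPLE_LOG = """\
[2024-08-12T09:15:13,584][DEBUG][o.o.s.p.PrivilegesEvaluator] [node-0] Mapped roles: [messages_us_index_role]
[2024-08-12T09:15:13,585][DEBUG][o.o.s.p.PrivilegesEvaluator] [node-0] RequestedResolved : Resolved [aliases=[messages-us], allIndices=[messages-2024], types=[*], originalRequested=[messages-us], remoteIndices=[]]
[2024-08-12T09:16:02,101][DEBUG][o.o.s.p.PrivilegesEvaluator] [node-0] Mapped roles: [messages_us_index_role]
[2024-08-12T09:16:02,102][DEBUG][o.o.s.p.PrivilegesEvaluator] [node-0] RequestedResolved : Resolved [aliases=[messages-uk], allIndices=[messages-2024], types=[*], originalRequested=[messages-uk], remoteIndices=[]]
"""

ROLES_RE = re.compile(r"Mapped roles: \[(.*?)\]")
RESOLVED_RE = re.compile(r"allIndices=\[(.*?)\].*originalRequested=\[(.*?)\]")


def split_list(text):
    """Split the comma-separated body of a bracketed log list."""
    return [item.strip() for item in text.split(",") if item.strip()]


def find_out_of_scope(log_text, role_patterns):
    """Return (timestamp, roles, requested name, resolved indices) for every
    request whose requested name matches no index pattern of the mapped roles."""
    findings, roles = [], []
    for line in log_text.splitlines():
        m = ROLES_RE.search(line)
        if m:
            roles = split_list(m.group(1))  # applies to the next resolved line
            continue
        m = RESOLVED_RE.search(line)
        if not m:
            continue
        indices, requested = split_list(m.group(1)), split_list(m.group(2))
        allowed = [p for r in roles for p in role_patterns.get(r, [])]
        for name in requested:
            if not any(fnmatchcase(name, p) for p in allowed):
                findings.append((line[1:24], roles, name, indices))
    return findings


if __name__ == "__main__":
    for ts, roles, name, indices in find_out_of_scope(SAMPLE_LOG, ROLE_PATTERNS):
        print(f"{ts} roles={roles} requested {name} (resolves to {indices}) outside role patterns")
```

On the constructed sample, only the `messages-uk` request is reported; both requests resolve to the same concrete index `messages-2024`.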