Grant to a role all permissions to all indexes except for some indexes

Versions:
OpenSearch: 2.18.0

Describe the issue:
I want to grant to a role all permissions to all indexes except for some indexes, for example, those matching the sensitive* pattern

Configuration:
I used index_patterns value like the one allowed at snapshot indices field, but it doesn’t work:

my_role:
  index_permissions:
  - index_patterns:
    - "*,-sensitive*"
    allowed_actions:
    - "*"

Hi @SlavaUtesinov ,

try something like
my_role:
  index_permissions:
  - index_patterns:
    - "*"
    excluded_index_patterns:
    - "sensitive*"
    allowed_actions:
    - "*"

Leeroy.

Hi, @Leeroy, unfortunately, I got an error:
{
  "error": {
    "root_cause": [
      {
        "type": "unrecognized_property_exception",
        "reason": "Unrecognized field \"excluded_index_patterns\" (class org.opensearch.security.securityconf.impl.v7.RoleV7$Index), not marked as ignorable (5 known properties: \"index_patterns\", \"dls\", \"fls\", \"allowed_actions\", \"masked_fields\"])\n at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.opensearch.security.securityconf.impl.v7.RoleV7[\"index_permissions\"]->java.util.ArrayList[0]->org.opensearch.security.securityconf.impl.v7.RoleV7$Index[\"excluded_index_patterns\"])"
      }
    ],
    "type": "unrecognized_property_exception",
    "reason": "Unrecognized field \"excluded_index_patterns\" (class org.opensearch.security.securityconf.impl.v7.RoleV7$Index), not marked as ignorable (5 known properties: \"index_patterns\", \"dls\", \"fls\", \"allowed_actions\", \"masked_fields\"])\n at [Source: UNKNOWN; byte offset: #UNKNOWN] (through reference chain: org.opensearch.security.securityconf.impl.v7.RoleV7[\"index_permissions\"]->java.util.ArrayList[0]->org.opensearch.security.securityconf.impl.v7.RoleV7$Index[\"excluded_index_patterns\"])"
  },
  "status": 500
}

There is no excluded_index_patterns property according to the code

@SlavaUtesinov The security plugin doesn't allow excluding indices in the index pattern.
As you’ve stated, this worked with Snapshots. That is a different module of OpenSearch.

Hi, @pablo . Do we have any alternatives?

@SlavaUtesinov At this point you can’t “exclude” a single index from index_patterns when you also grant *. index_patterns are only positive matches (no negation), and permissions are effectively the union of all matching patterns across all assigned roles.

i.e.

pablo:
  reserved: false
  hidden: false
  cluster_permissions: []
  index_permissions:
  - index_patterns:
    - "*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices_all"
  - index_patterns:
    - "index*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions: []
  tenant_permissions:
  - tenant_patterns:
    - "global_tenant"
    allowed_actions:
    - "kibana_all_write"
  static: false

In this scenario, the user will always have full access to index* indices even when allowed_actions were not defined specifically for that index pattern.

As a workaround, I suggest using a list of indices instead of '*'.

This is not a bug as this feature never existed in OpenSearch security plugin. You could consider opening a feature request instead.

There is currently a GitHub bug reported, you could comment there with your scenario.
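The positive-only, union-across-patterns semantics described in this thread can be checked offline before a roles.yml is pushed. The following is an added audit script, not code from the OpenSearch security plugin or from anyone in the thread; it approximates the plugin's wildcard matcher with Python's fnmatch (an assumption) and embeds constructed role definitions mirroring the three configurations discussed: the rejected "*,-sensitive*" pattern, the explicit allow-list workaround, and the "*" plus "index*" union case.

```python
import fnmatch

# Constructed sample of roles.yml content, held as a dict so no YAML library is needed.
ROLES = {
    # The original attempt: negation inside a pattern is not understood, so the
    # whole string is just a literal pattern that matches no real index name.
    "my_role_negated": {
        "index_permissions": [
            {"index_patterns": ["*,-sensitive*"], "allowed_actions": ["*"]},
        ]
    },
    # The workaround from the thread: list the wanted indices explicitly.
    "my_role_explicit": {
        "index_permissions": [
            {"index_patterns": ["logs-*", "metrics-*"], "allowed_actions": ["*"]},
        ]
    },
    # The union case: "*" with indices_all plus "index*" with no actions.
    "union_example": {
        "index_permissions": [
            {"index_patterns": ["*"], "allowed_actions": ["indices_all"]},
            {"index_patterns": ["index*"], "allowed_actions": []},
        ]
    },
}


def matching_actions(role, index_name):
    """Union of allowed_actions over every index_patterns entry matching index_name.
    Patterns are positive-only: an entry with no actions never removes anything
    granted by another entry. fnmatch stands in for the plugin's matcher (assumption)."""
    actions = set()
    for perm in role.get("index_permissions", []):
        for pattern in perm.get("index_patterns", []):
            if fnmatch.fnmatchcase(index_name, pattern):
                actions.update(perm.get("allowed_actions", []))
    return actions


def roles_granting(roles, index_name):
    """Sorted names of roles that grant at least one action on index_name."""
    return sorted(n for n, r in roles.items() if matching_actions(r, index_name))


def audit_sensitive(roles, sensitive_pattern, index_names):
    """(role, index) pairs where a role reaches an index matching sensitive_pattern.
    Run this against the real index list before deploying a roles.yml change."""
    return [(n, idx) for idx in index_names
            if fnmatch.fnmatchcase(idx, sensitive_pattern)
            for n in roles_granting(roles, idx)]
```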