"hosts" in rolesmapping is not working

Hi all,

I am running OpenSearch 3.2.0 on my localhost and I am trying to map a user to a specific role from a specific host (hostname or IP). I followed the docs (API - OpenSearch Documentation) but it does not seem to work! I appreciate your help. Below are the steps I followed.

PUT testindex/_doc/1
{
  "name": "hello"
}
PUT _plugins/_security/api/internalusers/testuser
{
  "password": "SrchUsr12345789@"
}
PUT _plugins/_security/api/roles/testindex_role
{
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": [
        "testindex"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read"
      ]
    }
  ],
  "tenant_permissions": []
}
PUT _plugins/_security/api/rolesmapping/testindex_role
{
  "users": [
    "testuser"
  ],
  "backend_roles": [
    "testindex_role"
  ],
  "hosts": [
    "10.0.0.1"
  ]
}

Then I perform a search from 127.0.0.1 using testuser as shown below.

curl -k -u testuser:SrchUsr12345789@ https://localhost:9200/testindex/_search

As you can see in the result, it is returning results even though I am calling from 127.0.0.1 and not from 10.0.0.1.

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 1.0,
    "hits": [
      {
        "_index": "testindex",
        "_id": "1",
        "_score": 1.0,
        "_source": {
          "name": "hello"
        }
      }
    ]
  }
}

In addition, “opensearch_security.host_resolver_mode: ip-hostname” mentioned in API - OpenSearch Documentation does not seem to be a valid configuration. Can anyone give a working example of it and of the above?

Thanks

@asfoorial Your output is correct and expected. When the security plugin checks roles mapping, it uses logical OR instead of AND.

In this case, your mapping is trying to match either user, role or host.

If you’d like to rely on the host only, then you must remove user and role values.

This is my working example. It will work for IP 172.18.0.1 and will fail for localhost.

PUT _plugins/_security/api/rolesmapping/testindex_role
{
  "users": [],
  "backend_roles": [],
  "hosts": [
     "172.18.0.1"
  ]
}
curl -k -u testuser:Eliatra123 https://localhost:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=testuser, backend_roles=[], requestedTenant=null]",
  "user_name" : "testuser",
  "user_requested_tenant" : null,
  "remote_address" : "172.18.0.1:34664",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "testindex_role"
  ],
  "tenants" : {
    "testuser" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

curl -k -u testuser:Eliatra123 https://localhost:9200/testindex/_search?pretty
{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "testindex",
        "_id" : "1",
        "_score" : 1.0,
        "_source" : {
          "name" : "hello"
        }
      }
    ]
  }
}
curl -k -u testuser:Eliatra123 https://localhost:9200/_plugins/_security/authinfo?pretty
{
  "user" : "User [name=testuser, backend_roles=[], requestedTenant=null]",
  "user_name" : "testuser",
  "user_requested_tenant" : null,
  "remote_address" : "[::1]:54828",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "testuser" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

curl -k -u testuser:Eliatra123 https://localhost:9200/testindex/_search?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]"
  },
  "status" : 403
}
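To make the OR semantics described above concrete, here is a small added Python model of how a rolesmapping entry is evaluated against a request; it is not the security plugin's own code. It assumes host entries are compared as glob-style patterns against the client IP taken from the remote_address field that authinfo returns.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class RoleMapping:
    # The three match lists of a rolesmapping entry.
    users: list = field(default_factory=list)
    backend_roles: list = field(default_factory=list)
    hosts: list = field(default_factory=list)


def remote_ip(remote_address: str) -> str:
    """Strip the port from the remote_address string that
    /_plugins/_security/authinfo returns, e.g. '172.18.0.1:34664' or '[::1]:54828'."""
    host, _, _port = remote_address.rpartition(":")
    return host[1:-1] if host.startswith("[") else host


def matched_clauses(m: RoleMapping, user: str, backend_roles: list, remote_address: str) -> list:
    """Return the clauses of the mapping that match this request.
    The clauses are OR-ed, so a non-empty result means the role is granted.
    Host entries are compared with glob-style wildcards (an assumption of this toy model)."""
    ip = remote_ip(remote_address)
    hits = []
    if user in m.users:
        hits.append("users")
    if any(br in m.backend_roles for br in backend_roles):
        hits.append("backend_roles")
    if any(fnmatchcase(ip, pattern) for pattern in m.hosts):
        hits.append("hosts")
    return hits


# Constructed from the thread: the original mapping and the hosts-only mapping.
ORIGINAL = RoleMapping(users=["testuser"], backend_roles=["testindex_role"], hosts=["10.0.0.1"])
HOSTS_ONLY = RoleMapping(hosts=["172.18.0.1"])

if __name__ == "__main__":
    # testuser from localhost still gets the role via the "users" clause ...
    print(matched_clauses(ORIGINAL, "testuser", [], "127.0.0.1:50000"))   # ['users']
    # ... while the hosts-only mapping grants it only from the listed address.
    print(matched_clauses(HOSTS_ONLY, "testuser", [], "172.18.0.1:34664"))  # ['hosts']
    print(matched_clauses(HOSTS_ONLY, "testuser", [], "[::1]:54828"))       # []
```

The last two calls reproduce the authinfo outputs in the reply: from 172.18.0.1 the role list contains testindex_role, from [::1] it does not.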

What I want to do is to restrict a specific user to only specific hosts. Is that possible? In my example above, I want testuser to be able to search testindex only from host 10.0.0.1. To clarify my requirement, I want to have a user that performs indexing and it should have full access to the index. However, I want it to have that access only on a specific node (indexing node).

The below worked for me; indirect, but it works.

PUT _plugins/_security/api/internalusers/testuser
{
  "password": "SrchUsr12345789@"
}

PUT _plugins/_security/api/roles/limit_user_role
{
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": [
        "testindex"
      ],
      "dls": """{
        "bool": {
          "must": [
            {
              "script": {
                "script": {
                  "source": "params.expected_value == 'testuser'",
                  "params": {
                    "expected_value": "testuser"
                  }
                }
              }
            },
            {
              "match_all": {}
            }
          ]
        }
      }""",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "data_access"
      ]
    }
  ],
  "tenant_permissions": []
}

PUT _plugins/_security/api/rolesmapping/limit_user_role
{
  "hosts": [
    "192.168.89.135"
  ]
}