How to disable index pattern delete option for a non-admin user

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.15

Describe the issue:

I want to disable the delete option of the index pattern for a non-admin user.
Below are the permission details of the roles…
{
  "cluster_permissions": [
    "cluster:monitor/state",
    "cluster:monitor/health",
    "cluster:admin/opendistro/ism/policy/search",
    "cluster_composite_ops_ro"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "epcis*"
      ],
      "dls": "{\"term\": {\"billto_gln\": \"0847976000045\"}}",
      "allowed_actions": [
        "indices:data/read/get",
        "indices:data/read/search",
        "indices:data/write/index",
        "indices:data/write/bulk",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "indices:monitor/recovery"
      ]
    },
    {
      "index_patterns": [
        ".kibana*"
      ],
      "allowed_actions": [
        "indices:data/read/get",
        "indices:data/read/search",
        "indices:data/write/index",
        "indices:data/write/bulk",
        "indices:monitor/settings/get",
        "indices:monitor/stats",
        "indices:monitor/recovery"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_read"
      ]
    }
  ]
}

Configuration:

Relevant Logs or Screenshots:

Hi @jinoinfo,

To be able to delete indexes, your user requires indices:admin/delete; for documents, indices:data/write/delete.

Is there a reason the role above requires “cluster_composite_ops_ro” (Default action groups - OpenSearch Documentation)?

Would you mind sharing the output of the:

GET _plugins/_security/api/roles/<the role name in question>

and the below (with the user that should NOT have permission to delete):

GET _plugins/_security/authinfo

best,
mj
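A way to check a role definition offline for the two delete actions named in the reply above. This is an added example, not part of the original thread; the function name `delete_grants` and the index name `.kibana_1` are assumptions, and the sample is constructed from the index permissions posted in the question.

```python
import fnmatch
import json

# Actions named in the reply above: delete an index / delete a document.
DELETE_ACTIONS = ("indices:admin/delete", "indices:data/write/delete")

_ACTIONS = ["indices:data/read/get", "indices:data/read/search",
            "indices:data/write/index", "indices:data/write/bulk",
            "indices:monitor/settings/get", "indices:monitor/stats",
            "indices:monitor/recovery"]

# Constructed sample: index_permissions as posted in the question.
ROLE = json.loads(json.dumps({"index_permissions": [
    {"index_patterns": ["epcis*"], "allowed_actions": _ACTIONS},
    {"index_patterns": [".kibana*"], "allowed_actions": _ACTIONS},
]}))


def delete_grants(role, index_name):
    """Return (granted, unresolved) for one concrete index name.

    granted    -- (allowed_action, delete_action) pairs where an allowed
                  action or wildcard covers a delete action
    unresolved -- entries without ':' or '*', i.e. action group names that
                  must be expanded on the cluster before judging them
    Only '*' and '?' wildcards are handled; /regex/ patterns are not.
    """
    granted, unresolved = [], []
    for perm in role.get("index_permissions", []):
        patterns = perm.get("index_patterns", [])
        if not any(fnmatch.fnmatchcase(index_name, p) for p in patterns):
            continue  # this permission block does not apply to the index
        for allowed in perm.get("allowed_actions", []):
            if ":" not in allowed and "*" not in allowed:
                unresolved.append(allowed)
                continue
            for action in DELETE_ACTIONS:
                if fnmatch.fnmatchcase(action, allowed):
                    granted.append((allowed, action))
    return granted, unresolved


if __name__ == "__main__":
    # ".kibana_1" is an assumed name for the Dashboards saved-objects index.
    granted, unresolved = delete_grants(ROLE, ".kibana_1")
    print("delete granted by:", granted or "nothing")
    print("action groups to expand manually:", unresolved or "none")
```

The check covers a single role; a user's effective permissions are the union of all roles listed under `roles` in the authinfo output, so each of them has to be run through it.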

Hi @Mantas

Right now the non-admin user is able to delete the index pattern. I do not want him to delete the index pattern.

cluster_composite_ops_ro is mainly added for the read-only option for the non-admin user. Basically, the role I defined is for read-only capability for the non-admin user for the dashboard. The dashboard is read-only now, but the index pattern is allowed to be deleted, and I need to make that read-only as well for the logged-in non-admin user.

Response for GET _plugins/_security/api/roles/epcis_Index_ro

{
  "epcis_Index_ro": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster:monitor/state",
      "cluster:monitor/health",
      "cluster:admin/opendistro/ism/policy/search",
      "cluster_composite_ops_ro"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "epcis*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/read/get",
          "indices:data/read/search",
          "indices:monitor/settings/get",
          "indices:monitor/stats",
          "indices:monitor/recovery"
        ]
      },
      {
        "index_patterns": [
          ".kibana*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/read/get",
          "indices:data/read/search",
          "indices:monitor/settings/get",
          "indices:monitor/stats",
          "indices:monitor/recovery"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "global_tenant"
        ],
        "allowed_actions": [
          "kibana_all_read"
        ]
      }
    ],
    "static": false
  }
}

Response for GET _plugins/_security/authinfo - Non Admin user

{
  "user": "User [name=admin, backend_roles=[admin], requestedTenant=]",
  "user_name": "admin",
  "user_requested_tenant": "",
  "remote_address": "[::1]:56375",
  "backend_roles": [
    "admin"
  ],
  "custom_attribute_names": [],
  "roles": [
    "own_index",
    "all_access"
  ],
  "tenants": {
    "global_tenant": true,
    "admin_tenant": true,
    "admin": true
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

This is an (the) admin user with “all_access” permissions that is allowed to delete.

You can try curl instead:

curl --insecure -u '<non admin username>:<Password>' -XGET 'https://<OS_node>:9200/_plugins/_security/authinfo?pretty'

Best,
mj

Hi @Mantas
Please find the response for GET /_plugins/_security/authinfo?pretty
{
  "user": "User [name=supplier-user-ro, backend_roles=[epcis_Index_ro, kibana_read_only, readall], requestedTenant=]",
  "user_name": "supplier-user-ro",
  "user_requested_tenant": "",
  "remote_address": "[::1]:56373",
  "backend_roles": [
    "epcis_Index_ro",
    "kibana_read_only",
    "readall"
  ],
  "custom_attribute_names": [],
  "roles": [
    "epcis_Index_ro",
    "own_index",
    "readall"
  ],
  "tenants": {
    "supplier-user-ro": true,
    "global_tenant": false
  },
  "principal": null,
  "peer_certificates": "0",
  "sso_logout_url": null
}

Hi @Mantas,

One thing I observed is that, for the index pattern, it is showing the delete icon, but if the non-admin user clicks on the icon, nothing happens in the front end (it is not deleted), and in the back-end console it throws a permission denied error. In this respect I am fine, since the user is not able to delete the index pattern.

Is there any way to remove that icon from the front end when the user does not have permission to delete based on the role?