Index Level Permission of security plugin is not working with list of indices in role

Hi,

I have created role that copies the permissions of admin limited to list of indices and single tenant.

Below is the API used to create my role.

PUT _opendistro/_security/api/roles/ars-admin
{
  "cluster_permissions": [
    " * "
  ],
  "index_permissions": [
    {
      "index_patterns": [
        " ars-* "
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        " * "
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "ars"
      ],
      "allowed_actions": [
        "kibana_all_write"
      ]
    }
  ]
}

I have mapped users so that anyone with the ars-admin backend role is assigned this role. The role is being assigned to the user, and the tenant permission is limited to the ars tenant only.

But when I tried to use the GET API for indices, it started throwing a permission denied error as below.

“no permissions for [indices:monitor/settings/get] and User [name=ars user, backend_roles=[ars-role, offline_access, ars-admin, uma_authorization], requestedTenant=ars]”

On changing index_patterns to [ "*" ] in the role, this issue gets resolved.

How can I resolve this permission issue?

Any help is much appreciated.

@hari97 Can you try one of these solutions?

  1. Add indices:monitor/settings/get to ars-role
  2. Configure do_not_fail_on_forbidden: true (see OpenSearch Dashboards multi-tenancy - OpenSearch documentation)

Thanks @pablo for your quick response.
The allowed_actions for the index is already * in my role.

Sorry @pablo, I forgot to mention that I am using Open Distro. There I couldn't find the do_not_fail_on_forbidden: true option.

"config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },

On including do_not_fail_on_forbidden: true, I get the error below.

“Unrecognized field "do_not_fail_on_forbidden" (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Kibana), not marked as ignorable (4 known properties: "opendistro_role", "multitenancy_enabled", "server_username", "index"])\n at [Source: UNKNOWN; line: -1, column: -1] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7["dynamic"]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Dynamic["kibana"]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Kibana["do_not_fail_on_forbidden"])”

@hari97 That option is available in OpenDistro too as per documentation.

It looks like you've placed that under the kibana: section, whereas it should be at the same level as kibana:.
Please double check your indentation in config.yml.
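As an added illustration (not code from this thread, Open Distro or the security plugin), the Python check below simulates how a role's wildcard index_patterns and allowed_actions decide whether an action on a given index is covered, and flags the two pitfalls raised above: stray whitespace in a pattern and do_not_fail_on_forbidden nested under kibana instead of directly under dynamic. The glob translation (only * and ?) is a simplification of the plugin's matcher, and the sample role is constructed to mirror ars-admin.

```python
"""Offline sanity check for an Open Distro / OpenSearch security role document."""
import json
import re


def _glob(pattern: str) -> re.Pattern:
    # Translate a plugin-style wildcard ('*' = any run, '?' = one char) into an
    # anchored regex. Assumption: the plugin's '/regex/' pattern form is not handled.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def suspicious_patterns(role: dict) -> list:
    """Index patterns that can never match an index name because of surrounding whitespace."""
    return [p for ip in role.get("index_permissions", [])
            for p in ip["index_patterns"] if p != p.strip()]


def role_allows(role: dict, action: str, index: str) -> bool:
    """True if some index_permissions entry covers both the index and the action."""
    for ip in role.get("index_permissions", []):
        index_ok = any(_glob(p).match(index) for p in ip["index_patterns"])
        action_ok = any(_glob(a).match(action) for a in ip["allowed_actions"])
        if index_ok and action_ok:
            return True
    return False


def misplaced_dnfof(config: dict) -> bool:
    """True if do_not_fail_on_forbidden sits under dynamic.kibana instead of dynamic."""
    dynamic = config["config"]["dynamic"]
    return ("do_not_fail_on_forbidden" in dynamic.get("kibana", {})
            and "do_not_fail_on_forbidden" not in dynamic)


# Constructed sample role modelled on the thread's ars-admin definition.
ROLE = json.loads("""{
  "cluster_permissions": ["*"],
  "index_permissions": [{"index_patterns": ["ars-*"], "dls": "", "fls": [],
                         "masked_fields": [], "allowed_actions": ["*"]}]
}""")
ACTION = "indices:monitor/settings/get"  # the action denied in the thread

if __name__ == "__main__":
    # An ars-* index is covered; any index outside the pattern is not, so a
    # settings lookup that touches one is denied unless the pattern is widened to "*".
    print(role_allows(ROLE, ACTION, "ars-logs-2021"), role_allows(ROLE, ACTION, ".kibana"))
```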

No luck @pablo. I have tried that and added indices:monitor/settings/get too.

Your index pattern seems weird to me: you have some white space in it, " ars-* ". It should probably be "ars-*".

@hari97 Could you run the below command and share the result?

curl --insecure -u ars_user -XGET https://<ES_node>:9200/_opendistro/_security/authinfo?pretty

No, it doesn't have any space. While creating the topic here I added the spacing for readability; it is exactly "ars-*".

@pablo, please find below the output of

curl --insecure -u ars_user -XGET https://<ES_node>:9200/_opendistro/_security/authinfo?pretty

Output:

{
  "user" : "User [name=ars user, backend_roles=[ars-role, offline_access, uma_authorization], requestedTenant=ars]",
  "user_name" : "ars user",
  "user_requested_tenant" : "ars",
  "remote_address" : "xxx.xxx.xx.xx:xxxx",
  "backend_roles" : [
    "ars-role",
    "offline_access",
    "uma_authorization"
  ],
  "custom_attribute_names" : [
    "attr.jwt.iss",
    "attr.jwt.session_state",
    "attr.jwt.auth_time",
    "attr.jwt.typ",
    "attr.jwt.email_verified",
    "attr.jwt.preferred_username",
    "attr.jwt.roles",
    "attr.jwt.given_name",
    "attr.jwt.aud",
    "attr.jwt.acr",
    "attr.jwt.resource_access",
    "attr.jwt.allowed-origins",
    "attr.jwt.realm_access",
    "attr.jwt.azp",
    "attr.jwt.family_name",
    "attr.jwt.scope",
    "attr.jwt.sub",
    "attr.jwt.name",
    "attr.jwt.exp",
    "attr.jwt.iat",
    "attr.jwt.jti",
    "attr.jwt.email"
  ],
  "roles" : [
    "own_index",
    "ars-role",
    "alerting_read_access"
  ],
  "tenants" : {
    "ars user" : true,
    "ars" : false
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@pablo, is there any other information I can share that would help with this issue?

I have also given the role access to all system indices. Even after that the behavior didn't change.
Please suggest some workaround to fix this issue.

Thanks in advance.

Did you find a solution?