Index Level Permission of security plugin is not working with list of indices in role

Hi,

I have created role that copies the permissions of admin limited to list of indices and single tenant.

Below is the API used to create my role.

PUT _opendistro/_security/api/roles/ars-admin
{
“cluster_permissions”: [
" * "
],
“index_permissions”: [
{
“index_patterns”: [
" ars-* "
],
“dls”: “”,
“fls”: ,
“masked_fields”: ,
“allowed_actions”: [
" * "
]
}
],
“tenant_permissions”: [
{
“tenant_patterns”: [
“ars”
],
“allowed_actions”: [
“kibana_all_write”
]
}
]
}

I have mapped users as ars-admin backend role should be assigned with this role. Role is being assigned to the user and tenant permission limiting to ars tenant only.

But when I tried to use GET API for indices it started throwing permission denied error as below.

“no permissions for [indices:monitor/settings/get] and User [name=ars user, backend_roles=[ars-role, offline_access, ars-admin, uma_authorization], requestedTenant=ars]”

On changing index_patterns: [ “*” ] in the role this issue getting resolved.

How can I resolve this permission issue??

Any help is more appreciated.

@hari97 Can you try one of these solutions.

  1. Add indices:monitor/settings/get to ars-role
  2. Configure do_not_fail_on_forbidden: true
    OpenSearch Dashboards multi-tenancy - OpenSearch documentation

Thanks @pablo for your quick response.
allowed_actions for index is * in my role.

Sorry @pablo I missed to mention that I am using Opendistro. There I couldn’t find do_not_fail_on_forbidden: true option.

"config" : {
    "dynamic" : {
      "filtered_alias_mode" : "warn",
      "disable_rest_auth" : false,
      "disable_intertransport_auth" : false,
      "respect_request_indices_options" : false,
      "kibana" : {
        "multitenancy_enabled" : true,
        "server_username" : "kibanaserver",
        "index" : ".kibana"
      },

On including do_not_fail_on_forbidden: true, some random error as below.

“Unrecognized field "do_not_fail_on_forbidden" (class com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Kibana), not marked as ignorable (4 known properties: "opendistro_role", "multitenancy_enabled", "server_username", "index"])\n at [Source: UNKNOWN; line: -1, column: -1] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7["dynamic"]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Dynamic["kibana"]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.ConfigV7$Kibana["do_not_fail_on_forbidden"])”

@hari97 That option is available in OpenDistro too as per documentation.

It looks like you’ve placed that under kibana: section where it should be at the same level as kibana:.
Please double check your indent in config.yml.

No luck @pablo . I have tried that and added indices:monitor/settings/get too.

Your index pattern seems weird to me you have some white spaces in it " ars-* " it should probably be "ars-*"

@hari97 Could you run the below command and share the result?

curl --insecure -u ars_user -XGET https://<ES_node>:9200/_opendistro/_security/authinfo?pretty

No… It doesn’t have any space. While creating topic here I have provided it for clear understanding. it is exactly “ars-*”.

@pablo , Please find the following output of

curl --insecure -u ars_user -XGET https://<ES_node>:9200/_opendistro/_security/authinfo?pretty

Output:

{
  "user" : "User [name=ars user, backend_roles=[ars-role, offline_access, uma_authorization], requestedTenant=ars]",
  "user_name" : "ars user",
  "user_requested_tenant" : "ars",
  "remote_address" : "xxx.xxx.xx.xx:xxxx",
  "backend_roles" : [
    "ars-role",
    "offline_access",
    "uma_authorization"
  ],
  "custom_attribute_names" : [
    "attr.jwt.iss",
    "attr.jwt.session_state",
    "attr.jwt.auth_time",
    "attr.jwt.typ",
    "attr.jwt.email_verified",
    "attr.jwt.preferred_username",
    "attr.jwt.roles",
    "attr.jwt.given_name",
    "attr.jwt.aud",
    "attr.jwt.acr",
    "attr.jwt.resource_access",
    "attr.jwt.allowed-origins",
    "attr.jwt.realm_access",
    "attr.jwt.azp",
    "attr.jwt.family_name",
    "attr.jwt.scope",
    "attr.jwt.sub",
    "attr.jwt.name",
    "attr.jwt.exp",
    "attr.jwt.iat",
    "attr.jwt.jti",
    "attr.jwt.email"
  ],
  "roles" : [
    "own_index",
    "ars-role",
    "alerting_read_access"
  ],
  "tenants" : {
    "ars user" : true,
    "ars" : false
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@pablo, Is there any information to share that will provide more info on issue??

Given access to all system indices. Even after the behavior didn’t change.
Please suggest some workaround to fix this issue.

Thanks in advance.