Indices:data/write/bulk Permission Error

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v2.15

Describe the issue:
We control permissions so that each user gets a custom tenant per project,
but when a user connects to a tenant with a role like the one below, there are cases where the error mentioned in the title occurs and cases where it does not.
Why does it happen when accessing Discovery or Home?

Through the backend_roles shown in the log below, we create two tenants and allow the user to access both custom tenants;
even though both are connected with the same role configuration, one side gets the error and the other does not.

Configuration:

            "cluster_permissions": [
                "cluster:admin/opensearch/ql/datasources/read",
                "indices:data/read/mget"
            ],
            "index_permissions": [
                {
                    "index_patterns": ["{tenant_name}-*"],
                    "dls": "",
                    "fls": [],
                    "masked_fields": [],
                    "allowed_actions": ["read"]
                }
            ],
            "tenant_permissions": [
                {
                    "tenant_patterns": ["{tenant_name}"],
                    "allowed_actions": ["kibana_all_read", "kibana_all_write"]
                }
            ]

Relevant Logs or Screenshots:
Dec 17 19:38:11 opensearch-dashboards[2566944]: {"type":"log","@timestamp":"2024-12-17T10:38:11Z","tags":["error","opensearch","data"],"pid":2566944,"message":"[security_exception]: no permissions for [indices:data/write/bulk] and User [name=dev, backend_roles=[ raycluster, test-raycluster], requestedTenant=raycluster]"}

Hi @pizzaman,

Is there a particular action that triggers the error?

Could you share the outputs of the below:


curl --insecure -u <admin_username>:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/roles/raycluster
curl --insecure -u <admin_username>:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/roles/test-raycluster
curl --insecure -u <admin_username>:<admin_password> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/api/rolesmapping?pretty

Best,
mj

This is one of the nuances of the OpenSearch security model: indices:data/write/bulk is considered a cluster_permission. Make sure that one of the roles that the user is mapped to contains this in the cluster_permissions section.

The reason it is a cluster permission is that a bulk action is composed of individual actions and is not itself directly connected to indices. When authorizing a bulk request, the individual items of the bulk request are all independently authorized. By adding indices:data/write/bulk to the cluster_permissions of a role, you are basically saying that the role is capable of performing a _bulk request.

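To make the point above concrete, here is an added example (not code from the thread or from the OpenSearch project) that audits role and role-mapping documents of the shape returned by `GET _plugins/_security/api/roles` and `.../rolesmapping` and reports whether a user's mapped roles grant `indices:data/write/bulk` at cluster level. The role documents, the `bulk_writer` role carrying the fix, and both mappings are constructed for the example; the user `dev` and the backend roles `raycluster` / `test-raycluster` are taken from the log in the question.

```python
import fnmatch

BULK_ACTION = "indices:data/write/bulk"

# Constructed role documents (shape of GET _plugins/_security/api/roles).
# The two project roles mirror the configuration in the question: bulk is
# absent from cluster_permissions, and "read" only covers index-level reads.
ROLES = {
    "raycluster": {
        "cluster_permissions": [
            "cluster:admin/opensearch/ql/datasources/read",
            "indices:data/read/mget",
        ],
        "index_permissions": [
            {"index_patterns": ["raycluster-*"], "allowed_actions": ["read"]}
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["raycluster"],
             "allowed_actions": ["kibana_all_read", "kibana_all_write"]}
        ],
    },
    "test-raycluster": {
        "cluster_permissions": ["indices:data/read/mget"],
        "index_permissions": [
            {"index_patterns": ["test-raycluster-*"], "allowed_actions": ["read"]}
        ],
        "tenant_permissions": [
            {"tenant_patterns": ["test-raycluster"],
             "allowed_actions": ["kibana_all_read", "kibana_all_write"]}
        ],
    },
    # Hypothetical role carrying the fix from the reply: the bulk envelope is
    # granted as a cluster permission. Write access to individual indices is
    # still decided per item by index_permissions, so this grants nothing else.
    "bulk_writer": {
        "cluster_permissions": [BULK_ACTION],
        "index_permissions": [],
        "tenant_permissions": [],
    },
}

# Constructed mappings (shape of GET _plugins/_security/api/rolesmapping).
MAPPING_BEFORE = {
    "raycluster": {"backend_roles": ["raycluster"], "users": []},
    "test-raycluster": {"backend_roles": ["test-raycluster"], "users": []},
}
MAPPING_AFTER = dict(MAPPING_BEFORE)
MAPPING_AFTER["bulk_writer"] = {
    "backend_roles": ["raycluster", "test-raycluster"], "users": []
}


def roles_for(user, backend_roles, mapping):
    """Security roles a user receives by user name or by any backend role."""
    return {
        name for name, m in mapping.items()
        if user in m.get("users", [])
        or set(backend_roles) & set(m.get("backend_roles", []))
    }


def grants_cluster_action(role, action):
    """True if any cluster_permissions entry matches the action.

    Entries are raw action names or globs such as 'indices:*'. Named action
    groups (e.g. 'cluster_all') are not expanded here; resolve them first if
    your roles rely on them."""
    return any(fnmatch.fnmatchcase(action, p)
               for p in role.get("cluster_permissions", []))


def roles_granting_bulk(user, backend_roles, roles, mapping):
    """Sorted names of the user's mapped roles that grant bulk at cluster level."""
    return sorted(
        name for name in roles_for(user, backend_roles, mapping)
        if name in roles and grants_cluster_action(roles[name], BULK_ACTION)
    )


def explain(user, backend_roles, roles, mapping):
    """One-line verdict in the spirit of the security_exception message."""
    granting = roles_granting_bulk(user, backend_roles, roles, mapping)
    if granting:
        return f"ok: {BULK_ACTION} granted via {', '.join(granting)}"
    return (f"no permissions for [{BULK_ACTION}]: add it to cluster_permissions "
            f"of a role mapped to user {user}")


if __name__ == "__main__":
    dev = ("dev", ["raycluster", "test-raycluster"])
    print(explain(*dev, ROLES, MAPPING_BEFORE))  # reproduces the error
    print(explain(*dev, ROLES, MAPPING_AFTER))   # after mapping bulk_writer
```

Run the script to see the before/after verdicts; to audit a live cluster, feed it the JSON from the two `curl` commands mj listed above instead of the constructed dictionaries. Keeping the bulk grant in a small dedicated role, as `bulk_writer` does, follows least privilege: it unlocks only the bulk envelope, and each item inside the request is still checked against the per-index permissions.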