I have an OpenSearch 1.2.4 cluster with the following security config:
{
  "config": {
    "dynamic": {
      "filtered_alias_mode": "warn",
      "disable_rest_auth": false,
      "disable_intertransport_auth": false,
      "respect_request_indices_options": false,
      "kibana": {
        "multitenancy_enabled": true,
        "server_username": "kibanaserver",
        "index": ".kibana"
      },
      "http": {
        "anonymous_auth_enabled": false,
        "xff": {
          "enabled": false,
          "internalProxies": "192\\.168\\.0\\.10|192\\.168\\.0\\.11",
          "remoteIpHeader": "X-Forwarded-For"
        }
      },
      "authc": {
        "basic_internal_auth_domain": {
          "http_enabled": true,
          "transport_enabled": true,
          "order": 1,
          "http_authenticator": {
            "challenge": true,
            "type": "basic",
            "config": {}
          },
          "authentication_backend": {
            "type": "intern",
            "config": {}
          },
          "description": "Authenticate via HTTP Basic against internal users database"
        }
      },
      "authz": {},
      "auth_failure_listeners": {},
      "do_not_fail_on_forbidden": true,
      "multi_rolespan_enabled": true,
      "hosts_resolver_mode": "ip-only",
      "do_not_fail_on_forbidden_empty": true
    }
  }
}
I created an internal role with all kinds of index permissions for the index pattern sem* and assigned this role to an internal user:
curl -XPUT https://localhost:9200/_plugins/_security/api/roles/sem-role -H 'Content-Type: application/json' -d'
{
  "cluster_permissions": [
    "cluster_monitor"
  ],
  "index_permissions": [{
    "index_patterns": [
      "sem*"
    ],
    "allowed_actions": ["*"]
  }]
}
'
curl -XPUT https://localhost:9200/_plugins/_security/api/internalusers/sem-user -H 'Content-Type: application/json' -d'
{
  "password": "######",
  "opendistro_security_roles": ["sem-role"]
}
'
The following APIs fail for this newly created user:
- GET Aliases
# curl https://localhost:9200/_cat/aliases/sem*?pretty -u sem-user
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/aliases/get] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:admin/aliases/get] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
  },
  "status" : 403
}
Changing index_patterns to "*" fixes this access issue, but that defeats the purpose of having a role in the first place if this user is able to access all indices.
- INDEX DOCUMENT
# curl -u sem-user -X POST "https://localhost:9200/sem1234/_doc/1?pretty" -H 'Content-Type: application/json' -d'
{
  "@timestamp": "2000-11-15T13:12:00",
  "message": "test",
  "user": {
    "id": "abcd"
  }
}
'
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:data/write/bulk] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:data/write/bulk] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
  },
  "status" : 403
}
The index pattern "sem*" works as expected for the CREATE INDEX API: it allows creating an index named, say, sem1234 and blocks creating an index named asem1234.
# curl -XPUT https://localhost:9200/sem1234?pretty -u sem-user
{
  "acknowledged" : true,
  "shards_acknowledged" : true,
  "index" : "sem1234"
}
# curl -XPUT https://localhost:9200/asem1234?pretty -u sem-user
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/create] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for [indices:admin/create] and User [name=sem-user, backend_roles=[], requestedTenant=null]"
  },
  "status" : 403
}
Any idea why basic APIs such as indexing documents don't work with the given permissions?
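Added example, not part of the original post: a single-document POST to `/sem1234/_doc/1` is executed by OpenSearch as a bulk request, and the security plugin evaluates the top-level `indices:data/write/bulk` action as a cluster-level permission (the per-shard `indices:data/write/bulk[s]` part is still checked against the role's index patterns). Granting that one cluster permission is enough for indexing while keeping sem-user confined to `sem*`; the rest of the role body is the one from the post.

```json
{
  "cluster_permissions": [
    "cluster_monitor",
    "indices:data/write/bulk*"
  ],
  "index_permissions": [{
    "index_patterns": [
      "sem*"
    ],
    "allowed_actions": ["*"]
  }]
}
```

The separate failure of `_cat/aliases/sem*` is a different check (`indices:admin/aliases/get`), so this role body addresses only the indexing case.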