ISM and security permissions

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.11.1

Describe the issue:
I have assigned the index_permissions to a role and assigned the role to an ID. From roles.yml, the permissions are:
index_permissions:
  - index_patterns:
      - '.opendistro-alerting*'
      - '.opendistro-reports*'
      - '.opendistro-ism*'
    allowed_actions:
      - 'manage_aliases'
      - 'indices_monitor'
      - 'indices:admin/aliases'
      - 'indices:admin/get'
      - 'indices:admin/create'
      - 'indices:admin/template/get'
      - 'indices:admin/index_template/get*'
      - 'indices:admin/data_stream/get*'
      - 'indices:admin/aliases/get*'
But when I use this ID to try to access templates, data-stream, or aliases, I see the error message:
[security_exception] no permissions for [indices:admin/index_template/get] …

What other permissions am I missing?

Configuration:
Linux
Chrome

Relevant Logs or Screenshots:

Hi @CarolynR ,

Could you please try changing indices:admin/index_template/get* to indices:admin/index_template/get ?

I am pretty sure I have tried that in the past, but just tried it again and still see the same problem. I get similar messages when an ID with this role tries to access details for data streams and aliases.

Could you please send an example of your request? How did you install OpenSearch?

Could you please share the output of the following command?

GET _plugins/_security/api/roles/<your-role-name>

The output of the command:
GET _plugins/_security/api/roles/zdapui_admin
is:
{
  "zdapui_admin": {
    "reserved": true,
    "hidden": false,
    "cluster_permissions": [
      "cluster_composite_ops",
      "cluster_monitor",
      "cluster:admin/opendistro/alerting/*",
      "cluster:admin/opendistro/reports/*",
      "cluster:admin/opensearch/notifications/*",
      "cluster:admin/opensearch/ql/datasources/read",
      "cluster:admin/opendistro/ism/policy/search",
      "cluster:admin/opendistro/ism/policy/get",
      "cluster:admin/opendistro/ism/managedindex/explain",
      "cluster:admin/component_template/get",
      "cluster:admin/opendistro/rollup/get/*",
      "cluster:admin/opendistro/transform/get/*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          ".opendistro-alerting*",
          ".opendistro-reports*",
          ".opendistro-ism*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices_monitor",
          "indices:admin/get",
          "indices:admin/create",
          "indices:admin/index_template/get",
          "indices:admin/data_stream/get",
          "indices:admin/aliases/get"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}

OpenSearch is installed in a docker container. After assigning the zdapui_admin role to the id, I go to the ISM dashboard and click on Data streams. The message
[security_exception] no permissions for [indices:admin/data_stream/get] …
is then displayed.

Hi @CarolynR,

Could you please send an example URL or a screenshot of your ISM dashboard? What OpenSearch logs do you have when this message is displayed?

Also, please check if your indexes are in the list of system indexes:

I found that the specified index permissions only apply to the specified index patterns. If I need general index permissions for a role, they need to be specified in a different manner.

Also, I found that despite that name, the “indices:admin/index_template/get” needs to be specified as a cluster permission.

May I request that the documentation for the permissions be reviewed and fleshed out more?
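
The two findings in the last post, as an added example that is not part of the thread and is not OpenSearch's own code: a simplified Python model of where a role's actions are looked up, run against an abridged copy of the posted role. The `CLUSTER_SCOPED` list, the `logs-app` index name and the `FIXED` role are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumption taken from this thread's finding: these "indices:" actions are
# evaluated as cluster permissions. The list is illustrative, not exhaustive.
CLUSTER_SCOPED = ("indices:admin/index_template/",)

def any_match(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)

def explain(role, action, index=""):
    """Simplified model of the lookup; action groups are not expanded."""
    blocks = role.get("index_permissions", [])
    if action.startswith(CLUSTER_SCOPED):
        if any_match(role.get("cluster_permissions", []), action):
            return "granted"
        if any(any_match(b["allowed_actions"], action) for b in blocks):
            return "misplaced: move to cluster_permissions"
        return "missing"
    # Index-level action: it only counts inside a block whose patterns cover the index.
    holders = [b for b in blocks if any_match(b["allowed_actions"], action)]
    if any(any_match(b["index_patterns"], index) for b in holders):
        return "granted"
    if holders:
        return "out of scope: action granted, but no index pattern covers " + index
    return "missing"

# Role as posted in the thread (abridged), then a constructed corrected variant.
POSTED = {
    "cluster_permissions": ["cluster_composite_ops", "cluster_monitor"],
    "index_permissions": [{
        "index_patterns": [".opendistro-alerting*", ".opendistro-reports*", ".opendistro-ism*"],
        "allowed_actions": ["indices:admin/index_template/get",
                            "indices:admin/data_stream/get",
                            "indices:admin/aliases/get"],
    }],
}
FIXED = {
    "cluster_permissions": POSTED["cluster_permissions"] + ["indices:admin/index_template/get"],
    "index_permissions": POSTED["index_permissions"] + [{
        "index_patterns": ["*"],  # assumption: read-only metadata on every index is acceptable
        "allowed_actions": ["indices:admin/data_stream/get", "indices:admin/aliases/get"],
    }],
}

if __name__ == "__main__":
    for name, role in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "template:", explain(role, "indices:admin/index_template/get"))
        print(name, "data stream:", explain(role, "indices:admin/data_stream/get", "logs-app"))
```

The second block in `FIXED` grants only the two read-only `get` actions on `*`, so the write action `indices:admin/create` stays confined to the `.opendistro-*` patterns.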