LDAP backend group - Opensearch role permissions issue

Hi,

I am using LDAP backend groups mapped to different roles, which works fine,
but I am having a problem with permissions when a specific backend group is mapped to multiple different OpenSearch roles.

It seems like the OpenSearch role with the most restrictive permissions beats the role which has higher permissions.
Is that by design, or is there a way to overcome this?

Example:

<roles.yml>

Custom roles

Index Mgmt (view access)

With this role you can view “Discover”, “Stack Mgmt - Index Patterns” and “Index Mgmt - Indices”.

    view-all-indices:
      reserved: true
      cluster_permissions:
        - "cluster:monitor*"
        - "cluster:admin/opendistro/ism*"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "indices:admin/data_stream/get"
            - "indices:admin/resolve/index"
            - "indices:admin/aliases/get"
            - "indices:monitor/settings/get"
            - "indices:monitor/stats"
            - "indices:monitor/recovery"
            - "indices:data/read/search"

test-app-role
With this role you can view “Discover” and “Stack Mgmt - Index Patterns”,
but you cannot list indices within “Index Mgmt - Indices”:
you get an “indices:admin/aliases/get” permission error, and the only way to solve this is to change the index pattern to “*”.

    test-app-role:
      reserved: true
      cluster_permissions:
        - "cluster:monitor*"
        - "cluster:admin/opendistro/ism*"
      index_permissions:
        - index_patterns:
            - "kibana"   # pattern partly lost in the forum rendering
            - "index1*"
          allowed_actions:
            - "indices:admin*"
            - "indices:data*"
            - "indices:monitor*"
      tenant_permissions:
        - tenant_patterns:
            - "*"
          allowed_actions:
            - "*"



<roles_mapping.yml>

Custom roles_mapping

If the group is a member of both roles it still does not work.

    view-all-indices:
      reserved: true
      backend_roles:
        - "ldap_test_app_group"

    test-app-role:
      reserved: true
      backend_roles:
        - "ldap_test_app_group"

The thing is that the “test-app-role” should be able to read/write/search its own index1 AND list all other indices.
I would really appreciate it if someone is able to help with this issue.

Best Regards
//Dennis
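As an added illustration (this is not code from the thread or from the OpenSearch project), the following Python model shows how the security plugin decides an index-level action for a user who carries several roles: the index permissions of every mapped role are combined, so it is enough that one role grants the action on the index. It uses the two roles and the roles_mapping from the post above (copied here as constructed data, tenant permissions dropped) and some constructed index names. Assumptions made for the model: `*` in action names and index patterns is treated as a plain glob, action groups such as `read` are not expanded, and cluster and tenant permissions are ignored.

```python
"""Toy model of OpenSearch Security index-permission evaluation.

Added example, not the plugin's own code. Simplifications assumed here:
'*' in action names and index patterns is a plain glob, action groups are
not expanded, and cluster/tenant permissions are ignored.
"""
from fnmatch import fnmatchcase

# The two roles from the post, as a constructed copy (tenant permissions dropped).
ROLES = {
    "view-all-indices": [
        {"index_patterns": ["*"],
         "allowed_actions": [
             "indices:admin/data_stream/get",
             "indices:admin/resolve/index",
             "indices:admin/aliases/get",
             "indices:monitor/settings/get",
             "indices:monitor/stats",
             "indices:monitor/recovery",
             "indices:data/read/search",
         ]},
    ],
    "test-app-role": [
        {"index_patterns": [".kibana*", "index1*"],
         "allowed_actions": ["indices:admin*", "indices:data*", "indices:monitor*"]},
    ],
}

# roles_mapping.yml from the post: one LDAP group mapped to both roles.
ROLES_MAPPING = {
    "view-all-indices": ["ldap_test_app_group"],
    "test-app-role": ["ldap_test_app_group"],
}


def resolve_roles(backend_roles):
    """Return every OpenSearch role whose backend_roles intersect the user's groups."""
    wanted = set(backend_roles)
    return sorted(role for role, groups in ROLES_MAPPING.items() if wanted & set(groups))


def granting_roles(roles, action, index):
    """Roles (among `roles`) that allow `action` on `index`; an empty list means denied.

    Each role is checked on its own and the results are unioned, so a role with
    a narrow index pattern never takes permissions away from a broader role.
    """
    grants = []
    for role in roles:
        for perm in ROLES[role]:
            index_ok = any(fnmatchcase(index, p) for p in perm["index_patterns"])
            action_ok = any(fnmatchcase(action, a) for a in perm["allowed_actions"])
            if index_ok and action_ok:
                grants.append(role)
                break
    return grants


def is_allowed(roles, action, index):
    return bool(granting_roles(roles, action, index))


def denied_indices(roles, action, indices):
    """Indices on which `action` is denied.

    A listing such as the Index Management page runs its monitor/admin actions
    against every index, so a single denied index is enough to produce the
    'no permissions for [...]' error.
    """
    return [i for i in indices if not is_allowed(roles, action, i)]


if __name__ == "__main__":
    cluster = ["index1-2023", ".kibana_1", "logs-2023", "metrics-2023"]  # constructed names
    only_app = ["test-app-role"]
    both = resolve_roles(["ldap_test_app_group"])
    print("roles resolved for ldap_test_app_group:", both)
    # test-app-role alone cannot run indices:monitor/recovery outside index1*/.kibana*
    print("denied with test-app-role only:",
          denied_indices(only_app, "indices:monitor/recovery", cluster))
    print("denied with both roles:",
          denied_indices(both, "indices:monitor/recovery", cluster))
    # Writes stay limited to index1*: view-all-indices only adds read-only actions.
    print("write to logs-2023 with both roles:",
          is_allowed(both, "indices:data/write/index", "logs-2023"))
```

Running it with only `test-app-role` reports `logs-2023` and `metrics-2023` as denied for `indices:monitor/recovery`, which is the shape of the error the Index Management page shows; with both roles resolved from the LDAP group nothing is denied, while writes to indices other than `index1*` stay forbidden because `view-all-indices` grants read and monitor actions only.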

@denkar Have you tried .kibana or .kibana* as your index pattern in the role?

If you execute the command below, do you see only the described roles?
Could you share the output?

curl --insecure -u <test_user> -XGET https://<OpenSearch_node_FQDN_or_IP>:9200/_plugins/_security/authinfo?pretty

Hi,

test-app-role:
Added the index pattern “.kibana*” to the list and kept the “index1*”, but the test user still does not have the permission to see/list all indexes.

[2023-05-08T13:04:20,031][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch] No index-level perm match for User [name=api-test, backend_roles=[api-test]
[2023-05-08T13:04:20,031][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch] No permissions for [indices:admin/data_stream/get]

Here is the result from the above command:

    {
      "user" : "User [name=api-test, backend_roles=[api-test], requestedTenant=null]",
      "user_name" : "api-test",
      "user_requested_tenant" : null,
      "remote_address" : "10.126.2.158:58850",
      "backend_roles" : [
        "api-test"
      ],
      "custom_attribute_names" : [
        "ldap.dn",
        "attr.ldap.hasSubordinates",
        "attr.ldap.entryUUID",
        "attr.ldap.subschemaSubentry",
        "attr.ldap.createTimestamp",
        "attr.ldap.modifyTimestamp",
        "ldap.original.username",
        "attr.ldap.creatorsName",
        "attr.ldap.structuralObjectClass",
        "attr.ldap.objectClass",
        "attr.ldap.uid",
        "attr.ldap.modifiersName"
      ],
      "roles" : [
        "own_index",
        "api-test-indices"
      ],
      "tenants" : {
        "global_tenant" : false,
        "admin_tenant" : false,
        "api-test-indices" : true
      },
      "principal" : null,
      "peer_certificates" : "0",
      "sso_logout_url" : null
    }

Maybe it has something to do with the tenant config?

Best Regards
//Dennis

@denkar

I’ve tested your roles and when I use api-test role then I can’t list the indices in “Index Mgmt - Indices”. However, when both are assigned then I can list indices.

Could you share your opensearch_dashboards.yml file?

@denkar Please also share opensearch.yml.

Hi,

Here are the files.

opensearch.yml

    cluster.name: opensearch
    path.logs: /var/log/opensearch

    network.host: localhost
    http.host: 0.0.0.0
    http.port: 9200

    plugins.security.ssl.transport.pemcert_filepath: ./cert/chain.pem
    plugins.security.ssl.transport.pemkey_filepath: ./cert/privatekey.pem
    plugins.security.ssl.transport.pemtrustedcas_filepath: ./cert/ca.pem
    plugins.security.ssl.transport.enforce_hostname_verification: false
    plugins.security.ssl.http.enabled: true
    plugins.security.ssl.http.pemcert_filepath: ./cert/chain.pem
    plugins.security.ssl.http.pemkey_filepath: ./cert/privatekey.pem
    plugins.security.ssl.http.pemtrustedcas_filepath: ./cert/ca.pem
    plugins.security.ssl.http.clientauth_mode: OPTIONAL
    plugins.security.allow_default_init_securityindex: true
    plugins.security.authcz.admin_dn:
      - CN=opensearch.xxxxx.xx
    plugins.security.nodes_dn:
      - CN=opensearch.xxxxx.xx
    plugins.security.audit.type: internal_opensearch
    plugins.security.enable_snapshot_restore_privilege: true
    plugins.security.check_snapshot_restore_write_privileges: true
    plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
    plugins.security.system_indices.enabled: true
    plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
    node.max_local_storage_nodes: 3
    plugins.security.disabled: false

opensearch_dashboards.yml

    server.host: "127.0.0.1"

    opensearch.hosts: [https://opensearch.xxxxx.xx:9200]
    opensearch.ssl.verificationMode: none
    opensearch.username: kibanaserver
    opensearch.password: xxxxx
    opensearch.requestHeadersAllowlist: [ authorization,securitytenant ]

    logging.dest: /var/log/opensearch-dashboard/opensearch-dashboard.log
    logging.quiet: false

    opensearch_security.multitenancy.enabled: true
    opensearch_security.multitenancy.tenants.enable_global: true
    opensearch_security.multitenancy.tenants.enable_private: true
    opensearch_security.multitenancy.tenants.preferred: ["Global"]
    opensearch_security.readonly_mode.roles: [kibana_read_only]
    opensearch.ssl.certificateAuthorities: ["/usr/opensearch/config/cert/ca.pem"]

Do you use client certificate authentication?

Why do you need this in the opensearch_dashboards.yml? This is not required when you
have verificationMode set to none.

    opensearch.ssl.certificateAuthorities: ["/usr/opensearch/config/cert/ca.pem"]

Nope, I don't use client cert. auth.

Misplaced config…will disable it right away and try again,
thanks for helping out

Best Regards
//Dennis

Hi again,

The issue still remains even though I removed the line
opensearch.ssl.certificateAuthorities: ["/usr/opensearch/config/cert/ca.pem"] from opensearch_dashboards.yml.

When the user logs into the GUI and tries to view all the Indices under Index Mgmt the following error occurs:
“[security_exception] no permissions for [indices:monitor/recovery] and User [name=api-test, backend_roles=[api-test], requestedTenant=]”

Config from roles.yml is below:

    api-test:
      reserved: true
      cluster_permissions:
        - "cluster:monitor*"
        - "cluster:admin/opendistro/ism*"
      index_permissions:
        - index_patterns:
            - ".kibana*"
            - "index1*"
          allowed_actions:
            - "indices:admin*"
            - "indices:data*"
            - "indices:monitor*"
      tenant_permissions:
        - tenant_patterns:
            - "*"
          allowed_actions:
            - "*"

It seems like you really need to have the following in order to view all indexes?

    - index_patterns:
        - "*"

Best Regards
//Dennis

@denkar If I use only the api-test role I won’t be able to see the indices, no matter whether I have ‘*’ in index_patterns or not.

However, I’ve found that your index allowed actions didn’t work for me.

OpenSearch didn’t recognize them. I had to set the exact permissions as you had in view-all-indices role.

    allowed_actions:
    - "indices:admin/data_stream/get"
    - "indices:admin/resolve/index"
    - "indices:admin/aliases/get"
    - "indices:monitor/settings/get"
    - "indices:monitor/stats"
    - "indices:monitor/recovery"
    - "indices:data/read/search"

Then only the role with * could list the indices.

You could report it as a bug in GitHub OpenSearch security.
If you do, please share the link to the bug here.