Login Issues after applying DLS to Role

Security
1

Hi, facing the login issues after applying the DLS to a role. Currently using the OS v 2.3 and ingested the Sample Flight data and Ecommerce Data,
Role config (Cluster Permission: - * Index permission: - *)
Sample DLS query using: -
{
“bool”: {
“must”: {
“match”: {
“OriginWeather”: “Sunny”
}
}
}
}
After applying and saving the changes when I am logging from the user mapped to this role its showing: - {“statusCode”:500,“error”:“Internal Server Error”,“message”:“An internal server error occurred.”}
Help would be grateful!!!

2

@RahulShuklaJP I’ve tried to repro your issue with 2.3 and reported DLS but I didn’t get any error.

Would you mind sharing roles.yml, roles_binding.yml files and the name of the user?

Do you get this 500 error just after login?

3

Name of User: - Kamta

roles_binding.yml : -
{
“security_manager” : {
“hosts” : ,
“users” : [
“Rahul”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“readall_and_monitor” : {
“hosts” : ,
“users” : [
“Santa”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“all_access_copy” : {
“hosts” : ,
“users” : [
“Kamta”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“alerting_ack_alerts” : {
“hosts” : ,
“users” : [
“Santa”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“all_access” : {
“hosts” : ,
“users” : [
“Rahul”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“anomaly_read_access” : {
“hosts” : ,
“users” : [
“Santa”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
},
“alerting_read_access” : {
“hosts” : ,
“users” : [
“Santa”
],
“reserved” : false,
“hidden” : false,
“backend_roles” : ,
“and_backend_roles” :
}
}
roles.yml: -

{
“all_access_copy” : {
“reserved” : false,
“hidden” : false,
“cluster_permissions” : [
"
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“dls” : “”“{
“bool”: {
“must”: {
“match”: {
“OriginWeather”: “Sunny”
}
}
}
}”“”,
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
"
]
}
],
“tenant_permissions” : [
{
“tenant_patterns” : [
"
],
“allowed_actions” : [
“kibana_all_write”
]
}
],
“static” : false
},
“alerting_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster_monitor”,
“cluster:admin/opendistro/alerting/",
“cluster:admin/opensearch/notifications/feature/publish”,
“cluster:admin/opensearch/notifications/configs/get”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“indices_monitor”,
“indices:admin/aliases/get”,
“indices:admin/mappings/get”
]
}
],
“tenant_permissions” : ,
“static” : false
},
“all_access” : {
“reserved” : true,
“hidden” : false,
“description” : “Allow full access to all indices and all cluster APIs”,
“cluster_permissions” : [
"
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
"
]
}
],
“tenant_permissions” : [
{
“tenant_patterns” : [
"
],
“allowed_actions” : [
“kibana_all_write”
]
}
],
“static” : false
},
“alerting_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/alerting/alerts/get”,
“cluster:admin/opendistro/alerting/destination/get”,
“cluster:admin/opendistro/alerting/monitor/get”,
“cluster:admin/opendistro/alerting/monitor/search”,
“cluster:admin/opensearch/notifications/configs/get”
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“manage_snapshots” : {
“reserved” : false,
“hidden” : false,
“description” : “Provide the minimum permissions for managing snapshots”,
“cluster_permissions” : [
“manage_snapshots”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“indices:data/write/index”,
“indices:admin/create”
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“cross_cluster_replication_follower_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/plugins/replication/autofollow/update”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“indices:admin/plugins/replication/index/setup/validate”,
“indices:data/write/plugins/replication/changes”,
“indices:admin/plugins/replication/index/start”,
“indices:admin/plugins/replication/index/pause”,
“indices:admin/plugins/replication/index/resume”,
“indices:admin/plugins/replication/index/stop”,
“indices:admin/plugins/replication/index/update”,
“indices:admin/plugins/replication/index/status_check”
]
}
],
“tenant_permissions” : ,
“static” : false
},
“logstash” : {
“reserved” : false,
“hidden” : false,
“description” : “Provide the minimum permissions for logstash and beats”,
“cluster_permissions” : [
“cluster_monitor”,
“cluster_composite_ops”,
“indices:admin/template/get”,
“indices:admin/template/put”,
“cluster:admin/ingest/pipeline/put”,
“cluster:admin/ingest/pipeline/get”
],
“index_permissions” : [
{
“index_patterns” : [
“logstash-"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“crud”,
“create_index”
]
},
{
“index_patterns” : [
beat
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“crud”,
“create_index”
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“index_management_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/ism/managedindex/explain”,
“cluster:admin/opendistro/ism/policy/search”,
“cluster:admin/opendistro/ism/policy/get”,
“cluster:admin/opendistro/rollup/explain”,
“cluster:admin/opendistro/rollup/get”,
“cluster:admin/opendistro/rollup/search”,
“cluster:admin/opendistro/transform/explain”,
"cluster:admin/opendistro/transform/get
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“notifications_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opensearch/notifications/"
],
“index_permissions” : [ ],
“tenant_permissions” : [ ],
“static” : false
},
“notifications_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opensearch/notifications/configs/get”,
“cluster:admin/opensearch/notifications/features”,
“cluster:admin/opensearch/notifications/channels/get”
],
“index_permissions” : [ ],
“tenant_permissions” : [ ],
“static” : false
},
“cross_cluster_replication_leader_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [ ],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“indices:admin/plugins/replication/index/setup/validate”,
“indices:data/read/plugins/replication/changes”,
“indices:data/read/plugins/replication/file_chunk”
]
}
],
“tenant_permissions” : ,
“static” : false
},
“asynchronous_search_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/asynchronous_search/get”
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“index_management_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/ism/",
"cluster:admin/opendistro/rollup/”,
“cluster:admin/opendistro/transform/",
“cluster:admin/opensearch/notifications/feature/publish”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“indices:admin/opensearch/ism/"
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“readall_and_monitor” : {
“reserved” : false,
“hidden” : false,
“description” : “Provide the minimum permissions for to readall indices and monitor the cluster”,
“cluster_permissions” : [
“cluster_monitor”,
“cluster_composite_ops_ro”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“read”,
“indices_monitor”
]
}
],
“tenant_permissions” : ,
“static” : false
},
“ml_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/openserach/ml/stats/nodes”,
“cluster:admin/opensearch/ml/models/get”,
“cluster:admin/opensearch/ml/models/search”,
“cluster:admin/opensearch/ml/tasks/get”,
“cluster:admin/opensearch/ml/tasks/search”
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“anomaly_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/ad/detector/info”,
“cluster:admin/opendistro/ad/detector/search”,
“cluster:admin/opendistro/ad/detectors/get”,
“cluster:admin/opendistro/ad/result/search”
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“anomaly_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster_monitor”,
“cluster:admin/opendistro/ad/"
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“indices_monitor”,
“indices:admin/aliases/get”,
“indices:admin/mappings/get”
]
}
],
“tenant_permissions” : ,
“static” : false
},
“readall” : {
“reserved” : false,
“hidden” : false,
“description” : “Provide the minimum permissions for to readall indices”,
“cluster_permissions” : [
“cluster_composite_ops_ro”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“read”
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“opensearch_dashboards_read_only” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [ ],
“index_permissions” : [ ],
“tenant_permissions” : [ ],
“static” : false
},
“reports_instances_read_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster:admin/opendistro/reports/instance/list”,
“cluster:admin/opendistro/reports/instance/get”,
“cluster:admin/opendistro/reports/menu/download”
],
“index_permissions” : [ ],
“tenant_permissions” : [ ],
“static” : false
},
“opensearch_dashboards_user” : {
“reserved” : true,
“hidden” : false,
“description” : “Provide the minimum permissions for a kibana user”,
“cluster_permissions” : [
“cluster_composite_ops”
],
“index_permissions” : [
{
“index_patterns” : [
“.kibana”,
“.kibana-6”,
".kibana_”,
“.opensearch_dashboards”,
“.opensearch_dashboards-6”,
“.opensearch_dashboards_"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“read”,
“delete”,
“manage”,
“index”
]
},
{
“index_patterns” : [
“.tasks”,
“.management-beats”
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“indices_all”
]
}
],
“tenant_permissions” : [
{
“tenant_patterns” : [
“global_tenant”
],
“allowed_actions” : [
“kibana_all_write”
]
}
],
“static” : false
},
“security_manager” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [ ],
“index_permissions” : [ ],
“tenant_permissions” : [ ],
“static” : false
},
“asynchronous_search_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
"cluster:admin/opendistro/asynchronous_search/
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
"indices:data/read/search
]
}
],
“tenant_permissions” : ,
“static” : false
},
“ultrawarm_manager” : {
“reserved” : false,
“hidden” : false,
“description” : “Provides permissions for performing ultrawarm operations”,
“cluster_permissions” : [
“ultrawarm_cluster”,
“cluster_monitor”
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“ultrawarm_index_read”,
“ultrawarm_index_write”,
“indices_monitor”
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“ml_full_access” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
“cluster_monitor”,
"cluster:admin/opensearch/ml/
],
“index_permissions” : [
{
“index_patterns” : [
"
],
“fls” : [ ],
“masked_fields” : [ ],
“allowed_actions” : [
“indices_monitor”,
“indices:admin/aliases/get”,
“indices:admin/mappings/get”
]
}
],
“tenant_permissions” : [ ],
“static” : false
},
“alerting_ack_alerts” : {
“reserved” : true,
“hidden” : false,
“cluster_permissions” : [
"cluster:admin/opendistro/alerting/alerts/
],
“index_permissions” : ,
“tenant_permissions” : ,
“static” : false
},
“cold_manager” : {
“reserved” : false,
“hidden” : false,
“description” : “Provides permissions for performing cold operations”,
“cluster_permissions” : [
“cold_cluster”
],
“index_permissions” : [
{
“index_patterns” : [
“*”
],
“fls” : ,
“masked_fields” : ,
“allowed_actions” : [
“cold_index”
]
}
],
“tenant_permissions” : ,
“static” : false
}
}

4

Yes just after login 500 error was shown on browser screen.

5

@RahulShuklaJP I wasn’t aware that your user is assigned to a copy of the all_access role. The DLS query applies to all the indices where it should to the sample one.
You can either add second index permission with the DLS query in the all_access_role or create a separate role with DLS and assign it to the test user.