Not being able to create index_pattern when using index-name-* on odfe 1.11.0

Hi ODFErs,

I’m currently testing odfe v 1.11.0 with multitenancy support. I have created a role and mapped some users/backand-external to it. While defining the index permission i.e. crud, indices_all, index with index pattern index-name-* it doesn’t show anything to the users (only “Couldn’t find any Elasticsearch data
You’ll need to index some data into Elasticsearch before you can create an index pattern.”). But whenever I put only * with the same permission it allows users to create an index pattern.

Did someone else experience the same issue? or am I missing any of the permission/action-role to that specific index? I even tested setting up unlimited but it didn’t work either.

Thanks a lot in advance for your support.

Best,
Gezim

What you are describing sounds like this https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529

1 Like

Thanks a lot, @oscark for your reply. Indeed, it seems the same issue :frowning: . Was wondering how we can (for now) manually add that resolve permission to that role/index-permission without specifying *? I mean, in case we specify * it will allow everyone to touch other’s indices and see everything.

Is there a way to use REST API to PUT such permission to that role/index?

Will be watching the discussion on that issue as well.

Best,

“touch other’s indices and see everything” != see the index name. This is what the resolve API does Resolve index API | Elasticsearch Guide [8.4] | Elastic

I am facing the same issue. Unfortunately the link to the GitHub issue is broken, so I can’t see the full resolution. I tried doing a GET /_resolve/index/* request in the Dev Tools console and got an error that indices:admin/resolve/index is missing. Fair enough I thought, just have to add that permission. However, that permission doesn’t seem to exist.

@oscark, any idea what I might be doing wrong?

EDIT: The OpenDistro Docs do list the permission indices:admin/resolve/index, but it is not visible in my security plugin. I am using AWS Elasticsearch 7.9 (not sure how I can tell which version of OpenDistro that corresponds to).

https://github.com/opensearch-project/security-dashboards-plugin/issues/529

You can should be able to create new action group and the permission to the action group from Kibana, or you could use the API or the securityadmin.sh command.

1 Like

TL;DR: Use the API to set the required permission on the role.

In the end I ended up following the solution suggested in this post. The UX is currently broken and doesn’t allow adding this permission. It works through the API though.

1 Like

Hey @ibtehajn ,

great, thanks a lot for sharing it. Maybe we should also promote this so that this permission is allowed via Open Search Dashboards in the feature release. Not sure if this is already on the roadmap. It is must-have permission for those users who have access to their indices but can’t create their index-pattern-*.

1 Like