Not possible to create short URLs with read only permissions

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch: v2.3.0
Dashboard: v2.3.0
Server OS: AWS managed
Browser: Firefox, Edge, Chrome

Describe the issue:
Hello,

I have a few read-only users that must be able to create short URLs from the Share menu. These users have access to 1 or 2 tenants, but only in read-only mode. When they click on the Short URL button, they get the following message:
Unable to create short URL. Error: Forbidden

I tried to give them write permissions on the tenants’ index, but it doesn’t work. It only works if I give read-write permissions to the specific tenant(s) from the role. However, I don’t want the users to be able to create or modify anything other than short URLs. Is there a way to achieve that?

Thank you in advance for your help.

Lucas

Role
Cluster permissions:

  • cluster:admin/opendistro/alerting/alerts/get
  • cluster:admin/opendistro/alerting/alerts/ack
  • cluster:admin/opendistro/alerting/destination/get
  • cluster:admin/opendistro/alerting/monitor/get
  • cluster:admin/opendistro/alerting/monitor/search
  • cluster_composite_ops_ro

Index permissions:

  • * → Read
  • .tenant1_index, .tenant2_index, .kibana* → write

Tenant permissions:

  • tenant1, tenant2 → Read only

Relevant Logs or Screenshots:

@scrawfor would you have input on this?

Hi @Lucas and @kris,

Thank you for reaching out.

I looked at the code surrounding the “short URL” creation and found some information that may be helpful. Currently the Observability plugin, which controls visualization creation, only has 4 permissions. These permissions are simply get, create, update, and delete. Because these roles are so broad, it is not possible to directly apply a new set of permissions that will filter capabilities as you are requesting. You can implement controls on your end to restrict functionality, but the details of this implementation would require you to intercept and block the REST calls trying to access actions beyond the “create short URL” button you want.

I will file an issue to get some more specific permissions made so we can allow for greater configuration.

I hope this clears things up,

Stephen


Hello @scrawfor,

Thank you for your answer.

Intercepting and blocking REST API calls seems a bit overkill for this. The full links still work but it would be better to use short URLs.

I’ll wait for a software update that includes these new permissions. Meanwhile, I’ll check with my colleagues what is best to do between giving permissions to achieve that or using full URLs until we can set better permissions.

But for sure, your message cleared things up. Thanks a lot.

Regards,

Lucas

Hi!

We have the same problem. Users who only have read rights, and for good reason, cannot set short URLs. It would be good if that could be set more explicitly in the permissions.

If someone already has a good solution, we would be very happy if they share it with us 🙂

Regards,
Christian

Hello Christian,

Good to know I’m not the only one with this issue!

Unfortunately, I’m still waiting for a solution about the permissions. In the meantime, the users keep using full links instead of short URLs. Not the best, but it works.

Regards,

Lucas

@Lucas @cmah Just to let you know that @scrawfor has filed the issue in OpenSearch Security GitHub.

Please use the below link to track and comment on the issue.
