OpenSearch role creation with index wildcard is giving a security exception

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.15 version
When I create a role for a user to access the data only for a specific index, by specifying the index name like epcis_index or epcis_*, it gives a security exception "[security_exception] no permissions for [indices:monitor/settings/get]". But if I specify the index as "*" it works, though it lists out all the indexes in the system.
How can I resolve this issue?


Hi @jinoinfo ,

Have you tried adding the indices:monitor/settings/get permission to your role?

Yes, I did. Below is my role structure.
{
  "cluster_permissions": [
    "cluster:monitor/nodes/info",
    "cluster:monitor/health",
    "cluster:monitor/state",
    "cluster:monitor/main",
    "cluster:monitor/settings/get",
    "cluster:admin/opendistro/ism/managedindex/explain",
    "cluster:admin/opensearch/ql/datasources/read",
    "cluster:admin/opensearch/observability/get",
    "cluster:admin/opendistro/ism/policy/search"
  ],
  "index_permissions": [
    {
      "index_patterns": ["epcis_*"],
      "allowed_actions": ["read", "indices:monitor/settings/get", "indices:monitor/stats", "monitor", "indices:admin/data_stream/get", "indices:monitor/recovery", "indices:data/read/get", "indices:data/read/search", "indices:data/write/index", "indices:data/write/bulk[s]"]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": ["global_tenant"],
      "allowed_actions": ["kibana_all_write", "kibana_all_read"]
    }
  ]
}
This works fine if I give the index pattern as "index_patterns": ["*"],

Any help or suggestion will be very much appreciated.

Hi @jinoinfo ,

When did you receive the exception? Did the user use OpenSearch Dashboards?

Could you please run the following command and check if the exception occurs afterward?

curl -k -u "username":"password" -XGET https://localhost:9200/epcis_index/_search

Hi @Eugene7 :

When I modified the index pattern as below, basically by adding ".kibana*" along with my index (epcis*), I am able to see the index pattern and the corresponding dashboard. This was my major concern and it got resolved.
"index_patterns": [
  "epcis*",
  ".kibana*"
],
The second issue is:
When I am accessing Index Management → Indexes it is not showing this index to me; I can see the error in the console as

"response: '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:monitor/settings/get] and User [name=supplier-user-ro, backend_roles=[epcis_Index_ro], requestedTenant=]"}],"type":"security_exception","reason":"no permissions for [indices:monitor/settings/get] and User [name=supplier-user-ro, backend_roles=[epcis_Index_ro], requestedTenant=]"},"status":403}'"

Hi @jinoinfo ,

If a user needs to work with OpenSearch Dashboards, it will be better to map the user to the predefined opensearch_dashboards_user role:

@Eugene7: Yes, that simplified my task, which I was doing by adding permissions manually to my custom role.

But still, with the opensearch_dashboards_user role the same error is happening. This is not an immediate concern for me, but I wanted to see whether that security exception is resolvable, so that the user will not see any security exception.

I really appreciate your constant help on this topic

Some of the permissions that were added to your role do not exist. I have attached the screenshots below.

Could you please share the output of the following commands?

curl -k -u <admin-username>:<admin-password> -XGET https://localhost:9200/_plugins/_security/api/rolesmapping/<your-role-name>

curl -k -u <admin-username>:<admin-password> -XGET https://localhost:9200/_plugins/_security/api/internalusers/<username>

Also, please try to map your user with the kibana_user role.

Response for curl -k -u : -XGET https://localhost:9200/_plugins/_security/api/rolesmapping/

{
  "epcis_Index_ro": {
    "hosts": [],
    "users": [
      "supplier-user-ro"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "epcis_Index_ro"
    ],
    "and_backend_roles": []
  }
}

Response for curl -k -u : -XGET https://localhost:9200/_plugins/_security/api/internalusers/

{
  "supplier-user-ro": {
    "hash": "",
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "epcis_index_ro"
    ],
    "attributes": {},
    "opendistro_security_roles": [],
    "static": false
  }
}

I have noticed a difference between the backend role in the role mapping and the backend role for the user. Can you please change it so that each symbol is the same in the backend_roles parameter?

Are you saying the difference is
"backend_roles": [
  "epcis_Index_ro"
],
"and_backend_roles": []
}
I am not sure why it is coming additionally.

The backend role must be the same for both the role mapping and the user. The current value of the backend role for the user is epcis_index_ro. The value of the backend role for the role mapping is epcis_Index_ro. There is a difference in the "i" character.

Could you please change it so that the backend role is the same for both the role mapping and the user?
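The case mismatch that caused this thread is easy to miss by eye. The following script, added here as an example (not from the thread or the OpenSearch project), takes the decoded JSON of the two security API responses quoted above and reports backend roles that differ only in case; the embedded sample data is constructed from the responses posted in the thread.

```python
import json
import sys

# Constructed sample data shaped like the two security API replies in the thread:
# GET /_plugins/_security/api/rolesmapping/<role> and /internalusers/<user>
ROLESMAPPING = {
    "epcis_Index_ro": {
        "hosts": [], "users": ["supplier-user-ro"], "reserved": False,
        "hidden": False, "backend_roles": ["epcis_Index_ro"], "and_backend_roles": [],
    }
}
INTERNALUSERS = {
    "supplier-user-ro": {
        "hash": "", "reserved": False, "hidden": False,
        "backend_roles": ["epcis_index_ro"], "attributes": {},
        "opendistro_security_roles": [], "static": False,
    }
}


def find_backend_role_mismatches(rolesmapping, internalusers):
    """Return (role, user, user_backend_role, mapping_backend_role) tuples for
    every user whose backend roles match a role mapping only case-insensitively.
    The security plugin compares backend roles exactly, so such a user is NOT
    granted the role; users with an exact match are skipped."""
    findings = []
    for role, mapping in rolesmapping.items():
        wanted = set(mapping.get("backend_roles", []))
        for user, spec in internalusers.items():
            have = set(spec.get("backend_roles", []))
            if wanted & have:
                continue  # at least one exact match: the mapping applies
            for w in sorted(wanted):
                for h in sorted(have):
                    if h.lower() == w.lower():
                        findings.append((role, user, h, w))
    return findings


if __name__ == "__main__":
    # Usage: python check_roles.py rolesmapping.json internalusers.json
    # (save the output of the two curl commands from the thread to those files)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            rm, iu = json.load(f), json.load(g)
    else:
        rm, iu = ROLESMAPPING, INTERNALUSERS
    for role, user, have, want in find_backend_role_mismatches(rm, iu):
        print(f"user {user!r} has backend role {have!r} but mapping for {role!r} expects {want!r}")
```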