Permission denied Error message is not displayed in Dashboard

Chandana_EP · May 3, 2023, 12:36am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Opensearch v2.6.0

Describe the issue:
I have created a user with limited permissions to access some index patterns. After logging in with the above created user credentials, accessing index patterns to which it doesn’t have permission is giving ‘SEARCH ERROR’ instead of ‘PERMISSION ERROR’.

Relevant Logs or Screenshots:

{“log”:{“message”:“[security_exception]: no permissions for [indices:data/read/search] and User [name=chandana, backend_roles=[offline_access, ep-role, uma_authorization, kibanauser, default-roles-bssc], requestedTenant=null]”},“extension”:{“type”:“log”,“tags”:[“error”,“opensearch”,“data”],“pid”:146},“type”:“log”,“level”:“info”,“system”:“BSSC”,“systemid”:“3363716ae1c447e5b0ca626c6a0bf536”,“host”:“sa-bssc-dashboards-664f8c4db7-8gl79.sanjay”,“timezone”:“UTC”,“time”:“2023-04-26T16:40:26Z”}

Gsmitt · May 3, 2023, 3:54am

Hey @Chandana_EP

I had that happen to myself. What I did was using my “admin” account , I created a new role and a action/permission group that were needed. Mapped the user/s to the role and added the ActionGroup to that role under Cluster permissions. I have found this to be easiest way for myself specially when adding more users to the same tenant.

EDIT: I forgot to say, I noticed when i do not map the user, it seams to default to the role “own_index”.

Here is an example of someusers mapped with full access.

subha_1 · September 11, 2023, 10:24am

hi,
The above issue is still persisting with Opensearch v2.9.0 version.
I have created a user with limited permissions to access certain index patterns. After logging in with the above created user credentials, accessing index patterns to which it doesn’t have permission is giving ‘SEARCH ERROR’ instead of ‘PERMISSION ERROR’.

pablo · October 6, 2023, 6:06pm

@subha_1 Would you like to have “PERMISSION ERROR” message or an empty result with no error when the user has no privileges to the index?

If you’re looking for the second option then below lines should solve it for you.

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true

subha_1 · November 29, 2023, 12:40pm

hi,
i have tried below configuration for opensearch version 2.11.0. and when I try to deploy using helm charts, and see below error, could you please help with this issue -

Populate config from /etc/opensearch/securityconfig/
ERR: Seems /etc/opensearch/securityconfig/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "do_not_fail_on_forbidden" (class org.opensearch.security.securityconf.impl.v7.ConfigV7$Kibana), not marked as ignorable (6 known properties: "server_username", "private_tenant_enabled", "multitenancy_enabled", "index", "default_tenant", "opendistro_role"])
at [Source: UNKNOWN; line: 1, column: 109] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["config"]->org.opensearch.security.securityconf.impl.v7.ConfigV7["dynamic"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Dynamic["kibana"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Kibana["do_not_fail_on_forbidden"])

shivani · November 30, 2023, 2:20pm

Hi @pablo

IMO, it would be better if it displays a ‘Permission error’, than having no error at all.

Infact, that was the case with older releases with Opendistro.

When the same issue was reproduced with kibana:7.8.0 and opendistro-security:1.9.0, it gave a permission error.

Shall we raise this as an issue in github?

subha_1 · December 4, 2023, 5:38pm

hi @pablo
I have deployed opensearch dashboard with below configuration as suggested by you.

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true

But, after logging in with created user credentials, accessing an indexpattern using a user which has limited permissions I get “No results match your search criteria”, I expect that it would display a permission error rather showing permission error.

pablo · December 4, 2023, 8:27pm

What do you mean by that?

subha_1 · March 14, 2024, 10:39am

Hi @pablo
Sorry for a delayed response.
I have deployed opensearch dashboard with below configuration as suggested by you.

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true

But, after logging in with created user credentials, accessing an indexpattern using a user which has limited permissions I get “No results match your search criteria”, I expect that it would display a permission error rather showing “No results match your search criteria”.
This issue is observed on ELK version 2.12.0 version.

pablo · March 21, 2024, 1:15am

Try removing this option or setting it to false.

Topic		Replies	Views
Permission Issue Setting Up Dashboards Security	2	1060	December 23, 2021
403 Forbidden error on /api/saved_objects/_find?fields=title&per_page=10000&type=index-pattern Security troubleshoot , configure	16	107	October 25, 2024
Permission errors on indices:data/read/search[can_match] Security	2	515	October 20, 2022
On applying DLS in role configuraiton, not able to see index pattern and dashboard details Security troubleshoot	8	47	July 12, 2024
Unrecognized Security Exceptions Security configure	2	660	February 24, 2022

Permission denied Error message is not displayed in Dashboard

Related topics