Describe the issue:
I have created a user with limited permissions to access some index patterns. After logging in with the above created user credentials, accessing index patterns to which it doesn’t have permission is giving ‘SEARCH ERROR’ instead of ‘PERMISSION ERROR’.
Relevant Logs or Screenshots:
{“log”:{“message”:“[security_exception]: no permissions for [indices:data/read/search] and User [name=chandana, backend_roles=[offline_access, ep-role, uma_authorization, kibanauser, default-roles-bssc], requestedTenant=null]”},“extension”:{“type”:“log”,“tags”:[“error”,“opensearch”,“data”],“pid”:146},“type”:“log”,“level”:“info”,“system”:“BSSC”,“systemid”:“3363716ae1c447e5b0ca626c6a0bf536”,“host”:“sa-bssc-dashboards-664f8c4db7-8gl79.sanjay”,“timezone”:“UTC”,“time”:“2023-04-26T16:40:26Z”}
I had that happen to myself. What I did was using my “admin” account , I created a new role and a action/permission group that were needed. Mapped the user/s to the role and added the ActionGroup to that role under Cluster permissions. I have found this to be easiest way for myself specially when adding more users to the same tenant.
EDIT: I forgot to say, I noticed when i do not map the user, it seams to default to the role “own_index”.
Here is an example of someusers mapped with full access.
hi,
The above issue is still persisting with Opensearch v2.9.0 version.
I have created a user with limited permissions to access certain index patterns. After logging in with the above created user credentials, accessing index patterns to which it doesn’t have permission is giving ‘SEARCH ERROR’ instead of ‘PERMISSION ERROR’.
hi,
i have tried below configuration for opensearch version 2.11.0. and when I try to deploy using helm charts, and see below error, could you please help with this issue -
Populate config from /etc/opensearch/securityconfig/
ERR: Seems /etc/opensearch/securityconfig/config.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "do_not_fail_on_forbidden" (class org.opensearch.security.securityconf.impl.v7.ConfigV7$Kibana), not marked as ignorable (6 known properties: "server_username", "private_tenant_enabled", "multitenancy_enabled", "index", "default_tenant", "opendistro_role"])
at [Source: UNKNOWN; line: 1, column: 109] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["config"]->org.opensearch.security.securityconf.impl.v7.ConfigV7["dynamic"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Dynamic["kibana"]->org.opensearch.security.securityconf.impl.v7.ConfigV7$Kibana["do_not_fail_on_forbidden"])
But, after logging in with created user credentials, accessing an indexpattern using a user which has limited permissions I get “No results match your search criteria”, I expect that it would display a permission error rather showing permission error.
But, after logging in with created user credentials, accessing an indexpattern using a user which has limited permissions I get “No results match your search criteria”, I expect that it would display a permission error rather showing “No results match your search criteria”.
This issue is observed on ELK version 2.12.0 version.
