Permission issue while creating index

[2021-10-13T20:55:57,530][INFO ][c.a.o.s.p.PrivilegesEvaluator] [008dac2d5e029914e] No index-level perm match for User [name=admin, backend_roles=[admin], requestedTenant= user ] Resolved [aliases=[ ], allIndices=[ ], types=[ ], originalRequested=[ ], remoteIndices=] [Action [indices:data/read/search]] [RolesChecked [own_index]]

I am facing this issue. Below are the permissions mentioned in the roles.yml file for the admin role.

allowed_actions:
  - "indices:*"
  - "indices:admin/create"
  - "indices:admin/resolve/index"
  - "indices:monitor/*"
  - "indices:admin/*"
  - "indices:admin/create"
  - "indices:admin/mapping/put"
  - "indices:admin/aliases*"
  - "indices:data/*"
  - "indices:data/write*"
  - "indices:admin/mapping/put"
  - "indices:data/read*"
  - "indices:admin/mappings/fields/get*"
  - "indices:data/write/delete*"
  - "indices:data/read/search*"
  - "indices:data/read/msearch*"
  - "indices:data/read/suggest*"
  - "indices:data/write/index*"
  - "indices:data/write/update*"
  - "indices:admin/mapping/put"
  - "indices:data/write/bulk*"
  - "indices:data/read/get*"
  - "indices:data/read/mget*"
  - "indices:data/read/mget"
  - "indices:data/read/msearch"
  - "indices:data/read/mtv"
  - "indices:admin/aliases/exists*"
  - "indices:admin/aliases/get*"
  - "indices:data/read/scroll"
  - "indices:data/write/bulk"
  - "indices:admin/aliases*"
  - "indices:data/write/reindex"
static: false

Even though there is a permission mentioned for the action "indices:data/read/search", I am getting this error while trying to create an index. Could you help me with this issue and guide me to the part where I am making a mistake?

I have raised an issue in GitHub and the link for the same is,
https://github.com/opendistro-for-elasticsearch/opendistro-build/issues/788
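As an added example (not code from the thread or from the Open Distro project), the following Python parses "No index-level perm match" lines from the security plugin's PrivilegesEvaluator logger into structured fields and flags the gap that matters for triage: a user whose backend role should map to a privileged security role, but for whom that role was never evaluated ("RolesChecked"). The first sample line is the one quoted above; the other two lines and the expected-roles table are constructed for illustration.

```python
"""Parse Open Distro security "No index-level perm match" INFO lines.

Added example. The first sample line is the one quoted in the thread; the
second and third are constructed to show a second user and a non-matching line.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Optional, Tuple

# One denial line as written by c.a.o.s.p.PrivilegesEvaluator. The "Resolved [...]"
# part contains nested brackets, so it is skipped lazily up to "[Action [".
DENY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*"
    r"\[(?P<node>[^\]]+)\]\s*No index-level perm match for User \["
    r"name=(?P<user>[^,\]]+), backend_roles=\[(?P<backend>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\]"
    r"\s*\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

SAMPLE_LOG_LINES = [
    # Quoted in the thread.
    "[2021-10-13T20:55:57,530][INFO ][c.a.o.s.p.PrivilegesEvaluator] [008dac2d5e029914e] "
    "No index-level perm match for User [name=admin, backend_roles=[admin], requestedTenant= user ] "
    "Resolved [aliases=[ ], allIndices=[ ], types=[ ], originalRequested=[ ], remoteIndices=] "
    "[Action [indices:data/read/search]] [RolesChecked [own_index]]",
    # Constructed: the kibanaserver user, which has no backend roles.
    "[2021-10-13T20:55:58,101][INFO ][c.a.o.s.p.PrivilegesEvaluator] [008dac2d5e029914e] "
    "No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] "
    "Resolved [aliases=[ ], allIndices=[.kibana], types=[ ], originalRequested=[ ], remoteIndices=] "
    "[Action [indices:data/read/get]] [RolesChecked [own_index]]",
    # Constructed: an unrelated INFO line that must be ignored.
    "[2021-10-13T20:56:01,002][INFO ][o.e.c.m.MetadataCreateIndexService] [008dac2d5e029914e] "
    "[test-index] creating index",
]

# Which security roles a backend role is expected to map to (assumption: the
# default roles_mapping.yml maps backend role "admin" to all_access).
EXPECTED_ROLES_BY_BACKEND_ROLE: Dict[str, Tuple[str, ...]] = {"admin": ("all_access",)}


@dataclass
class DenyEvent:
    timestamp: str
    node: str
    user: str
    backend_roles: List[str]
    action: str
    roles_checked: List[str]


def _split_list(raw: str) -> List[str]:
    """Turn 'a, b' (or '') from inside [...] into a clean list."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def parse_deny_line(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a 'No index-level perm match' line, else None."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return DenyEvent(
        timestamp=m["ts"], node=m["node"], user=m["user"],
        backend_roles=_split_list(m["backend"]),
        action=m["action"], roles_checked=_split_list(m["roles"]),
    )


def missing_expected_roles(event: DenyEvent,
                           expected_by_backend_role: Mapping[str, Iterable[str]]) -> List[str]:
    """Roles the user's backend roles should have produced but that the plugin
    never evaluated: the roles_mapping gap this thread ends up diagnosing."""
    expected = set()
    for backend_role in event.backend_roles:
        expected.update(expected_by_backend_role.get(backend_role, ()))
    return sorted(expected - set(event.roles_checked))


def summarize(lines: Iterable[str], expected_by_backend_role: Mapping[str, Iterable[str]]):
    """Parse all lines; count denials per (user, action) and report mapping gaps per user."""
    events = [e for e in map(parse_deny_line, lines) if e is not None]
    denied = Counter((e.user, e.action) for e in events)
    gaps = {e.user: missing_expected_roles(e, expected_by_backend_role) for e in events}
    return events, denied, gaps


if __name__ == "__main__":
    _, denied, gaps = summarize(SAMPLE_LOG_LINES, EXPECTED_ROLES_BY_BACKEND_ROLE)
    for (user, action), n in denied.items():
        print(f"{user:14s} {action:30s} denied {n}x; roles never evaluated: {gaps[user]}")
```

Run against the real log file instead of SAMPLE_LOG_LINES to see which users are hitting denials and whether their expected roles were ever in play; a non-empty gap for a user points at roles_mapping.yml rather than at allowed_actions in roles.yml.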

@rizwan_kn Is your issue related to admin or kibanaserver user?

Have you made any modifications to the admin user or created an admin role?

Hi @pablo , I am facing the same issue for admin as well as kibanaserver user.

I have created a role for admin and attached the above-mentioned permissions.

@rizwan_kn What is the purpose of creating an admin role? That is already built-in.

@pablo We were trying with kibana user first, but we got the error then we tried with Admin. So with the default Admin role also we got the same error so we added more permissions to Admin. That’s the reason extra permissions were added to Admin.

The error we are getting is the same for the Kibana user and Admin, so if you can help us with the Kibana user also, it's totally fine. But the reason for modifying the Admin is as mentioned above.

@rizwan_kn Let’s start with the admin. Does your admin user configuration look like that?

@rizwan_kn One more question, did you lose any functionality in your environment?
The messages regarding kibanaserver and admin users are just INFO level.

@rizwan_kn Can you share your config.yml file?

I am not able to view anything inside Security. It is not clickable.

---

# This is the main Open Distro Security configuration file where authentication
# and authorization is defined.
#
# You need to configure at least one authentication domain in the authc of this file.
# An authentication domain is responsible for extracting the user credentials from
# the request and for validating them against an authentication backend like Active Directory for example.
#
# If more than one authentication domain is configured the first one which succeeds wins.
# If all authentication domains fail then the request is unauthenticated.
# In this case an exception is thrown and/or the HTTP status is set to 401.
#
# After authentication authorization (authz) will be applied. There can be zero or more authorizers which collect
# the roles from a given backend for the authenticated user.
#
# Both, authc and auth can be enabled/disabled separately for REST and TRANSPORT layer. Default is true for both.
#        http_enabled: true
#        transport_enabled: true
#
# For HTTP it is possible to allow anonymous authentication. If that is the case then the HTTP authenticators try to
# find user credentials in the HTTP request. If credentials are found then the user gets regularly authenticated.
# If none can be found the user will be authenticated as an "anonymous" user. This user has always the username "anonymous"
# and one role named "anonymous_backendrole".
# If you enable anonymous authentication all HTTP authenticators will not challenge.
#
#
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
#
# Default value of the challenge flag is true.
#
#
# HTTP
#   basic (challenging)
#   proxy (not challenging, needs xff)
#   kerberos (challenging)
#   clientcert (not challenging, needs https)
#   jwt (not challenging)
#   host (not challenging) #DEPRECATED, will be removed in a future version.
#                          host based authentication is configurable in roles_mapping

# Authc
#   internal
#   noop
#   ldap

# Authz
#   ldap
#   noop



_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
    # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
    # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
    #filtered_alias_mode: warn
    #do_not_fail_on_forbidden: false
    #kibana:
    # Kibana multitenancy
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
            - ****-****.****.com:3268
            - ****-****.****.com:3268
            bind_dn: 'CN=,OU=ApplicationIDs,DC=****,DC=com'
            password:
            userbase: 'OU=****,OU=Common,OU=Users,OU=****,DC=****,DC=com'
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: cn
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: false
            hosts:
            - ****-****.****.com:3268
            - ****-****.****.com:3268
            bind_dn: 'CN=,OU=ApplicationIDs,DC=****,DC=com'
            password:
            userbase: 'OU=ApplicationIDs,DC=****,DC=com'
            rolebase: 'OU=Security Groups,DC=****,DC=com'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            #userrolename: disabled
            userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(uid={0})'
            # Skip users matching a user name, a wildcard or a regex pattern
            #skip_users:
            #  - 'cn=Michael Jackson,ou*people,o=TEST'
            #  - '/\S*/'
     
          #config goes here ...
  #    auth_failure_listeners:
  #      ip_rate_limiting:
  #        type: ip
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000
  #      internal_authentication_backend_limiting:
  #        type: username
  #        authentication_backend: intern
  #        allowed_tries: 10
  #        time_window_seconds: 3600
  #        block_expiry_seconds: 600
  #        max_blocked_clients: 100000
  #        max_tracked_clients: 100000




The above is the config.yml file.

@rizwan_kn Can you DM all below files?


@pablo I am not able to send personal message to you.

@rizwan_kn Did you get this resolved?

Based on your initial message, it would seem that the admin user is not being mapped to the all_access role, but only to own_index, which explains why there is no permission for creating an index.

To verify this, can you run the below command and post the result here:

curl -XGET "https://localhost:9200/_plugins/_security/authinfo?pretty" -uadmin:admin -k

(assuming the default password wasn’t changed)

Hi @Anthony,
I ran the command and got the following results,

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "Unexpected exception indices:data/read/get"
      }
    ],
    "type" : "security_exception",
    "reason" : "Unexpected exception indices:data/read/get"
  },
  "status" : 500
}

@rizwan_kn I presumed you were running OpenSearch. If you are still on Open Distro, try calling the below endpoint with the same parameters:
_opendistro/_security/authinfo?pretty

So complete command:
curl -XGET "https://localhost:9200/_opendistro/_security/authinfo?pretty" -uadmin:admin -k

@Anthony I got the following output,

{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "x.x.x.x:x",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index"
  ],
  "tenants" : {
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

@rizwan_kn Yes, this confirms the issue: the role is not being mapped to all_access.

Can you add the below to roles_mapping.yml and submit the changes with the securityadmin.sh script?

all_access:
  reserved: false
  backend_roles:
  - "admin"
  description: "Maps admin to all_access"

Once that's done, please re-run the authinfo command and post the output.
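To make the diagnosis above concrete, here is an added example (not code from the thread or from the Open Distro project) that resolves a user's security roles from a roles_mapping table the way the plugin does, and checks an authinfo response for a required role. The mapping table is written as the Python equivalent of roles_mapping.yml so no YAML library is needed; the own_index and kibana_server entries are assumed to be the Open Distro defaults, all_access is the entry posted above, and the two authinfo documents are built from the values shown in this thread.

```python
"""Resolve roles_mapping.yml entries for a user and check authinfo output.

Added example. Mapping semantics implemented here (assumption about the
plugin): a role is granted when the user name matches a `users` pattern, when
any held backend role is listed in `backend_roles`, or when every entry of
`and_backend_roles` is held.
"""
import fnmatch
import json
from typing import Iterable, List, Mapping, Set

# roles_mapping.yml before the fix: assumed Open Distro defaults for own_index
# (users: ["*"]) and kibana_server; no mapping for all_access.
ROLES_MAPPING_BEFORE = {
    "own_index": {
        "reserved": False,
        "users": ["*"],
        "description": "Allow full access to an index named like the username",
    },
    "kibana_server": {"reserved": True, "users": ["kibanaserver"]},
}

# After adding the snippet posted in the thread.
ROLES_MAPPING_AFTER = dict(
    ROLES_MAPPING_BEFORE,
    all_access={
        "reserved": False,
        "backend_roles": ["admin"],
        "description": "Maps admin to all_access",
    },
)

# authinfo responses, reduced to the fields that matter, from the thread.
AUTHINFO_BEFORE = json.dumps({
    "user_name": "admin", "backend_roles": ["admin"],
    "roles": ["own_index"], "tenants": {"admin": True},
})
AUTHINFO_AFTER = json.dumps({
    "user_name": "admin", "backend_roles": ["admin"],
    "roles": ["all_access", "own_index"],
    "tenants": {"global_tenant": True, "admin_tenant": True, "admin": True},
})


def resolve_roles(user: str, backend_roles: Iterable[str],
                  roles_mapping: Mapping[str, Mapping]) -> List[str]:
    """Security roles the mapping grants to `user` holding `backend_roles`."""
    held: Set[str] = set(backend_roles)
    granted: Set[str] = set()
    for role, rule in roles_mapping.items():
        if any(fnmatch.fnmatchcase(user, pat) for pat in rule.get("users", [])):
            granted.add(role)
        elif held & set(rule.get("backend_roles", [])):
            granted.add(role)
        elif rule.get("and_backend_roles") and set(rule["and_backend_roles"]) <= held:
            granted.add(role)
    return sorted(granted)


def missing_roles(authinfo_json: str, required: Iterable[str]) -> List[str]:
    """Required roles absent from an authinfo response's "roles" array."""
    have = set(json.loads(authinfo_json).get("roles", []))
    return sorted(set(required) - have)


def authinfo_has_role(authinfo_json: str, role: str) -> bool:
    return not missing_roles(authinfo_json, [role])


if __name__ == "__main__":
    for label, mapping in (("before", ROLES_MAPPING_BEFORE), ("after", ROLES_MAPPING_AFTER)):
        print(label, "admin ->", resolve_roles("admin", ["admin"], mapping))
    print("authinfo before, missing:", missing_roles(AUTHINFO_BEFORE, ["all_access"]))
    print("authinfo after,  missing:", missing_roles(AUTHINFO_AFTER, ["all_access"]))
```

The point of keeping the two views side by side is that roles.yml (what a role may do) and roles_mapping.yml (who gets the role) fail independently: adding actions to all_access, as the first post did, changes nothing while the admin backend role is not mapped to it, and the authinfo "roles" array is the quickest place to tell the two apart.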

Hi @Anthony I added the above role mapping and the following is the output,

{
  "user" : "User [name=admin, backend_roles=[admin], requestedTenant=null]",
  "user_name" : "admin",
  "user_requested_tenant" : null,
  "remote_address" : "x.x.x.x:x",
  "backend_roles" : [
    "admin"
  ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "all_access",
    "own_index"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "admin" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

I am able to view the security page now.

@rizwan_kn Are there any other issues?

Hi @Anthony,
Thank you, my permission issue is resolved now.

I had one more query, currently we are using the opendistroforelasticsearch-1.9.0. We need to upgrade it to opendistroforelasticsearch-1.13.3.

We currently follow the RPM package method mentioned in the following documentation,
RPM - Open Distro Documentation.

We also install opendistroforelasticsearch-kibana-1.9.0 from the same yum repository.

The issue is that opendistroforelasticsearch-1.13.3 is not available in the yum repository. What would be the best way to upgrade to the latest opendistroforelasticsearch and opendistroforelasticsearch-kibana?