Permission on Indices

Hi i have set permission on following ( Opendistro: 1.9 )

PUT _opendistro/_security/api/roles/user_demon
{
  "cluster_permissions": [
    "cluster_composite_ops",
    "cluster:monitor/main",
    "cluster:monitor/health",
    "cluster:monitor/state",
    "indices:data/read/scroll*",
    "indices:admin/create"
  ],
  "index_permissions": [{
    "index_patterns": [
      "user-test-logs*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "indices_all",
      "indices:data/read/search",
      "indices:monitor/settings/get",
      "indices:monitor/stats",
      "indices:admin/template/get",
      "indices:admin/create",
      "indices:data/read/search"
    ]
  }]
}
[2021-02-27T23:20:38,546][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No permissions for [indices:admin/create]
[2021-02-27T23:20:38,582][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[], allIndices=[user-test-logs-2021.02], types=[*], originalRequested=[user-test-logs-2021.02], remoteIndices=[]] [Action [indices:admin/create]] [RolesChecked [speech_processing, user_demon, monitor_user, own_index]]
[2021-02-27T23:20:38,582][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No permissions for [indices:admin/create]
[WARN ][c.a.o.s.c.PrivilegesInterceptorImpl] [odfe-1.9_1] Tenant global_tenant is not allowed for user user_demon

I wonder which step I’m missing for the permission.

Best Regards

Hi @BlackMetalz,

the role configuration seems ok to me. Have you mapped the user to the role?

Regards,
Clifford

Yes, I did. Also I’m able to search in the index, but annoying is INFO log told me above

I’m query via Kibana
And this error also appear on user login in kibana

[WARN ][c.a.o.s.c.PrivilegesInterceptorImpl] [odfe-1.9_1] Tenant global_tenant is not allowed for user user_demon

if I update the index patterns to “*”. No Error/Warn appear, but it’s not what I want xD

Hmm, Seem like this is general / known issue:
https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529

@BlackMetalz can you explain what actions are taken prior to when the message is displayed. I just used your roles.yml and didnt see the messages (indices:admin/create) when the user was querying /_search api through dev tools - or is it during index creation? Regarding the tenant, have you enabled multi-tenacy? maybe share the kibana.yml file? I only managed to see the tenant message if the multitenacy was not enabled from kibana side.

@Anthony: I query like this via Kibana:

GET asr-data-tagging/_search
{
  "sort": [
    {
      "timeTagging": {
        "order": "desc"
      }
    }
  ], 
  "query": {
    "match_phrase_prefix": {
      "userTagging": "username"
    }
  }
}

Here is my kibana config :smiley:

server.host: 0.0.0.0
elasticsearch.hosts:
- http://IP_HOST:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: admin
elasticsearch.password: pass
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false

After query the log raised something like this:

[2021-03-01T16:09:27,130][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[], allIndices=[asr-data-tagging], types=[*], originalRequested=[asr-data-tagging], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:09:27,130][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:data/read/search]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/mappings/get]
[2021-03-01T16:10:04,343][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/aliases/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,345][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/aliases/get]

My version is oss 7.8.0
And yes i have user mapped as well :smiley:

@BlackMetalz So you get 3 errors in total.
The 2nd and 3rd make sense as those permissions were not given based on the role you provided.
The 1st however is strange, and not appearing in my local testing.
Are you able to run securityadmin.sh tool with --retrieve option and examine the extracted roles.yml file, to see if the role is indeed set up as expected in the security index? the command is below:

./securityadmin.sh -cd .../securityconfig/ -icl -nhnv -cacert .../root-ca.pem -cert .../kirk.pem -key .../kirk-key.pem -r

I used to Set permission via API / Kibana.
Well, that is log info appears but the user still able to get the output via kibana thought.
after I set Permission via API / Kibana. I export security config and look at roles.yml file in securityconfig folder and see permission still look good.
Ignore the first error, it was useless log since I’m testing permission at that time xD

Here are real errors.

[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/mappings/get]
[2021-03-01T16:10:04,343][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/aliases/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,345][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/aliases/get]

@BlackMetalz These errors make sense, as these permissions were not given, and there is a lot more happening under the hood, where permissions are being evaluated for mappings and aliases. I am not aware of a way to switch these off apart from actually giving the user those permission via role settings.

I used to give them under both cluster permission / index level permission like
“indices_all” - Action Group
“indices:*” - --…–
Or what exactly it said missing. It really made me confuse why it isn’t working if user query via kibana :upside_down_face: :upside_down_face: :upside_down_face:

@BlackMetalz from what I understand the errors refers to the rest of the aliases and indices Resolved [aliases=[*], allIndices=[*], types=[*]
Not the index you provided as you’ve seen in the original error: Resolved [aliases=[], allIndices=[asr-data-tagging], types=[*]

Yes. As it already mentions here: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529

@oscarkraemer I understand allowing all users to see all indices might be too much, but that is how Kibana is implemented. Technically, this is a Kibana index pattern implementation issue, not a security plugin issue.

@BlackMetalz does this address your question then?

Yeah, problem via kibana only. Somehow it calls another index as well. If I put “*” in index patterns. no error appears while querying via kibana

Hello, I just faced a similar issue after upgrading the cluster to ODFE 1.13.
Now users can’t create index.

If I give them rights on indices:admin/resolve/index for index-pattern: “*”, they will see all the indices when creating.
This is really a security issue, it’s really problematic and some useless noise for some users.
Can this be enhanced ? Find a workaround ?

Thanks !!!
Thi