Permission on Indices

BlackMetalz · February 27, 2021, 4:22pm

Hi i have set permission on following ( Opendistro: 1.9 )

PUT _opendistro/_security/api/roles/user_demon
{
  "cluster_permissions": [
    "cluster_composite_ops",
    "cluster:monitor/main",
    "cluster:monitor/health",
    "cluster:monitor/state",
    "indices:data/read/scroll*",
    "indices:admin/create"
  ],
  "index_permissions": [{
    "index_patterns": [
      "user-test-logs*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "indices_all",
      "indices:data/read/search",
      "indices:monitor/settings/get",
      "indices:monitor/stats",
      "indices:admin/template/get",
      "indices:admin/create",
      "indices:data/read/search"
    ]
  }]
}

[2021-02-27T23:20:38,546][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No permissions for [indices:admin/create]
[2021-02-27T23:20:38,582][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[], allIndices=[user-test-logs-2021.02], types=[*], originalRequested=[user-test-logs-2021.02], remoteIndices=[]] [Action [indices:admin/create]] [RolesChecked [speech_processing, user_demon, monitor_user, own_index]]
[2021-02-27T23:20:38,582][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe-1.9_1] No permissions for [indices:admin/create]
[WARN ][c.a.o.s.c.PrivilegesInterceptorImpl] [odfe-1.9_1] Tenant global_tenant is not allowed for user user_demon

I wonder which step I’m missing for the permission.

Best Regards

clsa · March 1, 2021, 8:14am

Hi @BlackMetalz,

the role configuration seems ok to me. Have you mapped the user to the role?

Regards,
Clifford

BlackMetalz · March 1, 2021, 8:29am

Yes, I did. Also I’m able to search in the index, but annoying is INFO log told me above

BlackMetalz · March 1, 2021, 8:30am

I’m query via Kibana
And this error also appear on user login in kibana

[WARN ][c.a.o.s.c.PrivilegesInterceptorImpl] [odfe-1.9_1] Tenant global_tenant is not allowed for user user_demon

BlackMetalz · March 1, 2021, 8:36am

if I update the index patterns to “*”. No Error/Warn appear, but it’s not what I want xD

BlackMetalz · March 1, 2021, 9:05am

Hmm, Seem like this is general / known issue:
https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529

Anthony · March 1, 2021, 1:42pm

@BlackMetalz can you explain what actions are taken prior to when the message is displayed. I just used your roles.yml and didnt see the messages (indices:admin/create) when the user was querying /_search api through dev tools - or is it during index creation? Regarding the tenant, have you enabled multi-tenacy? maybe share the kibana.yml file? I only managed to see the tenant message if the multitenacy was not enabled from kibana side.

BlackMetalz · March 1, 2021, 2:00pm

@Anthony: I query like this via Kibana:

GET asr-data-tagging/_search
{
  "sort": [
    {
      "timeTagging": {
        "order": "desc"
      }
    }
  ], 
  "query": {
    "match_phrase_prefix": {
      "userTagging": "username"
    }
  }
}

Here is my kibana config

server.host: 0.0.0.0
elasticsearch.hosts:
- http://IP_HOST:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: admin
elasticsearch.password: pass
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

opendistro_security.multitenancy.enabled: false
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false

After query the log raised something like this:

[2021-03-01T16:09:27,130][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[], allIndices=[asr-data-tagging], types=[*], originalRequested=[asr-data-tagging], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:09:27,130][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:data/read/search]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/mappings/get]
[2021-03-01T16:10:04,343][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/aliases/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,345][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/aliases/get]

My version is oss 7.8.0
And yes i have user mapped as well

Anthony · March 1, 2021, 3:03pm

@BlackMetalz So you get 3 errors in total.
The 2nd and 3rd make sense as those permissions were not given based on the role you provided.
The 1st however is strange, and not appearing in my local testing.
Are you able to run securityadmin.sh tool with --retrieve option and examine the extracted roles.yml file, to see if the role is indeed set up as expected in the security index? the command is below:

./securityadmin.sh -cd .../securityconfig/ -icl -nhnv -cacert .../root-ca.pem -cert .../kirk.pem -key .../kirk-key.pem -r

BlackMetalz · March 1, 2021, 3:07pm

I used to Set permission via API / Kibana.
Well, that is log info appears but the user still able to get the output via kibana thought.
after I set Permission via API / Kibana. I export security config and look at roles.yml file in securityconfig folder and see permission still look good.
Ignore the first error, it was useless log since I’m testing permission at that time xD

Here are real errors.

[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,338][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/mappings/get]
[2021-03-01T16:10:04,343][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No index-level perm match for User [name=user_demon, backend_roles=[user_demon], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/aliases/get]] [RolesChecked [user_demon, app_news_notify, monitor_user, own_index]]
[2021-03-01T16:10:04,345][INFO ][c.a.o.s.p.PrivilegesEvaluator] [adt-sys-es-appnotify-master-36-139] No permissions for [indices:admin/aliases/get]

Anthony · March 1, 2021, 3:11pm

@BlackMetalz These errors make sense, as these permissions were not given, and there is a lot more happening under the hood, where permissions are being evaluated for mappings and aliases. I am not aware of a way to switch these off apart from actually giving the user those permission via role settings.

BlackMetalz · March 1, 2021, 3:15pm

I used to give them under both cluster permission / index level permission like
“indices_all” - Action Group
“indices:*” - --…–
Or what exactly it said missing. It really made me confuse why it isn’t working if user query via kibana

Anthony · March 1, 2021, 3:30pm

@BlackMetalz from what I understand the errors refers to the rest of the aliases and indices Resolved [aliases=[*], allIndices=[*], types=[*]
Not the index you provided as you’ve seen in the original error: Resolved [aliases=[], allIndices=[asr-data-tagging], types=[*]

BlackMetalz · March 1, 2021, 3:36pm

Yes. As it already mentions here: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529

@oscarkraemer I understand allowing all users to see all indices might be too much, but that is how Kibana is implemented. Technically, this is a Kibana index pattern implementation issue, not a security plugin issue.

Anthony · March 1, 2021, 3:42pm

@BlackMetalz does this address your question then?

BlackMetalz · March 1, 2021, 3:47pm

Yeah, problem via kibana only. Somehow it calls another index as well. If I put “*” in index patterns. no error appears while querying via kibana

ThibaudF · April 1, 2021, 3:09pm

Hello, I just faced a similar issue after upgrading the cluster to ODFE 1.13.
Now users can’t create index.

If I give them rights on indices:admin/resolve/index for index-pattern: “*”, they will see all the indices when creating.
This is really a security issue, it’s really problematic and some useless noise for some users.
Can this be enhanced ? Find a workaround ?

Thanks !!!
Thi

Topic		Replies	Views
Security Issue: No permissions for [indices:admin/resolve/index] Security	10	12475	April 16, 2021
Security_exception] no permissions for [indices:data/read/search Security	1	2260	February 22, 2021
No permissions for [indices:admin/get] Security	1	2475	April 12, 2021
Permissions weird Security	10	767	October 9, 2023
Index Level Permission of security plugin is not working with list of indices in role Security troubleshoot	12	1100	February 18, 2024

Permission on Indices

Related topics