Permission to use PPL not visible?

dparker · June 12, 2023, 6:41pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser): 2.6.0

Describe the issue: I have a group of users that would like to use PPL both within dashboards and within grafana. They are getting

No permissions for [cluster:admin/opensearch/ppl]

When I attempt to add that permission to the role the users are under, dashboards acts as though it knows nothing about that permission. If I enter “cluster:admin/opensearch/” - the completion dropdown at that point does not show ppl anywhere, and if I type it in dashboard refuses to accept the input.

Is something mis-documented here?

Thanks

Gsmitt · June 13, 2023, 3:49am

Hey @dparker

You referring to this permissions?

dparker · June 13, 2023, 3:54pm

Yes - I don’t seem to have that:

Gsmitt · June 13, 2023, 11:42pm

Hey @dparker

Thats strange, I assume your using a admin user with full access? Did you check the Opensearch logs.

EDIT: Check plugins?

GET _cat/plugins

Should see something like this…

opensearch-alerting                  2.8.0.0
opensearch-anomaly-detection         2.8.0.0
opensearch-asynchronous-search       2.8.0.0
opensearch-cross-cluster-replication 2.8.0.0
opensearch-geospatial                2.8.0.0
opensearch-index-management          2.8.0.0
opensearch-job-scheduler             2.8.0.0
opensearch-knn                       2.8.0.0
opensearch-ml                        2.8.0.0
opensearch-neural-search             2.8.0.0
opensearch-notifications             2.8.0.0
opensearch-notifications-core        2.8.0.0
opensearch-observability             2.8.0.0
opensearch-performance-analyzer      2.8.0.0
opensearch-reports-scheduler         2.8.0.0
opensearch-security                  2.8.0.0
opensearch-security-analytics        2.8.0.0
opensearch-sql                       2.8.0.0

dparker · June 14, 2023, 4:52pm

Here’s what I’ve got (there are more nodes but they’re all the same):

Looks like I’m using an older version than you - am I out of date?

Gsmitt · June 15, 2023, 3:19am

Hey @dparker

Ive been looking at these doc’s

Version 1.3

Version 2.6

Version 2.8

I have no idea where that permission came from. Because its not even showing in the doc’s.

cluster:admin/opensearch/ppl

I would assume it came from security Plugin .

Question: Do you have HTTPS enable? if so did you execute ./securityadmin.sh ?

This is odd and I’m not sure what I did to have that Reserved Permission. Maybe someone else has a better idea what sgoing on, or you could upgrade to version 2.7.0 and/or 2.8.0 see if that helps. Im almost 100% that permission was created during my installment .

Gsmitt · June 15, 2023, 4:06am

@dparker

I did some more research

# Allows users to all PPL functionality
ppl_full_access:
  reserved: true
  cluster_permissions:
    - 'cluster:admin/opensearch/ppl'
  index_permissions:
    - index_patterns:
        - '*'
      allowed_actions:
        - 'indices:admin/mappings/get'
        - 'indices:data/read/search*'
        - 'indices:monitor/settings/get'

Found here

/etc/opensearch/opensearch-security/roles.yml

dparker · June 15, 2023, 1:36pm

@Gsmitt that’s very interesting - I see no such thing in mine. Thing is - as admin I can use PPL to my heart’s content. So the functionality is definitely there. Do you think it might “just work” if I add that section to the file and (sigh) restart ?

Gsmitt · June 15, 2023, 8:49pm

Hey @dparker

If it was my server, I would grab this file here As you can see what I post is in there. Not sure how your server was set up and configured but you may have had an old role.yml file.

I think you may need to execute the sercurity script also if you do.

hope that helps