Versions: AWS OpenSearch 2.7.0
We currently equipped our software to write different types of log data to OpenSearch. In our newest version, we are using data streams, since those fit our data and usage patterns best. However, since then we have not been able to actually write data to OpenSearch - our dataimport user gets “Unauthorized” error messages. It seems that we need to update our permissions for this dataimport role. However, I tried several combinations of permissions for data_streams on cluster or index level and nothing works.
I did stumble upon this issue: Permissions required for logstash when using data streams and thought this exactly reads like my problem, so I tried extending index permissions to the .d-* index pattern and even tried giving several permissions to the * index pattern, when the more specific pattern did not work. However, I have not been able to solve this issue.
Configuration:
Our role has the following permissions at the moment (including some ism permissions I omitted here for brevity):
{
"my_dataimport_user": {
"reserved": false,
"hidden": false,
"cluster_permissions": [
"cluster_monitor",
"cluster_composite_ops",
"indices:admin/template/get",
"indices:admin/template/put",
"cluster:admin/ingest/pipeline/put",
"cluster:admin/ingest/pipeline/get",
"indices:admin/data_stream/create",
"indices:admin/data_stream/delete",
"indices:monitor/data_stream/stats",
"indices:admin/data_stream/get",
"indices:admin/index_template/get",
"indices:admin/index_template/put"
],
"index_permissions": [
{
"index_patterns": [
"my_pattern_*"
],
"fls": [],
"masked_fields": [],
"allowed_actions": [
"crud",
"create_index",
"indices:data/write/bulk*",
"indices:data/write/delete",
"indices:data/write/update",
"indices:data/write/index",
"manage",
"indices:admin/index_template/get",
"indices:admin/data_stream/create",
"indices:admin/index_template/put",
"indices:admin/data_stream/get"
]
}
],
"tenant_permissions": [],
"static": false
}
}
As I said, I also tried the following index permissions for the .ds-* Index pattern:
indices:admin/mapping/put
indices:admin/index_template/get
indices:admin/index_template/put
indices:admin/data_stream/create
indices:admin/data_stream/get
and also tried these for the index pattern * instead to no avail.
At the same time, I tried to enable our logging service to write templates as well, which also not worked, this is why the template permissions are mixed up in these.
I would very much appreciate your help!