Problem with index permissions

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch version 2.13.0

Describe the issue:
First, I’m new to OpenSearch, so apologies in advance if I missed something obvious. Also, I should probably say that I’m using OpenSearch because it comes as the backend for the perfSONAR network monitoring software. At any rate, no data is being displayed on Grafana, which instead says that there’s an unexpected OpenSearch error. The error I see in the log file is in the logs section below: if I’m understanding correctly, it’s saying that the pscheduler_logstash user doesn’t have permission to create an index called prometheus_node. But as far as I can tell, the pscheduler_logstash role, to which the pscheduler_logstash user is mapped – the error explicitly says that it checks this role – should be configured to have index creation permissions for anything starting with prometheus_ (the relevant parts of roles.yml and roles_mapping.yml are below). In particular, according to the documentation, create_index contains the indices:admin/create action that it says it can’t do. Additionally, everything was working fine until I had to restart the server where this was running a few days ago. Any suggestion on how to deal with this problem would be much appreciated.

Configuration:
In roles_mapping.yml, the pscheduler_logstash user is mapped to the pscheduler_logstash role:

pscheduler_logstash:
  reserved: true
  users:
  - "pscheduler_logstash"

And the role is defined as follows in roles.yml:

pscheduler_logstash:
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster_manage_index_templates'
  index_permissions:
    - index_patterns:
      - 'pscheduler_*'
      - 'prometheus_*'
      allowed_actions:
      - 'write'
      - 'read'
      - 'delete'
      - 'create_index'
      - 'manage'
      - 'indices:admin/template/delete'
      - 'indices:admin/template/get'
      - 'indices:admin/template/put'

Relevant Logs or Screenshots:
[2024-07-17T18:47:22,709][INFO ][o.o.s.p.PrivilegesEvaluator] [net2ps2] No index-level perm match for User [name=pscheduler_logstash, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[prometheus_node], types=[*], originalRequested=[prometheus_node], remoteIndices=[]] [Action [indices:admin/create]] [RolesChecked [own_index, pscheduler_logstash]]

Hi @wleight,

First of all, welcome.

Would you mind sharing the outputs of:

GET _plugins/_security/api/roles
GET _plugins/_security/api/rolesmapping
GET _plugins/_security/api/securityconfig

thanks,
mj

Hi MJ, thanks for the welcome! The outputs are below. I noticed, looking at the output of the roles call, that for the pscheduler_logstash user, only the pscheduler_* index pattern is listed under its index permissions, which is presumably why I see this error. But the prometheus_* index pattern is listed in roles.yml, so I’m still confused. Is there some other place where the roles are defined where this could be overwritten?

best,

will

_plugins/_security/api/roles:

{"security_analytics_ack_alerts":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/securityanalytics/alerts/*"],"index_permissions":[],"tenant_permissions":[],"static":false},"observability_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/observability/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"kibana_user":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for a kibana user","cluster_permissions":["cluster_composite_ops"],"index_permissions":[{"index_patterns":[".kibana",".kibana-6",".kibana_*",".opensearch_dashboards",".opensearch_dashboards-6",".opensearch_dashboards_*"],"fls":[],"masked_fields":[],"allowed_actions":["read","delete","manage","index"]},{"index_patterns":[".tasks",".management-beats","*:.tasks","*:.management-beats"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]}],"tenant_permissions":[],"static":true},"own_index":{"reserved":true,"hidden":false,"description":"Allow all for indices named like the current 
user","cluster_permissions":["cluster_composite_ops"],"index_permissions":[{"index_patterns":["${user_name}"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]}],"tenant_permissions":[],"static":true},"pscheduler_writer":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[{"index_patterns":["pscheduler*"],"fls":[],"masked_fields":[],"allowed_actions":["write"]}],"tenant_permissions":[],"static":false},"opendistro_security_anonymous":{"reserved":true,"hidden":false,"cluster_permissions":["cluster_monitor"],"index_permissions":[],"tenant_permissions":[],"static":false},"alerting_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster_monitor","cluster:admin/opendistro/alerting/*","cluster:admin/opensearch/alerting/*","cluster:admin/opensearch/notifications/feature/publish"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices_monitor","indices:admin/aliases/get","indices:admin/mappings/get"]}],"tenant_permissions":[],"static":false},"snapshot_management_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/snapshot_management/policy/get","cluster:admin/opensearch/snapshot_management/policy/search","cluster:admin/opensearch/snapshot_management/policy/explain","cluster:admin/repository/get","cluster:admin/snapshot/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"all_access":{"reserved":true,"hidden":false,"description":"Allow full access to all indices and all cluster 
APIs","cluster_permissions":["*"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["*"]}],"tenant_permissions":[{"tenant_patterns":["*"],"allowed_actions":["kibana_all_write"]}],"static":true},"alerting_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/alerting/alerts/get","cluster:admin/opendistro/alerting/destination/get","cluster:admin/opendistro/alerting/monitor/get","cluster:admin/opendistro/alerting/monitor/search","cluster:admin/opensearch/alerting/findings/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"cross_cluster_replication_follower_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/plugins/replication/autofollow/update"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:admin/plugins/replication/index/setup/validate","indices:data/write/plugins/replication/changes","indices:admin/plugins/replication/index/start","indices:admin/plugins/replication/index/pause","indices:admin/plugins/replication/index/resume","indices:admin/plugins/replication/index/stop","indices:admin/plugins/replication/index/update","indices:admin/plugins/replication/index/status_check"]}],"tenant_permissions":[],"static":false},"manage_snapshots":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for managing snapshots","cluster_permissions":["manage_snapshots"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:data/write/index","indices:admin/create"]}],"tenant_permissions":[],"static":true},"logstash":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for logstash and 
beats","cluster_permissions":["cluster_monitor","cluster_composite_ops","indices:admin/template/get","indices:admin/template/put","cluster:admin/ingest/pipeline/put","cluster:admin/ingest/pipeline/get"],"index_permissions":[{"index_patterns":["logstash-*"],"fls":[],"masked_fields":[],"allowed_actions":["crud","create_index"]},{"index_patterns":["*beat*"],"fls":[],"masked_fields":[],"allowed_actions":["crud","create_index"]}],"tenant_permissions":[],"static":true},"observability_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/observability/create","cluster:admin/opensearch/observability/update","cluster:admin/opensearch/observability/delete","cluster:admin/opensearch/observability/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"point_in_time_full_access":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["manage_point_in_time"]}],"tenant_permissions":[],"static":false},"notifications_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/notifications/*"],"index_permissions":[],"tenant_permissions":[],"static":false},"notifications_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/notifications/configs/get","cluster:admin/opensearch/notifications/features","cluster:admin/opensearch/notifications/channels/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"cross_cluster_replication_leader_full_access":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:admin/plugins/replication/index/setup/validate","indices:data/read/plugins/replication/changes","indices:data/read/plugins/replication/file_chunk"]}],"tenant_permissions":[],"static":false},"security_analytics_read_access":{"reserved":true,"hidden":false
,"cluster_permissions":["cluster:admin/opensearch/securityanalytics/alerts/get","cluster:admin/opensearch/securityanalytics/detector/get","cluster:admin/opensearch/securityanalytics/detector/search","cluster:admin/opensearch/securityanalytics/findings/get","cluster:admin/opensearch/securityanalytics/mapping/get","cluster:admin/opensearch/securityanalytics/mapping/view/get","cluster:admin/opensearch/securityanalytics/rule/get","cluster:admin/opensearch/securityanalytics/rule/search"],"index_permissions":[],"tenant_permissions":[],"static":false},"security_analytics_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/securityanalytics/alerts/*","cluster:admin/opensearch/securityanalytics/detector/*","cluster:admin/opensearch/securityanalytics/findings/*","cluster:admin/opensearch/securityanalytics/mapping/*","cluster:admin/opensearch/securityanalytics/rule/*"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:admin/mapping/put","indices:admin/mappings/get"]}],"tenant_permissions":[],"static":false},"asynchronous_search_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/asynchronous_search/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"index_management_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/ism/*","cluster:admin/opendistro/rollup/*","cluster:admin/opendistro/transform/*","cluster:admin/opensearch/notifications/feature/publish"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:admin/opensearch/ism/*"]}],"tenant_permissions":[],"static":false},"readall_and_monitor":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for to readall indices and monitor the 
cluster","cluster_permissions":["cluster_monitor","cluster_composite_ops_ro"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["read"]}],"tenant_permissions":[],"static":true},"ml_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/ml/stats/nodes","cluster:admin/opensearch/ml/models/get","cluster:admin/opensearch/ml/models/search","cluster:admin/opensearch/ml/tasks/get","cluster:admin/opensearch/ml/tasks/search"],"index_permissions":[],"tenant_permissions":[],"static":false},"kibana_read_only":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[],"tenant_permissions":[],"static":false},"pscheduler_logstash":{"reserved":false,"hidden":false,"cluster_permissions":["cluster_monitor","cluster_manage_index_templates"],"index_permissions":[{"index_patterns":["pscheduler_*"],"fls":[],"masked_fields":[],"allowed_actions":["write","read","delete","create_index","manage","indices:admin/template/delete","indices:admin/template/get","indices:admin/template/put"]}],"tenant_permissions":[],"static":false},"pscheduler_reader":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[{"index_patterns":["pscheduler*"],"fls":[],"masked_fields":[],"allowed_actions":["read","indices:admin/mappings/get"]}],"tenant_permissions":[],"static":false},"reports_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/reports/definition/get","cluster:admin/opendistro/reports/definition/list","cluster:admin/opendistro/reports/instance/list","cluster:admin/opendistro/reports/instance/get","cluster:admin/opendistro/reports/menu/download"],"index_permissions":[],"tenant_permissions":[],"static":false},"anomaly_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/ad/detector/info","cluster:admin/opendistro/ad/detector/search","cluster:admin/opendistro/ad/detectors/get","cluster:admin/opendistro
/ad/result/search","cluster:admin/opendistro/ad/tasks/search","cluster:admin/opendistro/ad/detector/validate","cluster:admin/opendistro/ad/result/topAnomalies"],"index_permissions":[],"tenant_permissions":[],"static":false},"anomaly_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster_monitor","cluster:admin/opendistro/ad/*"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices_monitor","indices:admin/aliases/get","indices:admin/mappings/get"]}],"tenant_permissions":[],"static":false},"reports_instances_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/reports/instance/list","cluster:admin/opendistro/reports/instance/get","cluster:admin/opendistro/reports/menu/download"],"index_permissions":[],"tenant_permissions":[],"static":false},"snapshot_management_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opensearch/snapshot_management/*","cluster:admin/opensearch/notifications/feature/publish","cluster:admin/repository/*","cluster:admin/snapshot/*"],"index_permissions":[],"tenant_permissions":[],"static":false},"readall":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for to readall 
indices","cluster_permissions":["cluster_composite_ops_ro"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["read"]}],"tenant_permissions":[],"static":true},"asynchronous_search_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/asynchronous_search/*"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:data/read/search*"]}],"tenant_permissions":[],"static":false},"ml_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster_monitor","cluster:admin/opensearch/ml/*"],"index_permissions":[{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices_monitor"]}],"tenant_permissions":[],"static":false},"reports_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/reports/definition/create","cluster:admin/opendistro/reports/definition/update","cluster:admin/opendistro/reports/definition/on_demand","cluster:admin/opendistro/reports/definition/delete","cluster:admin/opendistro/reports/definition/get","cluster:admin/opendistro/reports/definition/list","cluster:admin/opendistro/reports/instance/list","cluster:admin/opendistro/reports/instance/get","cluster:admin/opendistro/reports/menu/download"],"index_permissions":[],"tenant_permissions":[],"static":false},"security_rest_api_access":{"reserved":true,"hidden":false,"cluster_permissions":[],"index_permissions":[],"tenant_permissions":[],"static":false},"alerting_ack_alerts":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/alerting/alerts/*"],"index_permissions":[],"tenant_permissions":[],"static":false},"kibana_server":{"reserved":true,"hidden":false,"description":"Provide the minimum permissions for the Kibana 
server","cluster_permissions":["cluster_monitor","cluster_composite_ops","manage_point_in_time","indices:admin/template*","indices:admin/index_template*","indices:data/read/scroll*"],"index_permissions":[{"index_patterns":[".kibana",".opensearch_dashboards"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]},{"index_patterns":[".kibana-6",".opensearch_dashboards-6"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]},{"index_patterns":[".kibana_*",".opensearch_dashboards_*"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]},{"index_patterns":[".tasks"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]},{"index_patterns":[".management-beats*"],"fls":[],"masked_fields":[],"allowed_actions":["indices_all"]},{"index_patterns":["*"],"fls":[],"masked_fields":[],"allowed_actions":["indices:admin/aliases*"]}],"tenant_permissions":[],"static":true},"notebooks_read_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/notebooks/list","cluster:admin/opendistro/notebooks/get"],"index_permissions":[],"tenant_permissions":[],"static":false},"notebooks_full_access":{"reserved":true,"hidden":false,"cluster_permissions":["cluster:admin/opendistro/notebooks/create","cluster:admin/opendistro/notebooks/update","cluster:admin/opendistro/notebooks/delete","cluster:admin/opendistro/notebooks/get","cluster:admin/opendistro/notebooks/list"],"index_permissions":[],"tenant_permissions":[],"static":false}

_plugins/_security/api/rolesmapping:

{"manage_snapshots":{"hosts":[],"users":[],"reserved":false,"hidden":false,"backend_roles":["snapshotrestore"],"and_backend_roles":[]},"logstash":{"hosts":[],"users":[],"reserved":false,"hidden":false,"backend_roles":["logstash"],"and_backend_roles":[]},"own_index":{"hosts":[],"users":["*"],"reserved":false,"hidden":false,"backend_roles":[],"and_backend_roles":[],"description":"Allow full access to an index named like the username"},"kibana_user":{"hosts":[],"users":[],"reserved":false,"hidden":false,"backend_roles":["kibanauser"],"and_backend_roles":[],"description":"Maps kibanauser to kibana_user"},"pscheduler_writer":{"hosts":[],"users":["pscheduler_writer"],"reserved":true,"hidden":false,"backend_roles":[],"and_backend_roles":[]},"opendistro_security_anonymous":{"hosts":[],"users":[],"reserved":true,"hidden":false,"backend_roles":["opendistro_security_anonymous_backendrole"],"and_backend_roles":[]},"pscheduler_logstash":{"hosts":[],"users":["pscheduler_logstash"],"reserved":true,"hidden":false,"backend_roles":[],"and_backend_roles":[]},"pscheduler_reader":{"hosts":[],"users":["pscheduler_reader"],"reserved":true,"hidden":false,"backend_roles":["opendistro_security_anonymous_backendrole"],"and_backend_roles":[]},"all_access":{"hosts":[],"users":[],"reserved":false,"hidden":false,"backend_roles":["admin"],"and_backend_roles":[],"description":"Maps admin to all_access"},"readall":{"hosts":[],"users":[],"reserved":false,"hidden":false,"backend_roles":["readall"],"and_backend_roles":[]},"kibana_server":{"hosts":[],"users":["kibanaserver"],"reserved":true,"hidden":false,"backend_roles":[],"and_backend_roles":[]}}

_plugins/_security/api/securityconfig:

{"config":{"dynamic":{"filtered_alias_mode":"warn","disable_rest_auth":false,"disable_intertransport_auth":false,"respect_request_indices_options":false,"kibana":{"multitenancy_enabled":true,"private_tenant_enabled":true,"default_tenant":"","server_username":"kibanaserver","index":".kibana"},"http":{"anonymous_auth_enabled":true,"xff":{"enabled":false,"internalProxies":"192\\.168\\.0\\.10|192\\.168\\.0\\.11","remoteIpHeader":"X-Forwarded-For"}},"authc":{"jwt_auth_domain":{"http_enabled":false,"order":0,"http_authenticator":{"challenge":false,"type":"jwt","config":{"signing_key":"base64 encoded HMAC key or public RSA/ECDSA pem key","jwt_header":"Authorization"}},"authentication_backend":{"type":"noop","config":{}},"description":"Authenticate via Json Web Token"},"ldap":{"http_enabled":false,"order":5,"http_authenticator":{"challenge":false,"type":"basic","config":{}},"authentication_backend":{"type":"ldap","config":{"enable_ssl":false,"enable_start_tls":false,"enable_ssl_client_auth":false,"verify_hostnames":true,"hosts":["localhost:8389"],"userbase":"ou=people,dc=example,dc=com","usersearch":"(sAMAccountName={0})"}},"description":"Authenticate via LDAP or Active Directory"},"basic_internal_auth_domain":{"http_enabled":true,"order":4,"http_authenticator":{"challenge":true,"type":"basic","config":{}},"authentication_backend":{"type":"intern","config":{}},"description":"Authenticate via HTTP Basic against internal users database"},"proxy_auth_domain":{"http_enabled":false,"order":3,"http_authenticator":{"challenge":false,"type":"proxy","config":{"user_header":"x-proxy-user","roles_header":"x-proxy-roles"}},"authentication_backend":{"type":"noop","config":{}},"description":"Authenticate via proxy"},"clientcert_auth_domain":{"http_enabled":false,"order":2,"http_authenticator":{"challenge":false,"type":"clientcert","config":{"username_attribute":"cn"}},"authentication_backend":{"type":"noop","config":{}},"description":"Authenticate via SSL client 
certificates"},"kerberos_auth_domain":{"http_enabled":false,"order":6,"http_authenticator":{"challenge":true,"type":"kerberos","config":{"krb_debug":false,"strip_realm_from_principal":true}},"authentication_backend":{"type":"noop","config":{}}}},"authz":{"roles_from_another_ldap":{"http_enabled":false,"authorization_backend":{"type":"ldap","config":{}},"description":"Authorize via another Active Directory"},"roles_from_myldap":{"http_enabled":false,"authorization_backend":{"type":"ldap","config":{"enable_ssl":false,"enable_start_tls":false,"enable_ssl_client_auth":false,"verify_hostnames":true,"hosts":["localhost:8389"],"rolebase":"ou=groups,dc=example,dc=com","rolesearch":"(member={0})","userrolename":"disabled","rolename":"cn","resolve_nested_roles":true,"userbase":"ou=people,dc=example,dc=com","usersearch":"(uid={0})"}},"description":"Authorize via LDAP or Active Directory"}},"auth_failure_listeners":{},"do_not_fail_on_forbidden":false,"multi_rolespan_enabled":true,"hosts_resolver_mode":"ip-only","do_not_fail_on_forbidden_empty":false,"on_behalf_of":{"enabled":false}}}}

Hi @wleight,

I can see you have pscheduler_logstash and the user pscheduler_logstash mapped to that role (the role should show up as the backend_roles=):

	"pscheduler_logstash": {
		"reserved": false,
		"hidden": false,
		"cluster_permissions": [
			"cluster_monitor",
			"cluster_manage_index_templates"
		],
		"index_permissions": [
			{
				"index_patterns": [
					"pscheduler_*"
				],
				"fls": [],
				"masked_fields": [],
				"allowed_actions": [
					"write",
					"read",
					"delete",
					"create_index",
					"manage",
					"indices:admin/template/delete",
					"indices:admin/template/get",
					"indices:admin/template/put"
				]
			}
		],
		"tenant_permissions": [],
		"static": false
	}

role mapping:

	"pscheduler_logstash": {
		"hosts": [],
		"users": [
			"pscheduler_logstash"
		],
		"reserved": true,
		"hidden": false,
		"backend_roles": [],
		"and_backend_roles": []
	}

Could you please share the output of:

GET _plugins/_security/api/internalusers/pscheduler_logstash?pretty

thanks,
mj

Hi MJ,
Sure, see below.

thanks,

will
{
  "pscheduler_logstash" : {
    "hash" : "",
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [ ],
    "attributes" : { },
    "description" : "pscheduler logstash user",
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}

@wleight,

All looks in order, could you check with the below if the backend_roles are mapped as expected (please share the output):

curl --insecure -u pscheduler_logstash:<password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

best,
mj

Hi MJ,

Sure, here is the output:

{
  "user" : "User [name=pscheduler_logstash, backend_roles=[], requestedTenant=null]",
  "user_name" : "pscheduler_logstash",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1:53464",
  "backend_roles" : [ ],
  "custom_attribute_names" : [ ],
  "roles" : [
    "own_index",
    "pscheduler_logstash"
  ],
  "tenants" : {
    "pscheduler_logstash" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

thanks,

will

@wleight, OK, so the role is mapped. Can you add indices:admin/create to your role as per:

pscheduler_logstash:
  cluster_permissions:
    - 'cluster_monitor'
    - 'cluster_manage_index_templates'
  index_permissions:
    - index_patterns:
      - 'pscheduler_*'
      - 'prometheus_*'
      allowed_actions:
      - 'indices:admin/create'
      - 'write'
      - 'read'
      - 'delete'
      - 'create_index'
      - 'manage'
      - 'indices:admin/template/delete'
      - 'indices:admin/template/get'
      - 'indices:admin/template/put'

best,
mj

Hi MJ, I did this and then restarted OpenSearch, but the error remains the same. My understanding, based on the documentation, was that create_index included the indices:admin/create permissions already.

Also, I noticed in the output of the API roles call that the pscheduler_logstash role doesn’t have permissions for all the indices I expected:

"pscheduler_logstash":{"reserved":false,"hidden":false,"cluster_permissions":["cluster_monitor","cluster_manage_index_templates"],"index_permissions":[{"index_patterns":["pscheduler_*"],"fls":[],"masked_fields":[],"allowed_actions":["write","read","delete","create_index","manage","indices:admin/template/delete","indices:admin/template/get","indices:admin/template/put"]}],"tenant_permissions":[],"static":false}

For some reason, only pscheduler_* is listed here, prometheus_* is missing. And sure enough, the error complains about a lack of permissions for the prometheus_node index. But I don’t understand why prometheus_* doesn’t appear here.

thanks,

will

@wleight, good call. Could you add it and run securityadmin.sh to apply the changes? See more here: Applying changes to configuration files - OpenSearch Documentation

best,
mj
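The root cause in this thread is configuration drift: roles.yml on disk says one thing, the role stored in the security index (what GET _plugins/_security/api/roles returns and what PrivilegesEvaluator actually consults) says another, and a plain restart does not reload the file. The script below is an added example, not code from the thread or from the OpenSearch project. It parses the "No index-level perm match" log line from the first post, replays the denied request against the role as written in roles.yml and against the role as the running cluster holds it, and reports the index_patterns drift between the two. The role dictionaries are constructed from the snippets posted in the thread; the action-group table is a hand-copied subset of the security plugin's static action groups and, together with the use of fnmatch as a stand-in for the plugin's wildcard matching, is an assumption of this example.

```python
"""Replay a PrivilegesEvaluator denial against on-disk vs. live role definitions.

Added example: role data is constructed from the thread; the action-group table and
the fnmatch-based wildcard matching are simplifying assumptions, not plugin code.
"""
import re
from fnmatch import fnmatchcase

# Subset of the security plugin's static action groups (constructed for this example).
ACTION_GROUPS = {
    "create_index": ["indices:admin/create", "indices:admin/auto_create"],
    "write": ["indices:data/write/index", "indices:data/write/update",
              "indices:data/write/bulk*", "indices:admin/mapping/put"],
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*",
             "indices:admin/resolve/index"],
    "delete": ["indices:data/write/delete*"],
    "manage": ["indices:monitor/*", "indices:admin/*"],
    "indices_all": ["indices:*"],
}

PSCHEDULER_ACTIONS = ["write", "read", "delete", "create_index", "manage",
                      "indices:admin/template/delete", "indices:admin/template/get",
                      "indices:admin/template/put"]

# The role as written in roles.yml in the thread (what the admin expected).
ON_DISK_ROLES = {
    "pscheduler_logstash": {"index_permissions": [
        {"index_patterns": ["pscheduler_*", "prometheus_*"], "allowed_actions": PSCHEDULER_ACTIONS}]},
}

# The roles the evaluator checked, as returned by GET _plugins/_security/api/roles.
LIVE_ROLES = {
    "own_index": {"index_permissions": [
        {"index_patterns": ["${user_name}"], "allowed_actions": ["indices_all"]}]},
    "pscheduler_logstash": {"index_permissions": [
        {"index_patterns": ["pscheduler_*"], "allowed_actions": PSCHEDULER_ACTIONS}]},
}

# Log line copied from the thread's first post.
SAMPLE_LOG_LINE = (
    "[2024-07-17T18:47:22,709][INFO ][o.o.s.p.PrivilegesEvaluator] [net2ps2] No index-level "
    "perm match for User [name=pscheduler_logstash, backend_roles=[], requestedTenant=null] "
    "Resolved [aliases=[], allIndices=[prometheus_node], types=[*], "
    "originalRequested=[prometheus_node], remoteIndices=[]] [Action [indices:admin/create]] "
    "[RolesChecked [own_index, pscheduler_logstash]]")

LOG_RE = re.compile(r"User \[name=([^,\]]+).*?allIndices=\[([^\]]*)\]"
                    r".*?\[Action \[([^\]]+)\]\] \[RolesChecked \[([^\]]*)\]\]")


def parse_denial(line):
    """Pull user, resolved indices, action and checked roles out of a denial log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    user, indices, action, roles = m.groups()
    split = lambda s: [x.strip() for x in s.split(",") if x.strip()]
    return {"user": user, "indices": split(indices), "action": action, "roles_checked": split(roles)}


def expand_actions(allowed):
    """Recursively expand action-group names into concrete action patterns."""
    out = []
    for a in allowed:
        out.extend(expand_actions(ACTION_GROUPS[a]) if a in ACTION_GROUPS else [a])
    return out


def index_permitted(roles, roles_checked, user_name, index, action):
    """Return the first checked role that grants `action` on `index`, else None."""
    for role_name in roles_checked:
        for perm in roles.get(role_name, {}).get("index_permissions", []):
            patterns = [p.replace("${user_name}", user_name) for p in perm["index_patterns"]]
            if not any(fnmatchcase(index, p) for p in patterns):
                continue  # index pattern must match before actions are considered
            if any(fnmatchcase(action, ap) for ap in expand_actions(perm["allowed_actions"])):
                return role_name
    return None


def index_pattern_drift(on_disk, live):
    """Per role, list index patterns present only in roles.yml or only in the live index."""
    drift = {}
    for name, role in on_disk.items():
        disk = {p for perm in role["index_permissions"] for p in perm["index_patterns"]}
        cur = {p for perm in live.get(name, {}).get("index_permissions", []) for p in perm["index_patterns"]}
        if disk != cur:
            drift[name] = {"only_on_disk": sorted(disk - cur), "only_live": sorted(cur - disk)}
    return drift


if __name__ == "__main__":
    d = parse_denial(SAMPLE_LOG_LINE)
    for label, roles in (("roles.yml", ON_DISK_ROLES), ("live index", LIVE_ROLES)):
        for idx in d["indices"]:
            who = index_permitted(roles, d["roles_checked"], d["user"], idx, d["action"])
            print(f"{label:10s} {d['action']} on {idx}: {who or 'DENIED'}")
    print("drift:", index_pattern_drift(ON_DISK_ROLES, LIVE_ROLES))
```

Run as is, the replay shows that the on-disk definition would have granted indices:admin/create on prometheus_node through pscheduler_logstash (both via create_index and via manage, which covers indices:admin/*), while the live definition denies it solely because prometheus_* is absent from its index_patterns; the drift report names exactly that missing pattern. In practice the live side would be fetched from the roles API and the on-disk side loaded from roles.yml, and any non-empty drift is the signal that securityadmin.sh has not been run since the file was edited.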

Hi @Mantas ,
Yes, that seems to have done it, thanks a lot!

will
