Hello,
After upgrading our cluster to version 1.6.0, we noticed many security audit reports in our logs.
They are all caused by one user who is issuing search requests over 700 indices.
I am not sure whether there is a hidden limit in ODFE that could cause this, or a bug that prevents the permissions from being checked for all of the resolved indices (the entry below is logged as MISSING_PRIVILEGES on the transport layer). I have already granted the user full cluster permissions, without any luck.
{
"_index": "security-auditlog-000002",
"_type": "_doc",
"_id": "*BLANKED*",
"_version": 1,
"_score": null,
"_source": {
"audit_trace_task_parent_id": "*BLANKED*",
"audit_cluster_name": "odfe-cluster",
"audit_transport_headers": {
"_opendistro_security_source_field_context": "*BLANKED*",
"_opendistro_security_user_header": "*BLANKED*",
"_opendistro_security_remotecn": "odfe-cluster",
"_opendistro_security_remote_address_header": "*BLANKED*",
"_opendistro_security_origin_header": "REST"
},
"audit_node_name": "*BLANKED*",
"audit_trace_task_id": "*BLANKED*",
"audit_transport_request_type": "ShardSearchRequest",
"audit_category": "MISSING_PRIVILEGES",
"audit_request_origin": "REST",
"audit_node_id": "*BLANKED*",
"audit_request_layer": "TRANSPORT",
"@timestamp": "2020-04-28T08:08:48.708+00:00",
"audit_format_version": 4,
"audit_request_remote_address": "*BLANKED*",
"audit_request_privilege": "indices:data/read/search[can_match]",
"audit_node_host_address": "*BLANKED*",
"audit_request_effective_user": "*BLANKED*",
"audit_trace_indices": [
"bmc*"
],
"audit_trace_resolved_indices": [
*List of 700 Indices*
],
"audit_node_host_name": "*BLANKED*"
},
"fields": {
"@timestamp": [
"2020-04-28T08:08:48.708Z"
]
},
"sort": [
1588061328708
]
}