Security_exception in PPL

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
v 2.15.0 Opensearch and Dashboard

Describe the issue:

Hello,

I’m trying to configure a role to access and use Observability logs PPL, but the autocomplete gets this error:

{"statusCode":403,"error":"Forbidden","message":"[security_exception] no permissions for [indices:monitor/settings/get] and User [name=, backend_roles=[***], requestedTenant=VET02]"}

This is the role configuration:

PUT _plugins/_security/api/roles/monitoring-ro
{
  "cluster_permissions": [
    "cluster:monitor/nodes/stats",
    "cluster:monitor/task/get",
    "cluster:monitor/settings/get",
    "cluster:admin/opensearch/ppl",
    "cluster:admin/opensearch/observability/get",
    "read"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "logs-*",
        "metric*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "search",
        "view_index_metadata",
        "indices:admin/mappings/get",
        "indices:data/read/ppl",
        "indices:admin/get",
        "indices:admin/aliases/get",
        "indices:monitor/settings/get"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "VET02"
      ],
      "allowed_actions": [
        "kibana_read_only"
      ]
    }
  ]
}

Relevant Logs or Screenshots:

[2025-03-28T10:54:06,151][INFO ][o.o.s.p.PrivilegesEvaluator] [***] No permissions for [indices:monitor/settings/get]
[2025-03-28T10:54:08,267][INFO ][o.o.s.p.PrivilegesEvaluator] [***] No index-level perm match for User [name=***, backend_roles=***], requestedTenant=VET02] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:monitor/settings/get]] [RolesChecked [monitoring-ro]]
[2025-03-28T10:54:08,267][INFO ][o.o.s.p.PrivilegesEvaluator] [***] No permissions for [indices:monitor/settings/get]

@pido It’s unclear from your question which role is actually assigned to the user that is having the issue.

The error message is very accurate regarding the missing permission; the only confusion might be where the specified permission should be entered (in cluster or index permissions). Generally speaking, while testing I would recommend adding it to both the cluster and index permissions for the role and, once the issue is fixed, removing the one that is not needed.

Can you confirm what role is assigned to the user using /_plugins/_security/authinfo endpoint?


Hello,
I was hiding some info from the logs, but the role assigned to the affected user is monitoring-ro, the same as the configuration that I put in this request.
Thanks for your support,

Which version of OS are you using? I’m unable to reproduce your issue.

I have a user mapped to only one role:

"cluster_permissions" : [
      "cluster:monitor/nodes/stats",
      "cluster:monitor/task/get",
      "cluster:admin/opensearch/ppl",
      "cluster:admin/opensearch/observability/get"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "products"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read",
          "search",
          "indices:admin/mappings/get",
          "indices:admin/get",
          "indices:admin/aliases/get",
          "indices:monitor/settings/get"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "*"
        ],
        "allowed_actions" : [
          "kibana_all_write"
        ]
      }
    ],

And I’m able to run PPL queries on index products using curl.

I have v 2.15.0 for OpenSearch and Dashboard.
The issue is only with the autocomplete query on PPL, because with this role I can run the written query. But, for example, if I search with autocomplete, it doesn’t work.

@pido As there are various options to configure autocomplete, can you elaborate on how the autocomplete is set up and the query you are running? Can you please also confirm that it works as expected using an admin user mapped to the ALL_ACCESS role?

Hello,

Using admin it works correctly. Can you share with me some configuration for the role that I’m trying to fix, please?

Thanks

@pido can you please confirm how the autocorrect feature was configured and give an example of the query you are running?

Sorry for the delay. I haven’t configured autocomplete; it is in the default configuration of the installation. I put a screenshot of the error, so maybe it is clearer what I mean:

Edit:
In the upper image you can find the result using a custom role, where autocomplete is not working; in the lower image, the expected result using admin, where it works.

@pido in order to use autocomplete, the user needs to have access to all the indices. The error you are seeing is not related to the “product” index the user has access to, but to the rest of the indices. Also, there are some cluster permissions missing from the role you are using. See the example below of a role that you can use for this purpose:

test_role:
  reserved: false
  hidden: false
  cluster_permissions:
  - "cluster:monitor/nodes/stats"
  - "cluster:monitor/task/get"
  - "cluster:admin/opensearch/ppl"
  - "cluster:admin/opensearch/observability/get"
  - "cluster:monitor/state"
  - "cluster:monitor/health"
  index_permissions:
  - index_patterns:
    - "product*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:admin/mappings/get"
    - "read"
    - "search"
    - "indices:admin/get"
    - "indices:admin/aliases/get"
    - "indices:monitor/settings/get"
  - index_patterns:
    - "*"
    dls: ""
    fls: []
    masked_fields: []
    allowed_actions:
    - "indices:monitor/settings/get"
    - "indices:monitor/stats"
  tenant_permissions:
  - tenant_patterns:
    - "*"
    allowed_actions:
    - "kibana_all_write"
  static: false
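
A simplified model of the explanation above, as an added example that is not part of the thread and is not the security plugin's own evaluator: it parses the PrivilegesEvaluator denial line quoted earlier and lists the indices a wildcard request touches without a grant for the denied action. The index names in `CLUSTER_INDICES` are constructed, the role entries are reduced to the fields the check needs, and action groups such as `read` are not expanded.

```python
import fnmatch
import re

# Denial line as quoted in the thread (user and node names masked there).
DENIED_LOG = (
    "[2025-03-28T10:54:08,267][INFO ][o.o.s.p.PrivilegesEvaluator] [***] No index-level perm "
    "match for User [name=***, backend_roles=***], requestedTenant=VET02] Resolved [aliases=[*], "
    "allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] "
    "[Action [indices:monitor/settings/get]] [RolesChecked [monitoring-ro]]")

# Constructed sample of indices present in a cluster (assumption, not from the thread).
CLUSTER_INDICES = ["logs-app-2025.03", "metrics-cpu", "products", ".kibana_1"]

# index_permissions of monitoring-ro, and the same role plus the "*" entry from test_role.
ORIGINAL = [{"index_patterns": ["logs-*", "metric*"],
             "allowed_actions": ["read", "search", "indices:monitor/settings/get"]}]
FIXED = ORIGINAL + [{"index_patterns": ["*"],
                     "allowed_actions": ["indices:monitor/settings/get", "indices:monitor/stats"]}]

def parse_denial(line):
    """Extract requested index expressions, denied action and checked roles."""
    m = re.search(r"originalRequested=\[([^\]]*)\].*?\[Action \[([^\]]+)\]\] "
                  r"\[RolesChecked \[([^\]]*)\]\]", line)
    if not m:
        return None
    items = lambda s: [p.strip() for p in s.split(",") if p.strip()]
    return {"requested": items(m.group(1)), "action": m.group(2), "roles": items(m.group(3))}

def uncovered(index_permissions, action, requested, cluster_indices):
    """Indices the request resolves to for which no role entry grants `action`."""
    targets = [i for i in cluster_indices
               if any(fnmatch.fnmatchcase(i, r) for r in requested)]
    def granted(index):
        return any(
            any(fnmatch.fnmatchcase(index, p) for p in e["index_patterns"])
            and any(fnmatch.fnmatchcase(action, a) for a in e["allowed_actions"])
            for e in index_permissions)
    return [i for i in targets if not granted(i)]

if __name__ == "__main__":
    d = parse_denial(DENIED_LOG)
    for name, perms in (("original", ORIGINAL), ("with '*' entry", FIXED)):
        gaps = uncovered(perms, d["action"], d["requested"], CLUSTER_INDICES)
        print(f"{name}: {d['action']} on {d['requested']} -> uncovered {gaps}")
```

The `*` entry grants only the two monitor actions, so the role's data-read actions stay confined to its own index patterns.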

Thanks, I will try it and let you know

Hi Anthony,

I can confirm that it now works correctly.
Thanks for your support
