Security Issue: No permissions for [indices:admin/resolve/index]

Hello everyone, I use Opendistro release 1.10.1. Now I have defined two internal users (alice and bob). I have also defined roles for bob and alice.
For example:

roles:

```yaml
autos:
  reserved: false
  index_permissions:
  - index_patterns:
    - "autos"
    allowed_actions:
    - indices_all
```

and then roles mapping:

```yaml
autos:
  reserved: false
  users:
  - "bob"
  backend_roles:
  - "autos"
```

Login works fine for bob, but if user bob tries to create an index pattern, we get the following error message in the log:

[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No index-level perm match for User [name=alice, backend_roles=[telefonbuch, kibanauser, kibana_sample_data_flights], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [telefonbuch, own_index, kibana_user, kibana_sample_data_flights]]
[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No permissions for [indices:admin/resolve/index]

Why do I get this error message? I have checked role definitions, user mapping, etc., but I get this error again.
What is my mistake? What am I doing wrong?

Thanks


I am having the same issue; moreover, users can’t create indices they have access to, they can only view what was created prior to the upgrade.

I really appreciate help on this issue.

I also have this issue. I updated last week from 1.9 to 1.10. This seems to be a new “feature” in 1.10. I guess users could be given access to indices:admin/resolve/index, but I don’t know what it does. It does not seem to be documented either in Permissions - Open Distro Documentation.

This is how I have understood the problem, please correct me if I’m wrong.
There seems to be an open issue about this:
https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/529
So the reason seems to be that Kibana got updated to support things other than indices (Index Patterns Management - use `/_resolve` endpoint for data streams support by mattkime · Pull Request #70271 · elastic/kibana · GitHub) and therefore started to use the resolve API (Resolve index API | Elasticsearch Guide [8.4] | Elastic).

The easy way to fix this would be to add `"index_permissions": [ { "index_patterns": [ "*" ], "allowed_actions": [ "indices:admin/resolve/index" ] } ]` to a role that all Kibana users have access to. The downside of this is that all users that have access to this role can see the names of all indices in the cluster; this includes the Kibana-user/tenant indices.

I have this problem too. But I use multi-tenancy and I want users to be able to create their index patterns themselves in Kibana. They can’t do this because they don’t have this permission (indices:admin/resolve/index). Most important is that users must not see other indexes which are not included in their roles. Do you have any idea how to do this without this permission?


Same issue here. I tried to create a new action group with indices:admin/resolve/index and add it as a cluster permission; it doesn’t work.

If I try at index level, indices:admin/resolve/index is not in the list.

(I upgraded this morning to 1.11)

Hi folks,
Could you solve it?
I’m facing the same problem:

2020-12-10T10:00:16,726][INFO ][c.a.o.s.p.PrivilegesEvaluator] [ubuntu-VirtualBox] No index-level perm match for User [name=mary help, backend_roles=[elastic.car], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [own_index, kibana_user, car]]
[2020-12-10T10:00:16,727][INFO ][c.a.o.s.p.PrivilegesEvaluator] [ubuntu-VirtualBox] No permissions for [indices:admin/resolve/index]

Thank you
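To see at a glance which user and action the PrivilegesEvaluator is rejecting, and which roles it evaluated, the denial lines can be parsed. This is an added example, not code from any poster in the thread; the sample input is the log lines quoted in the posts above, and the function names are illustrative.

```python
import re
from collections import Counter

# Denial lines as quoted in the posts above (the second entry's missing "[" is kept as posted).
SAMPLE_LOG = """\
[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No index-level perm match for User [name=alice, backend_roles=[telefonbuch, kibanauser, kibana_sample_data_flights], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [telefonbuch, own_index, kibana_user, kibana_sample_data_flights]]
[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No permissions for [indices:admin/resolve/index]
2020-12-10T10:00:16,726][INFO ][c.a.o.s.p.PrivilegesEvaluator] [ubuntu-VirtualBox] No index-level perm match for User [name=mary help, backend_roles=[elastic.car], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [own_index, kibana_user, car]]
"""

DENIAL = re.compile(
    r"No index-level perm match for User \[name=(?P<user>.*?), "
    r"backend_roles=\[(?P<backend_roles>.*?)\], requestedTenant=(?P<tenant>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<roles_checked>[^\]]*)\]\]"
)

def _split(raw):
    """Turn 'a, b, c' into ['a', 'b', 'c'], tolerating an empty list."""
    return [item.strip() for item in raw.split(",") if item.strip()]

def parse_denials(text):
    """Return one dict per 'No index-level perm match' line in text."""
    out = []
    for m in DENIAL.finditer(text):
        out.append({
            "user": m["user"],  # user names may contain spaces ("mary help")
            "backend_roles": _split(m["backend_roles"]),
            "tenant": m["tenant"],
            "action": m["action"],
            "roles_checked": _split(m["roles_checked"]),
        })
    return out

def denied_by_user(text):
    """Count denials per (user, action) so repeated Kibana requests collapse."""
    return Counter((d["user"], d["action"]) for d in parse_denials(text))

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f'{d["user"]!r} denied {d["action"]}; roles checked: {d["roles_checked"]}')
```

The `roles_checked` list is the useful part when debugging a mapping: a role missing from it was never evaluated for that user.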

Hey all, although the permission does not appear in the console and cannot be added that way, you can add it via the API. Here I’m adding indices_all permission to the actual index pattern “test*” and the “indices:admin/resolve/index” permission to everything (*). Not ideal, but this seems to work.

```
PUT _opendistro/_security/api/roles/js-test
{
    "cluster_permissions" : [ ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "test*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices:admin/resolve/index"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read"
        ]
      }
    ]
}
```

@Alexander As a workaround you can try to use the below:

```
"index_permissions" : [
  {
    "index_patterns" : [
      "test"
    ],
    "allowed_actions" : [
      "indices:*"
    ]
  }
]
```

This seems to solve the issue of not being able to create index pattern, however you might want to ensure the level of access is right for that user, prior to going to prod.

This works, but it will throw unused INFO messages showing that there is no index-level permission unless the index pattern is “*” (query via Kibana).

Hello Anthony, sorry for the late answer,
unfortunately, this solution doesn’t work for me. The user is still not able to create an index because no indices are displayed.
But if I include the following action

```json
{
  "index_patterns" : [
    "*"
  ],
  "dls" : "",
  "fls" : [ ],
  "masked_fields" : [ ],
  "allowed_actions" : [
    "indices:admin/resolve/index"
  ]
}
```

the index can be created. But during the creation process the user also sees all other indices, which I shouldn’t see.
I still don’t understand why it hasn’t been resolved for so long.
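Since the workaround trades a working index-pattern dialog for visibility of every index name, it helps to know which roles carry it. The following is an added example, not code from any poster in the thread: it audits role bodies shaped like the ones posted above for grants on the `*` index pattern that cover `indices:admin/resolve/index`. The role set is constructed, `ops-wide` is a hypothetical role, and action groups are reported rather than expanded.

```python
from fnmatch import fnmatchcase

RESOLVE = "indices:admin/resolve/index"

# Constructed role set; the first two bodies mirror the ones posted in the thread.
ROLES = {
    "js-test": {"index_permissions": [
        {"index_patterns": ["test*"], "allowed_actions": ["indices_all"]},
        {"index_patterns": ["*"], "allowed_actions": [RESOLVE]},
    ]},
    "test-only": {"index_permissions": [
        {"index_patterns": ["test"], "allowed_actions": ["indices:*"]},
    ]},
    "ops-wide": {"index_permissions": [  # hypothetical role, not from the thread
        {"index_patterns": ["*"], "allowed_actions": ["indices:*", "indices_all"]},
    ]},
}

def matches_everything(patterns):
    """True when a pattern consists only of '*', i.e. it matches every index name."""
    return any(p and not p.strip("*") for p in patterns)

def audit(roles):
    """List wildcard-index grants that let a role resolve every index name."""
    findings = []
    for name, role in sorted(roles.items()):
        for perm in role.get("index_permissions", []):
            if not matches_everything(perm.get("index_patterns", [])):
                continue
            actions = perm.get("allowed_actions", [])
            # Concrete action names contain ':' and may use wildcards ("indices:*").
            via = [a for a in actions if ":" in a and fnmatchcase(RESOLVE, a)]
            # Action groups (no ':') are not expanded here; report them for review.
            groups = [a for a in actions if ":" not in a]
            if via or groups:
                findings.append({"role": name, "via": via, "unexpanded_groups": groups,
                                 "resolve_only": actions == [RESOLVE]})
    return findings

if __name__ == "__main__":
    for finding in audit(ROLES):
        print(finding)
```

A finding with `resolve_only` set is the narrow workaround from the thread (index names exposed, nothing else); any other finding grants more than name resolution on every index and deserves a closer look.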