Separation of user roles

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

OpenSearch 2.11.1

Describe the issue:
Please help me set up access. There is a group of users who need to restrict access to display indexes. I created a role, in it I set up “Index Permissions” so that the user group would have access only to a certain index pattern. But the problem is that this user group is part of another group that has more extensive rights. And accordingly, OpenSearch applies the role with more rights. Is it possible to somehow differentiate rights? Set up role priority?

Configuration:

Relevant Logs or Screenshots:

Hi @Pan-Vad,

What about duplicating the original role, restricting the permissions and assigning the group of users with the limited permissions to that role instead of using two roles for the same group?

best,
mj

Perhaps I misunderstand how the role distribution process works. Let me describe my problem in more detail. In AD there is a group GISAP, which is part of the ORIS group. The ORIS group has the role “readall_AD”, role settings:

reserved: false
cluster_permissions:
  - "cluster_composite_ops_ro"
  - "cluster:admin/tenants/list"
  - "cluster:admin/tenants/get"
  - "cluster:admin/tenants/select"
  - "cluster:admin/opensearch/ql/datasources/read"
index_permissions:
  - index_patterns:
      - '*'
    allowed_actions:
      - 'read'
tenant_permissions:
  - tenant_patterns:
      - '*'
    allowed_actions:
      - "kibana_all_read"

This role grants read rights for all indexes.
I created another role “syslog_only”, here are its parameters:


cluster_permissions:
  - "cluster_composite_ops_ro"
index_permissions:
  - index_patterns:
      - "syslog-*"
    allowed_actions:
      - "indices:admin/get"
      - "indices:data/read/*"
    fls:
      - "*"

I configured mapping of this role for the GISAP group, but it did not help, users of this group still see other indexes. How to configure this role so that all users of the ORIS group, except the GISAP group, can read from all indexes, and users of the GISAP group can read only the “syslog” index?

@Pan-Vad, I see, you are using nested groups. Have you checked the parameter resolve_nested_roles?

What if you set resolve_nested_roles: false ?

see more here: Active Directory and LDAP - OpenSearch Documentation

best,
mj

I changed the attribute “resolve_nested_roles: false”, but unfortunately nothing changed

@Pan-Vad, can you run the below for each type of user and share the output:

curl --insecure -u <ldap_user>:<ldap_password> -XGET https://<OS_node>:9200/_plugins/_security/authinfo?pretty

Thanks,
mj

Here are the results of running the command for two users. This user has access to all indexes:

{
  "user" : "User [name=yukhnovskiyadm, backend_roles=[GISAP Admins, LinuxAdmin, VMware Admins], requestedTenant=null]",
  "user_name" : "yukhnovskiyadm",
  "user_requested_tenant" : null,
  "remote_address" : "192.168.20.41:37799",
  "backend_roles" : [
    "GISAP Admins",
    "LinuxAdmin",
    "VMware Admins"
  ],
  "custom_attribute_names" : [
    "attr.ldap.primaryGroupID",
    "attr.ldap.msTSExpireDate",
    "attr.ldap.lastLogon",
    "attr.ldap.logonCount",
    "attr.ldap.badPwdCount",
    "attr.ldap.objectGUID",
    "attr.ldap.userAccountControl",
    "attr.ldap.msTSLicenseVersion3",
    "attr.ldap.msTSLicenseVersion2",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.lastLogoff",
    "attr.ldap.countryCode",
    "attr.ldap.instanceType",
    "attr.ldap.sAMAccountName",
    "attr.ldap.msTSManagingLS",
    "attr.ldap.userPrincipalName",
    "attr.ldap.whenChanged",
    "attr.ldap.objectClass",
    "attr.ldap.givenName",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.lockoutTime",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.pwdLastSet",
    "attr.ldap.adminCount",
    "attr.ldap.msTSLicenseVersion",
    "attr.ldap.lastLogonTimestamp"
  ],
  "roles" : [
    "own_index",
    "all_access",
    "admin_AD"
  ],
  "tenants" : {
    "global_tenant" : true,
    "admin_tenant" : true,
    "yukhnovskiyadm" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

This user is a member of a group for which I created the syslog_only role.

{
  "user" : "User [name=Юхновский Вадим Владимирович, backend_roles=[PRTG BEL1 Read, PRTG MSK4 Read, PRTG MSK1 Read, Пользователи PRTG, ОРИС, RDG Users, August, Пользователи Passwork, PRTG MSK2 Write, WiFi Global, ДИТ, ProxyRB, PRTG MSK3 Read, InternetUsers, WiFi Work, Lansweeper View, Сотрудники Service Desk, ГИSAP, PRTG VRN1 Read, Центральный офис, Пользователи  MaxPatrol VM, VPN_Users], requestedTenant=null]",
  "user_name" : "Юхновский Вадим Владимирович",
  "user_requested_tenant" : null,
  "remote_address" : "192.168.20.41:42169",
  "backend_roles" : [
    "PRTG BEL1 Read",
    "PRTG MSK4 Read",
    "PRTG MSK1 Read",
    "Пользователи PRTG",
    "ОРИС",
    "RDG Users",
    "August",
    "Пользователи Passwork",
    "PRTG MSK2 Write",
    "WiFi Global",
    "ДИТ",
    "ProxyRB",
    "PRTG MSK3 Read",
    "InternetUsers",
    "WiFi Work",
    "Lansweeper View",
    "Сотрудники Service Desk",
    "ГИSAP",
    "PRTG VRN1 Read",
    "Центральный офис",
    "Пользователи  MaxPatrol VM",
    "VPN_Users"
  ],
  "custom_attribute_names" : [
    "attr.ldap.msRTCSIP-PrimaryUserAddress",
    "attr.ldap.msTSExpireDate",
    "attr.ldap.logonCount",
    "attr.ldap.lastLogon",
    "attr.ldap.badPwdCount",
    "attr.ldap.msExchUserCulture",
    "attr.ldap.userAccountControl",
    "attr.ldap.whenCreated",
    "ldap.original.username",
    "attr.ldap.msExchDumpsterQuota",
    "attr.ldap.physicalDeliveryOfficeName",
    "attr.ldap.lastLogoff",
    "attr.ldap.msRTCSIP-FederationEnabled",
    "attr.ldap.sAMAccountName",
    "attr.ldap.homeDrive",
    "attr.ldap.msExchTextMessagingState",
    "attr.ldap.userPrincipalName",
    "attr.ldap.whenChanged",
    "attr.ldap.msExchMailboxAuditEnable",
    "attr.ldap.msRTCSIP-InternetAccessEnabled",
    "attr.ldap.description",
    "attr.ldap.msExchAuditAdmin",
    "attr.ldap.lockoutTime",
    "attr.ldap.msExchMailboxAuditLastAdminAccess",
    "attr.ldap.displayName",
    "attr.ldap.objectSid",
    "attr.ldap.codePage",
    "attr.ldap.msRTCSIP-Line",
    "attr.ldap.msExchAuditDelegate",
    "attr.ldap.extensionAttribute1",
    "attr.ldap.mail",
    "attr.ldap.msExchUMDtmfMap",
    "attr.ldap.lastLogonTimestamp",
    "attr.ldap.primaryGroupID",
    "attr.ldap.msExchArchiveQuota",
    "attr.ldap.msExchMailboxGuid",
    "attr.ldap.proxyAddresses",
    "attr.ldap.objectGUID",
    "attr.ldap.msTSLicenseVersion3",
    "attr.ldap.msTSLicenseVersion2",
    "attr.ldap.msRTCSIP-UserPolicies",
    "attr.ldap.company",
    "attr.ldap.countryCode",
    "attr.ldap.department",
    "attr.ldap.instanceType",
    "attr.ldap.msRTCSIP-UserEnabled",
    "attr.ldap.telephoneNumber",
    "attr.ldap.msTSManagingLS",
    "attr.ldap.objectClass",
    "attr.ldap.msExchVersion",
    "attr.ldap.givenName",
    "attr.ldap.msRTCSIP-DeploymentLocator",
    "attr.ldap.msRTCSIP-OptionFlags",
    "ldap.dn",
    "attr.ldap.sAMAccountType",
    "attr.ldap.cn",
    "attr.ldap.accountExpires",
    "attr.ldap.msExchMobileMailboxFlags",
    "attr.ldap.msExchAuditDelegateAdmin",
    "attr.ldap.title",
    "attr.ldap.dSCorePropagationData",
    "attr.ldap.initials",
    "attr.ldap.name",
    "attr.ldap.uSNCreated",
    "attr.ldap.uSNChanged",
    "attr.ldap.msExchCalendarLoggingQuota",
    "attr.ldap.msExchRecipientTypeDetails",
    "attr.ldap.pwdLastSet",
    "attr.ldap.msExchUserAccountControl",
    "attr.ldap.msRTCSIP-UserRoutingGroupId",
    "attr.ldap.msExchRecipientDisplayType",
    "attr.ldap.sn",
    "attr.ldap.msExchWhenMailboxCreated",
    "attr.ldap.mDBUseDefaults",
    "attr.ldap.msExchArchiveWarnQuota",
    "attr.ldap.mailNickname",
    "attr.ldap.msExchELCMailboxFlags",
    "attr.ldap.msExchDumpsterWarningQuota",
    "attr.ldap.msTSLicenseVersion"
  ],
  "roles" : [
    "syslog_only",
    "own_index"
  ],
  "tenants" : {
    "global_tenant" : false,
    "admin_tenant" : false,
    "Юхновский Вадим Владимирович" : true
  },
  "principal" : null,
  "peer_certificates" : "0",
  "sso_logout_url" : null
}

Can you also share the output of the curl -XGET "http://localhost:9200/_plugins/_security/api/rolesmapping"

thanks,
mj

Of course I can:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1268  100  1268    0     0  91984      0 --:--:-- --:--:-- --:--:-- 97538
{
  "manage_snapshots": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "snapshotrestore"
    ],
    "and_backend_roles": []
  },
  "logstash": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "logstash"
    ],
    "and_backend_roles": []
  },
  "own_index": {
    "hosts": [],
    "users": [
      "*"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": [],
    "description": "Allow full access to an index named like the username"
  },
  "kibana_user": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "kibanauser"
    ],
    "and_backend_roles": [],
    "description": "Maps kibanauser to kibana_user"
  },
  "readall_AD": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "ГИSAP"
    ],
    "and_backend_roles": []
  },
  "all_access": {
    "hosts": [],
    "users": [],
    "reserved": true,
    "hidden": false,
    "backend_roles": [
      "admin",
      "GISAP Admins"
    ],
    "and_backend_roles": [],
    "description": "Maps admin to all_access"
  },
  "readall": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "readall"
    ],
    "and_backend_roles": []
  },
  "kibana_server": {
    "hosts": [],
    "users": [
      "kibanaserver"
    ],
    "reserved": true,
    "hidden": false,
    "backend_roles": [],
    "and_backend_roles": []
  },
  "admin_AD": {
    "hosts": [],
    "users": [],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "GISAP Admins"
    ],
    "and_backend_roles": []
  }
}

I will add: I tried to delete the role that I created for the original ORIS group; instead I left the syslog_only role, which is applied to the GISAP group:

syslog_only:
  cluster_permissions:
    - "cluster_all"
  index_permissions:
    - index_patterns:
        - "syslog-*"
      allowed_actions:
        - "indices_all"
  tenant_permissions:
    - tenant_patterns:
        - "*"
      allowed_actions:
        - "kibana_all_read"

When I logged in under a user account from the GISAP group to check the result and opened the “Discover” menu, the display window did not return any results.
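The thread turns on how the security plugin combines mappings: every mapping whose users, backend_roles or and_backend_roles match contributes its role, and the user's permissions are the union of all of them, so a narrow role cannot override a broad one and there is no role priority. The script below, an added example that is neither the poster's nor the OpenSearch project's code, models that resolution over the mappings and role bodies posted above (readall_AD mapped to the ГИSAP backend role, syslog_only restricted to syslog-*) and over a constructed alternative in which the broad read role is mapped to hypothetical sibling subgroups (ORIS-Ops, ORIS-Network) and the narrow role to GISAP alone. The index names, the second user's short name "vadim" and the backend-role lists are constructed; backend roles are compared exactly (a simplification), admin_AD's body is not shown in the thread and contributes nothing, and field-level security is not modelled.

```python
"""Resolve which OpenSearch Security roles a user gets from the role mappings
and which indices the union of those roles lets the user read.

Added example for this thread, not code from the poster or from the OpenSearch
project.  Each mapping is evaluated independently: it contributes its role when
the user name matches an entry in "users", when any backend role matches an
entry in "backend_roles", or when every entry in "and_backend_roles" is
present.  The roles are merged, so effective permissions are the union.
"""
import fnmatch

# Backend-role (AD group) names spelled exactly as in the posted authinfo and
# rolesmapping output.
GISAP = "ГИSAP"
ORIS = "ОРИС"
GISAP_ADMINS = "GISAP Admins"

# Mappings from the posted rolesmapping output, reduced to the entries that
# matter for the two users in the thread.
POSTED_MAPPING = {
    "own_index":  {"users": ["*"], "backend_roles": [], "and_backend_roles": []},
    "readall_AD": {"users": [], "backend_roles": [GISAP], "and_backend_roles": []},
    "all_access": {"users": [], "backend_roles": ["admin", GISAP_ADMINS], "and_backend_roles": []},
    "admin_AD":   {"users": [], "backend_roles": [GISAP_ADMINS], "and_backend_roles": []},
}

# Constructed alternative (hypothetical subgroup names ORIS-Ops/ORIS-Network):
# the broad read role goes to the other ORIS subgroups, the narrow role to
# GISAP alone, so no GISAP member matches both mappings.
SPLIT_MAPPING = {
    "own_index":   {"users": ["*"], "backend_roles": [], "and_backend_roles": []},
    "readall_AD":  {"users": [], "backend_roles": ["ORIS-Ops", "ORIS-Network"], "and_backend_roles": []},
    "syslog_only": {"users": [], "backend_roles": [GISAP], "and_backend_roles": []},
    "all_access":  {"users": [], "backend_roles": ["admin", GISAP_ADMINS], "and_backend_roles": []},
}

# Index patterns each role lets the user read, from the role bodies in the
# thread.  all_access is the built-in role that covers everything; admin_AD's
# body is not shown in the thread, so it contributes nothing here.  own_index
# is handled separately because its pattern is the user name itself.
READ_PATTERNS = {
    "readall_AD": ["*"],
    "syslog_only": ["syslog-*"],
    "all_access": ["*"],
}


def mapped_roles(mapping, user_name, backend_roles):
    """Roles whose mapping matches this user.  "users" entries may carry
    wildcards (own_index uses "*"); backend roles are compared exactly here."""
    have = set(backend_roles)
    roles = set()
    for role, m in mapping.items():
        by_user = any(fnmatch.fnmatchcase(user_name, p) for p in m.get("users", []))
        by_any = bool(have & set(m.get("backend_roles", [])))
        required = set(m.get("and_backend_roles", []))
        by_all = bool(required) and required <= have
        if by_user or by_any or by_all:
            roles.add(role)
    return roles


def readable(mapping, user_name, backend_roles, index_names):
    """Indices from index_names the user can read: the union of the index
    patterns of every mapped role, which is why a narrow role never wins."""
    roles = mapped_roles(mapping, user_name, backend_roles)
    patterns = [p for r in roles for p in READ_PATTERNS.get(r, [])]
    if "own_index" in roles:
        patterns.append(user_name)  # "full access to an index named like the username"
    return sorted(i for i in index_names
                  if any(fnmatch.fnmatchcase(i, p) for p in patterns))


if __name__ == "__main__":
    # Constructed index names and a nested member as in the second authinfo.
    indices = ["syslog-2024.01.15", "app-logs-2024.01.15"]
    nested = [ORIS, GISAP, "VPN_Users"]
    print("posted mapping:", sorted(mapped_roles(POSTED_MAPPING, "vadim", nested)),
          readable(POSTED_MAPPING, "vadim", nested, indices))
    print("split mapping: ", sorted(mapped_roles(SPLIT_MAPPING, "vadim", nested)),
          readable(SPLIT_MAPPING, "vadim", nested, indices))
```

Run against the first posted authinfo (backend roles GISAP Admins, LinuxAdmin, VMware Admins) the resolver returns own_index, all_access and admin_AD, the same three roles the plugin reported. For the nested member it shows the practical consequence: with the posted mapping the user reaches every index through readall_AD, with the split mapping only syslog-* and the user's own index. The only way to keep a subgroup narrower than its parent is to make sure no mapping for the broad role matches the subgroup's members, which is what mapping roles per subgroup achieves.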

If I haven’t missed anything (I’ll have a closer look), permissions and assumed roles all look good.

Can you run a search in Dev Tools on syslog-* index?

something like:

GET /syslog-*/_search

Do you get the expected result? If not, what does the log say?

Can you share the output of:

curl -XGET "http://localhost:9200/_plugins/_security/api/roles/"

best,
mj

I have redone the configuration, applied roles for each subgroup. Thanks for the help!


@Pan-Vad, glad it helped!