Update OpenSearch 2.17: no permissions for [indices:data/read/msearch]

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
OpenSearch 2.17 on AWS

Describe the issue:
After the update of OpenSearch on AWS from 2.11 to 2.17, I get an error during search for one index:
no permissions for [indices:data/read/msearch] and User [name=xxx, backend_roles=, requestedTenant=null]"}]

I didn’t find the permission indices:data/read/msearch in the configuration of the role. Reindexing didn’t resolve the problem, and it only exists for one index. How can I correct it?

Configuration:

Relevant Logs or Screenshots:

Hi @Garance,

Could you share output of the following (for the user that faces the issue):

curl --insecure -u username:password -XGET "https://localhost:9200/_plugins/_security/authinfo?pretty"

Best,
mj

Thank you for the reply. I have resolved the problem by adding the cluster permission indices:data/read/msearch.


For anyone coming to this issue, this is one of those cases where the action name is indices:, but from a security perspective it's treated like a cluster action. This is where the exceptions live in code: security/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java at main · opensearch-project/security · GitHub

The reason this is the case is that it's a Multi-Search action, which means it's composed of individual search actions. From a security perspective, all individual search actions are authorized individually. By having indices:data/read/msearch as a cluster permission, essentially it gives a cluster operator the ability to say: This user can perform msearch, but another user cannot. If a user can perform msearch, then it moves on to authorizing the individual search actions.
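The two-stage check described in the post above, as an added example that is not part of the thread and is not the security plugin's code. It is a simplified model: the role and index names are constructed, and wildcard matching via `fnmatchcase` is an assumption standing in for the plugin's own pattern handling.

```python
from fnmatch import fnmatchcase

MSEARCH = "indices:data/read/msearch"
SEARCH = "indices:data/read/search"


def _matches(patterns, value):
    # Simplified wildcard matching (assumption, not the plugin's matcher).
    return any(fnmatchcase(value, p) for p in patterns)


def cluster_allowed(role, action):
    return _matches(role.get("cluster_permissions", []), action)


def index_allowed(role, action, index):
    return any(
        _matches(p["index_patterns"], index) and _matches(p["allowed_actions"], action)
        for p in role.get("index_permissions", [])
    )


def authorize_msearch(role, indices):
    """Return (allowed, reason) for one msearch over the given indices."""
    # Stage 1: msearch itself is checked against cluster_permissions only,
    # so an index-level grant that matches its name does not help.
    if not cluster_allowed(role, MSEARCH):
        return False, f"no permissions for [{MSEARCH}]"
    # Stage 2: every contained search is authorized on its own index.
    for index in indices:
        if not index_allowed(role, SEARCH, index):
            return False, f"no permissions for [{SEARCH}] on {index}"
    return True, "ok"


# Constructed roles, shaped like security-plugin role definitions.
ROLE_BEFORE = {
    "cluster_permissions": [],
    "index_permissions": [
        {"index_patterns": ["logs-*"], "allowed_actions": ["indices:data/read/*"]}
    ],
}
ROLE_AFTER = dict(ROLE_BEFORE, cluster_permissions=[MSEARCH])

if __name__ == "__main__":
    print(authorize_msearch(ROLE_BEFORE, ["logs-2024"]))
    print(authorize_msearch(ROLE_AFTER, ["logs-2024"]))
    print(authorize_msearch(ROLE_AFTER, ["logs-2024", "hr-records"]))
```

Granting msearch at cluster level does not widen data access: the third call is still denied because the constructed index `hr-records` is outside the role's index patterns.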