User with several roles

Hi guys,
I have a user that is mapped to several roles:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }"
% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq '.[].index_permissions[].dls'
"{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }"
% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq '.[].index_permissions[].dls'
"{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }"

The issue is that the user, even using the ELK_DMB tenant, is unable to see the logs from the mentioned hosts. Instead, he sees the logs from the other tenant.

Could you please help to solve this issue?

@rlevitsky Could you share the config of these roles?

The tenancy doesn’t control index access but OpenSearch Dashboard objects (i.e. visualisations, dashboards). Index access is controlled by the role.
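
An added example (not part of the original posts) of why the selected tenant does not change which documents come back: it assumes the documented Security plugin behaviour that the DLS queries of all roles mapped to a user for the same index are combined with OR. `matches`, `effective_dls` and `visible_hosts` are hypothetical helpers, `match_phrase` is simplified to exact equality, and the sample documents are constructed.

```python
import json
from fnmatch import fnmatch

# (index pattern, DLS string) of the applications-* entry of each role in this thread.
ROLES = {
    "ELK_rVision_INT_DB": ("applications-*", '{ "match_phrase": { "host": "cv248.co.com" } }'),
    "ELK_EPCF_PROD": ("applications-*", '{ "match_phrase": { "host": "cv196.co.com" } }'),
    "ELK_DMB": ("applications-*",
        '{ "bool": { "must": [], "filter": [ { "bool": { "should": [ '
        '{ "bool": { "should": [ { "match_phrase": { "host": "cv244.co.com" } } ], "minimum_should_match": 1 } }, '
        '{ "bool": { "should": [ { "match_phrase": { "host": "cv319.co.com" } } ], "minimum_should_match": 1 } } '
        '], "minimum_should_match": 1 } } ] } }'),
}

def matches(query, doc):
    """Evaluate the query DSL subset these roles use against one document."""
    (kind, body), = query.items()
    if kind == "match_phrase":
        (field, value), = body.items()
        return doc.get(field) == value  # simplification: exact match, no text analysis
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        hits = sum(matches(q, doc) for q in body.get("should", []))
        return all(matches(q, doc) for q in required) and hits >= body.get("minimum_should_match", 0)
    raise ValueError(f"unsupported query type: {kind}")

def effective_dls(role_names, index):
    """OR together the DLS of every mapped role whose pattern covers the index."""
    clauses = [json.loads(dls) for pattern, dls in (ROLES[r] for r in role_names)
               if fnmatch(index, pattern)]
    return {"bool": {"should": clauses, "minimum_should_match": 1}}

def visible_hosts(role_names, index, docs):
    """Hosts whose documents pass the combined filter; the tenant is not an input."""
    query = effective_dls(role_names, index)
    return sorted({d["host"] for d in docs if matches(query, d)})

# Constructed sample documents, one per host (cv999 is covered by no role).
DOCS = [{"host": f"cv{n}.co.com", "message": "constructed"} for n in (196, 244, 248, 319, 999)]

if __name__ == "__main__":
    print(visible_hosts(list(ROLES), "applications-2024.01.01", DOCS))
    print(visible_hosts(["ELK_DMB"], "applications-2024.01.01", DOCS))
```

To scope a user to the ELK_DMB hosts only, the role mapping has to change; switching tenant in Dashboards leaves the combined filter as it is.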

Thank you for your reply @pablo , here they are:

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_rVision_INT_DB | jq '.'

{
  "ELK_rVision_INT_DB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv248.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkrvisionintdb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_rVision_INT_DB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_EPCF_PROD | jq .

{
  "ELK_EPCF_PROD": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"match_phrase\": { \"host\": \"cv196.co.com\" } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkepcfprod*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_EPCF_PROD"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

% curl https://logs.co.com:9200/_opendistro/_security/api/roles/ELK_DMB | jq .

{
  "ELK_DMB": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [],
    "index_permissions": [
      {
        "index_patterns": [
          "applications-*"
        ],
        "dls": "{ \"bool\": { \"must\": [], \"filter\": [ { \"bool\": { \"should\": [  { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv244.co.com\" } } ], \"minimum_should_match\": 1 } }, { \"bool\": { \"should\": [ { \"match_phrase\": { \"host\": \"cv319.co.com\" } } ], \"minimum_should_match\": 1 } }], \"minimum_should_match\": 1 } } ] } }",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      },
      {
        "index_patterns": [
          ".kibana_*_elkdmb*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "crud"
        ]
      },
      {
        "index_patterns": [
          "kibana_sample_*"
        ],
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [
          "ELK_DMB"
        ],
        "allowed_actions": [
          "kibana_all_write"
        ]
      }
    ],
    "static": false
  }
}

Users are able to see cv196 logs only.

@rlevitsky Just to confirm. Are these roles assigned to a single user?

Is there a chance that you could share a single document for each of cv248.co.com, cv196.co.com, cv244.co.com? If not, then maybe the index mappings.

Actually, the issue was that some hosts’ logs didn’t get the mentioned server.
After fixing it, users can search their logs just fine.
So sorry for bothering you.