Wildcards in permissions

Is it possible to use wildcards in permission settings? Imagine I wanna give read access to a particular index pattern. I see OpenSearch has the following index-level permissions, but I don't see a general read, so do I have to add all the permissions related to read one by one?

Hi, if I’m understanding correctly, it seems like yes, OpenSearch supports wildcard permissions for index patterns. You can use wildcard characters such as “*” and “?” to match multiple index patterns with a single permission.

For example, to grant read access to all indices that start with “logs-”, you can use the following permission:

{ "index_patterns": ["logs-*"], "allowed_actions": ["read"] }

This will grant read access to all indices that match the pattern “logs-*”, such as “logs-2022-01-01”, “logs-2022-01-02”, etc.

You can also use multiple index patterns in a single permission by separating them with commas. For example:

{ "index_patterns": ["logs-*", "metrics-*"], "allowed_actions": ["read"] }

Not really, it is about wildcards on the permissions side. Imagine I wanna give all indices:admin/* permissions to the role: do I need to add them one by one? Because it is not possible to do it with a wildcard.

Ah, I see what you mean now. Unfortunately, it is not currently possible to use wildcards on the permissions side to grant permissions to all indices that match a certain pattern. You would need to explicitly list out each index that you want to grant permissions to.

However, if you have a large number of indices that you want to grant permissions to, you could consider using a script to generate the necessary permissions for you based on a certain pattern or criteria. This could save you time and effort in listing out each individual index.

Having a strange issue: when I use * as the index pattern to match, I can see all indices, but when I use a specific pattern like logstash-test*, it is not showing any indices and shows

[security_exception] no permissions for [indices:monitor/settings/get] and User [name=opensearchtestuser, backend_roles=[opensearch-admins], requestedTenant=__user__][security_exception] no permissions for [indices:monitor/settings/get] and User [name=opensearchtestuser, backend_roles=[opensearch-admins], requestedTenant=__user__]

indices_all, indices_monitor … are among the permissions and I see * works with them. Is this something on the index matching side?

It’s possible that the issue you’re experiencing is related to the specific permissions and roles that you have configured in OpenSearch.

If you have granted the indices:monitor/settings/get permission to your user or role, then you should be able to view the settings for all indices that match the specified index pattern, including logstash-test*.

However, if you’re still having issues viewing indices with a specific pattern, it’s possible that there may be some other configuration or permission that is preventing access.

@sukur55 Have you found a solution to your issue? If not, what action do you perform when you get the reported security_exception error?

Hi, @orazaly1508! What, for example, about the predefined action group cluster_all, which uses a wildcard at the end of allowed_action (Default action groups - OpenSearch Documentation)?

"cluster_all": {
    "reserved": true,
    "hidden": false,
    "allowed_actions": [
        "cluster:*"
    ],
    "type": "cluster",
    "description": "Allow everything on cluster level",
    "static": true
}
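
Added example, not part of the thread and not the security plugin's own code: a simplified model of how a role with wildcards on both the index side and the action side can be audited, to see which actions it grants on a given index and whether indices:monitor/settings/get from the error above is covered. The role, the list of action names, and the expansions of indices_all and indices_monitor are assumptions constructed for this example; the real plugin's evaluation (aliases, regex patterns, tenants) is more involved.

```python
import re

# Constructed subset of action groups. cluster_all is quoted in this thread;
# the expansions of the other two are assumptions made for this example.
ACTION_GROUPS = {
    "cluster_all": ["cluster:*"],
    "indices_all": ["indices:*"],
    "indices_monitor": ["indices:monitor/*"],
}

def glob_match(pattern, value):
    """Match with * (any run of characters) and ? (exactly one character)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def expand(allowed_actions):
    """Replace action group names with the action patterns they stand for."""
    return [p for e in allowed_actions for p in ACTION_GROUPS.get(e, [e])]

def is_allowed(role, action, index):
    """True if one index_permissions entry covers both the index and the action."""
    for perm in role.get("index_permissions", []):
        if not any(glob_match(p, index) for p in perm["index_patterns"]):
            continue
        if any(glob_match(a, action) for a in expand(perm["allowed_actions"])):
            return True
    return False

def audit(role, known_actions, index):
    """List which of the known actions the role grants on one index."""
    return [a for a in known_actions if is_allowed(role, a, index)]

# Constructed role: wildcards on the action side, scoped to one index pattern.
ROLE = {"index_permissions": [
    {"index_patterns": ["logstash-test*"],
     "allowed_actions": ["indices:admin/*", "indices:data/read/*"]},
]}

# Constructed list of action names to audit the role against.
KNOWN_ACTIONS = ["indices:admin/create", "indices:admin/delete",
                 "indices:data/read/search", "indices:monitor/settings/get"]

if __name__ == "__main__":
    # What the wildcard actually grants, including destructive admin actions.
    print(audit(ROLE, KNOWN_ACTIONS, "logstash-test-2022"))
    # The action named in the security_exception is not covered by this role.
    print(is_allowed(ROLE, "indices:monitor/settings/get", "logstash-test-2022"))
```

Running the audit over a role before deploying it shows how much a pattern such as indices:admin/* really grants, which matters for least privilege.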