Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Index Template APIs need to be specified under cluster permissions rather than index permissions #619

Closed
ronniepg opened this issue May 24, 2022 · 7 comments · Fixed by #2964
Closed

[BUG] Index Template APIs need to be specified under cluster permissions rather than index permissions #619

ronniepg opened this issue May 24, 2022 · 7 comments · Fixed by #2964
Assignees
@ariamarble
Labels
bug Technical problem with the doc site or broken link Closed - Complete Issue: Work is done and associated PRs closed

Comments

@ronniepg
Copy link

ronniepg commented May 24, 2022
edited
Loading

What is the bug?
Index Template APIs need to be specified under cluster permissions rather than index permissions

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Create an internal role like so
    curl -XPUT https://localhost:9200/_plugins/_security/api/roles/sem-role -H 'Content-Type: application/json' -d' { "cluster_permissions": [ "cluster_monitor" ], "index_permissions": [{ "index_patterns": [ "sem*" ], "allowed_actions" : ["*"] }] }
  2. Create a user with this role
    curl -XPUT https://localhost:9200/_plugins/_security/api/internalusers/sem-user -H 'Content-Type: application/json' -d' { "password": "######", "opendistro_security_roles": ["sem-role"] } '
  3. Define template using this user fails with permission denied to create template
    curl -XPUT -u sem-user "https://localhost:9200/_template/sem1234?pretty" -H 'Content-Type: application/json' -d' { "index_patterns": ["sem1234*"], "template": { "settings": { "number_of_shards": 2, "number_of_replicas": 1 }, "mappings": { "properties": { "timestamp": { "type": "date", "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||epoch_millis" }, "value": { "type": "double" } } } } } '

Response:
{ "error" : { "root_cause" : [ { "type" : "security_exception", "reason" : "no permissions for [indices:admin/template/put] and User [name=sem-user, backend_roles=[], requestedTenant=null]" } ], "type" : "security_exception", "reason" : "no permissions for [indices:admin/template/put] and User [name=sem-user, backend_roles=[], requestedTenant=null]" }, "status" : 403 }

This permission issue is resolved if the indices:admin/template/* permission is specified under the cluster permissions, like so:
curl -XPUT https://hostname:50140/_plugins/_security/api/roles/sem-role -u admin:admin123 -H 'Content-Type: application/json' -d' { "cluster_permissions": [ "cluster_monitor", **"indices:admin/template/*"** ], "index_permissions": [{ "index_patterns": [ "sem*" ], "allowed_actions" : ["*"] }] } '

What is the expected behavior?

  1. The Template APIs fall under the index permissions as per docs (https://opensearch.org/docs/latest/security-plugin/access-control/permissions/#index-permissions) and the permission should work when defined under "index_permissions" and not "cluster_permissions"
  2. The Template APIs should honor the index patterns defined in the user role, i.e. the user should be allowed to create templates only for those index patterns which are permitted as per the user roles.

What is your host/environment?
OpenSearch 1.2.4 with opensearch-security plugin enabled on OEL7

Do you have any screenshots?
NA

Do you have any additional context?
https://forum.opensearch.org/t/internal-user-not-able-to-perform-operations-based-on-internal-role/9529/9
@ronniepg ronniepg added bug Technical problem with the doc site or broken link untriaged labels May 24, 2022
@DarshitChanpura
Copy link
Member

[Triage] This is a documentation bug. The behavior you see is as expected.

@DarshitChanpura
Copy link
Member

@opensearch-project/transfer-request Please move this bug to documentation repo.

@peternied peternied transferred this issue from opensearch-project/security May 27, 2022
@cliu123 cliu123 mentioned this issue Jun 2, 2022
Closed
@DarshitChanpura DarshitChanpura mentioned this issue Jun 14, 2022
Closed
@Naarcha-AWS Naarcha-AWS added 1 - Backlog Issue: The issue is unassigned or assigned but not started and removed untriaged labels Nov 30, 2022
@FrcMoya
Copy link
Contributor

FrcMoya commented Feb 16, 2023

I had this problem yesterday and there is no clear information about this on the internet. Only because I found this problem on GitHub I was able to solve it.

In the permissions page it seems that I have to add the _index_template permissions in the "indices" part of the role and this generates this problem.

@hdhalter
Copy link
Contributor

Hi Aria, can you please take a look at this and make the appropriate changes? Thanks!

@BioSehnsucht
Copy link

@FrcMoya I'm trying to figure this out myself and not having any luck. Can you post what the resulting role permissions ended up looking like when you got it working (either as json to the API or yaml to the securityadmin.sh tool?

@FrcMoya
Copy link
Contributor

FrcMoya commented Feb 19, 2023

@BioSehnsucht I am using the AWS service so I don't really have access to the json nor securityadmin.sh.

This is the response of the GET role API call GET _plugins/_security/api/roles/read_only_role. OpenSearch 2.3 version:

{ "read_only_role" : { "reserved" : false, "hidden" : false, "cluster_permissions" : [ "cluster_composite_ops_ro", "cluster_monitor", "indices:admin/index_template/get", "..." ], "index_permissions" : [ { "index_patterns" : [ "*" ], "fls" : [ ], "masked_fields" : [ ], "allowed_actions" : [ "read", "get", "search", "indices_monitor", "cluster_monitor", "indices:admin/data_stream/get", "indices:monitor/data_stream/stats", "indices:admin/index_template/get", "..." ] } ], "tenant_permissions" : [ { "tenant_patterns" : [ "global_tenant" ], "allowed_actions" : [ "kibana_all_read" ] } ], "static" : false } }

@BioSehnsucht
Copy link

@FrcMoya Thanks. I now have Elastiflow Unified Connector outputting to OpenSearch with this role.

elastiflow_ingest:
  reserved: true
  index_permissions:
    - index_patterns:
        - 'elastiflow-*'
      allowed_actions:
        - 'indices:*'
  cluster_permissions:
    - 'cluster:admin/component_template/*'
    - 'cluster_manage_index_templates'
    - 'cluster_monitor'
    - 'indices:admin/index_template/*'

@FrcMoya FrcMoya mentioned this issue Feb 20, 2023
Merged
1 task
@Naarcha-AWS Naarcha-AWS added 2 - In progress Issue/PR: The issue or PR is in progress. and removed 1 - Backlog Issue: The issue is unassigned or assigned but not started labels Feb 20, 2023
@ariamarble ariamarble added Closed - Complete Issue: Work is done and associated PRs closed and removed 2 - In progress Issue/PR: The issue or PR is in progress. labels Feb 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ariamarble ariamarble

Labels
bug Technical problem with the doc site or broken link Closed - Complete Issue: Work is done and associated PRs closed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Moved index_template permission to cluster section
7 participants
@BioSehnsucht @FrcMoya @DarshitChanpura @ronniepg @Naarcha-AWS @hdhalter @ariamarble