[BUG] OpenSearch Role with Unlimited Index Permissions Fails to View Indexes #17650
Comments
@rootxrishabh Can you share the full role definition corresponding to this:
Hi @cwperks, I was using the "test*" index pattern which resulted in this error. However, "*" worked.
Got it. Can you check in the browser dev tools network tab to see if it's any particular API call that gives the error? Looks like this should be transferred to ISM repo.
Looks same as opensearch-project/index-management#959
One workaround could be to set I think the reason it's failing is because
Not sure what is meant by "indices visible to the logged in user only". I understand indices are global, correct?
There is a notion of "hidden" indices where they can intentionally be hidden from the output of IMO the fix for this is in the ISM dashboards plugin to limit the
@nibix I'd be curious to have your thoughts on this as well. I know that DNFOF disabled is default in the security plugin, I'm wondering if we can switch the default to I think the current behavior is confusing where Relevant section of code: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java#L541
@cwperks I have written a reply to your question at opensearch-project/security#5195 (comment)
Describe the bug
When creating a role in OpenSearch with unlimited index permissions and cluster_all permission for the cluster, then creating a user for a separate tenant (e.g., "testing") and assigning this user to the specified role while restricting the index pattern (e.g., test* instead of *), logging in as this user and attempting to view indexes starting with "test" in the UI results in the following error:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=corporate user, backend_roles=[], requestedTenant=testing]
The issue occurs despite the role having unrestricted index permissions. This suggests that OpenSearch security roles may not be correctly handling index pattern restrictions in conjunction with cluster-level permissions.
FYI: I am able to access indexes with the same role when I specify the * index pattern instead of test*.
NOTE: Explicitly giving the indices:monitor/settings/get permission also results in the same.
Would appreciate any insights on resolving this.
Related component
Indexing
To Reproduce
Steps to reproduce the behavior:
Create a role in OpenSearch with:
Index permissions: unlimited
Cluster permissions: cluster_all
Create a user and assign it to a separate tenant (e.g., "testing").
Assign the previously created role to this user and specify an index pattern other than *, for example, test*.
Log in to OpenSearch as the created user, and choose the tenant you attached it to earlier.
Try to view indexes that start with "test" in the OpenSearch UI.
Observe the error:
[security_exception] no permissions for [indices:monitor/settings/get] and User [name=corporate user, backend_roles=[], requestedTenant=testing]
Expected behavior
Should see all indexes starting with test* when logged in as this user.
Additional Details
Screenshots
Host/Environment (please complete the following information):
Additional context
Using opensearch operator deployment on GKE.