
docker - Only list OpenSearch indices a user has access rights to - Stack Overflow


I have configured a read-only user in OpenSearch 2.16.0 who should only see certain indices and their mappings/aliases, etc. These indices change over time, so I want to be able to request a list of all indices the user can list.

I attempted to do that as follows: with an admin user, create a role and user with only read and indices:admin/get permissions on the index pattern test-read*:

PUT _plugins/_security/api/roles/ROLE_RO
{
  "cluster_permissions": [
  ],
  "index_permissions": [{
    "index_patterns": [
      "test-read*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read",
      "indices:admin/get"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [
    ],
    "allowed_actions": [
    ]
  }]
}

and

PUT _plugins/_security/api/internalusers/USER_RO
{
  "password": "whatever",
  "opendistro_security_roles": ["ROLE_RO"],
  "backend_roles": ["ROLE_RO"],
  "attributes": {
  }
}

I also gathered that in order to not receive a permission error, I need to change OpenSearch's default behavior by adding the following in /usr/share/opensearch/config/opensearch-security/config.yml:

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true

I am running a single-node cluster based on the OpenSearch 2.16.0 docker image, so I built a new image based on that and made the changes using a docker build with sed. When I open a bash shell in a running container and cat the file, I can see that the lines are indeed there.

However, if I then try to list all indices with the user USER_RO, I still receive a permission error:

GET _all

yields

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "no permissions for [indices:admin/get] and User [name=USER_RO, backend_roles=[ROLE_RO], requestedTenant=]"
      }
    ],
    "type": "security_exception",
    "reason": "no permissions for [indices:admin/get] and User [name=USER_RO, backend_roles=[ROLE_RO], requestedTenant=]"
  },
  "status": 403
}

My understanding was that setting do_not_fail_on_forbidden: true should lead to this listing only the indices that match the pattern test-read* since the user has the permission indices:admin/get for them.

Executing GET test-read* or GET test-read*/_search both works fine and as intended.

Is there something I misunderstood or missed configuring? Is there maybe an API call to verify that the setting do_not_fail_on_forbidden: true is actually really in effect? Are there alternative approaches to achieve what I desire (except additionally granting indices:admin/get permissions for the index pattern *, which does work but then GET _all lists all indices, not just the ones which I want...).


asked Feb 17 at 9:56 by buddemat

1 Answer

In order to check whether do_not_fail_on_forbidden: true has indeed been set correctly and the setting is applied, you can execute

GET _search

which, in case there are indices the user has no reading permission on, should result in an error if do_not_fail_on_forbidden is false, and no error if it is true.

So I could verify that this setting was indeed true.

However, apparently there is a bug in OpenSearch which currently prevents this from working as expected.

So, once this becomes fixed, the solution would be to set do_not_fail_on_forbidden: true and then execute

GET _all

This will then display only the information for the indices one has access rights to without triggering an error.
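As an added example (not part of the question or the answer above), the following Python helpers cover both points raised here: confirming that do_not_fail_on_forbidden is set in the security config, and computing which indices a user holding ROLE_RO should see from a listing call, so that an actual GET _all response can be compared against the expected set and roles that grant indices:admin/get on the catch-all pattern * can be flagged. The embedded JSON documents are constructed samples of what GET _plugins/_security/api/securityconfig and GET _plugins/_security/api/roles return to an admin (assumed endpoints and a trimmed shape); OpenSearch wildcard patterns are approximated with fnmatch.

```python
import fnmatch
import json

# Constructed sample of the securityconfig response (assumed endpoint, trimmed to the
# keys relevant here); a real check would fetch this as the admin user.
SECURITY_CONFIG = json.loads("""
{"config": {"dynamic": {"do_not_fail_on_forbidden": true,
                        "do_not_fail_on_forbidden_empty": true}}}
""")

# Constructed sample of the roles response: ROLE_RO as defined in the question plus a
# deliberately broad role, to show what the "*" workaround looks like in an audit.
ROLES = json.loads("""
{"ROLE_RO":  {"index_permissions": [{"index_patterns": ["test-read*"],
                                      "allowed_actions": ["read", "indices:admin/get"]}]},
 "ROLE_ALL": {"index_permissions": [{"index_patterns": ["*"],
                                      "allowed_actions": ["indices:admin/get"]}]}}
""")

def forbidden_flags(config):
    """Return (do_not_fail_on_forbidden, do_not_fail_on_forbidden_empty); False when absent."""
    dyn = config.get("config", {}).get("dynamic", {})
    return (bool(dyn.get("do_not_fail_on_forbidden", False)),
            bool(dyn.get("do_not_fail_on_forbidden_empty", False)))

def visible_indices(roles, role_names, all_indices, action="indices:admin/get"):
    """Indices a user with role_names should see for `action` once forbidden indices
    are filtered out: every index matching a pattern of a role granting that action."""
    visible = set()
    for name in role_names:
        for perm in roles.get(name, {}).get("index_permissions", []):
            if action in perm.get("allowed_actions", []):
                for pattern in perm.get("index_patterns", []):
                    visible.update(fnmatch.filter(all_indices, pattern))
    return sorted(visible)

def overbroad_roles(roles, action="indices:admin/get"):
    """Roles granting `action` on '*', which exposes every index name to their users."""
    return sorted(name for name, role in roles.items()
                  for perm in role.get("index_permissions", [])
                  if "*" in perm.get("index_patterns", [])
                  and action in perm.get("allowed_actions", []))

def check_listing(roles, role_names, all_indices, listed):
    """Compare what a listing call (e.g. GET _all) returned with the expected set.
    Returns (unexpected, missing): names leaked beyond the role, and names withheld."""
    expected = set(visible_indices(roles, role_names, all_indices))
    listed = set(listed)
    return sorted(listed - expected), sorted(expected - listed)
```

The keys of a successful GET _all response (the index names) are what you would pass as `listed`; a non-empty `unexpected` list means the role leaks index names it should not.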
