[DOC] Better documentation around Cluster and Index permissions, wrt adding indices perms as Cluster perms #2359
Comments
FYI @cwillum

Thanks for opening this issue. For the moment, I'm going to keep this in the security repository but we might move/create follow up issues in our documentation repository.

@peternied could you file a transfer request for this to the documentation repository? Thank you.
Could someone introduce a summary answering

So far what I see is that defining a role mapped to a user:

```json
"test-role": {
  "reserved": false,
  "hidden": false,
  "description": "Test role",
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": [
        "test-*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "crud",
        "create_index",
        "search",
        "indices:data/write/bulk*",
        "indices:data/write/bulk",
        "indices_monitor"
      ]
    }
  ],
  "tenant_permissions": [],
  "static": false
}
```

Attempting to index a document into an index

But if we add

```json
"test-role": {
  "reserved": false,
  "hidden": false,
  "description": "Test role",
  "cluster_permissions": [
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "test-*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "crud",
        "create_index",
        "search",
        "indices:data/write/bulk*",
        "indices:data/write/bulk",
        "indices_monitor"
      ]
    }
  ],
  "tenant_permissions": [],
  "static": false
}
```

It works! BUT we can also index documents into indexes that have another prefix! Which is missing the point of the

```json
"test-role": {
  "reserved": false,
  "hidden": false,
  "description": "Test role",
  "cluster_permissions": [
    "indices:data/write/bulk"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "someotherprefix-*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "crud",
        "create_index",
        "search",
        "indices:data/write/bulk*",
        "indices:data/write/bulk",
        "indices_monitor"
      ]
    }
  ],
  "tenant_permissions": [],
  "static": false
}
```

And attempting to index a new document into

What am I doing wrong? My expectation is to be able to define a role with write permissions to a specific set of indexes, without allowing documents to be indexed into other indexes.
Just curious if anyone ever figured this out. This post was opened almost one year ago and I am still facing issues trying to make a minimal set of permissions. I cannot find any docs that explain why
In my config, I need to add `PUT /_opendistro/_security/api/roles/test_search_index` with the following body:

```json
{
  "test_search_index": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "indices:data/write/bulk"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "test*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "indices:data/read/explain",
          "indices:data/read/field_caps",
          "indices:data/read/field_caps*",
          "indices:data/read/get",
          "indices:data/read/mget",
          "indices:data/read/mget*",
          "indices:data/read/msearch",
          "indices:data/read/msearch/template",
          "indices:data/read/mtv",
          "indices:data/read/mtv*",
          "indices:data/read/scroll",
          "indices:data/read/scroll/clear",
          "indices:data/read/search",
          "indices:data/read/search*",
          "indices:data/read/search/template",
          "indices:data/read/tv",
          "indices:data/write/bulk",
          "indices:data/write/bulk*",
          "indices:data/write/delete",
          "indices:data/write/delete/byquery",
          "indices:data/write/index",
          "indices:data/write/reindex",
          "indices:data/write/update",
          "indices:data/write/update/byquery",
          "indices:admin/create",
          "indices:admin/mapping/put"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
```
Is there any update on the issue?

@hdhalter I can take this one
…earch-project#2359 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding a get started with security page #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* fixing vale errors #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* fixing vale errors #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding role configurations for users without kibanauser mapping #2359 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* updating the page layout for getting started with security #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Apply suggestions from code review Co-authored-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding additional details to getting started with security Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding additional details to getting started with security Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Update security.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Update security.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding link for existing docs for demo config Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Doc review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
* Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
* adding a get started with security page #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* fixing vale errors #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* fixing vale errors #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding role configurations for users without kibanauser mapping #2359 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* updating the page layout for getting started with security #6668 Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Apply suggestions from code review Co-authored-by: Darshit Chanpura <dchanp@amazon.com> Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com> Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding additional details to getting started with security Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding additional details to getting started with security Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Update security.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Update security.md Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* adding link for existing docs for demo config Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
* Doc review Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
* Apply suggestions from code review Co-authored-by: Nathan Bower <nbower@amazon.com> Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>

---------

Signed-off-by: AntonEliatra <anton.rubin@eliatra.com>
Signed-off-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Darshit Chanpura <dchanp@amazon.com>
Co-authored-by: Stephen Crawford <65832608+scrawfor99@users.noreply.github.com>
Co-authored-by: Naarcha-AWS <97990722+Naarcha-AWS@users.noreply.github.com>
Co-authored-by: Nathan Bower <nbower@amazon.com>
(cherry picked from commit f912f9d)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Is your feature request related to a problem?

I believe this is mostly a documentation issue.

The underlying issue I was having was attempting to create a minimal set of permissions for my application to work, and encountered a problem similar to the one outlined here.

I believe the underlying issue is that it is confusing that there are separate Cluster permissions and Index permissions, but applying the action group `cluster_all` to Cluster permissions does not actually grant all for the permissions that may be necessary, and that permissions prefixed with `indices:` or the action group `cluster_composite_ops` (which one might assume was also part of `cluster_all`!) may also need to be added.

The example https://opensearch.org/docs/latest/security-plugin/access-control/users-roles/#set-up-a-bulk-access-role-in-opensearch-dashboards includes `cluster_composite_ops` as a Cluster permission, but there's no description as to why.

The definition of `cluster_all` states "Grants all cluster permissions.", which would lead a reader to believe there are no other permissions that can be added on top of this as Cluster permissions. The `cluster_composite_ops` description makes no mention that it actually applies `indices:` permissions, and that it would be necessary to add it to Cluster perms. Additionally, the opensearch javascript client uses bulk operations for the `index` method, even though that's not obviously a bulk operation from the name. This is compounded by the error messaging stating, for example, `Reason: no permissions for [indices:data/write/bulk]`, which is confusing when a user has explicitly granted this permission as an Index permission but not a Cluster permission.

What solution would you like?

`indices:` permissions need to be added to Cluster permissions (I now know that I need to do this, but I still do not understand why).

What alternatives have you considered?

n/a

Do you have any additional context?

n/a
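As an added example that is not part of the issue, the security plugin, or the OpenSearch documentation, the following Python models the two checks this thread circles around, for both the first commenter's two-role experiment and the issue body's point about `cluster_all`: a cluster-level check of the composite `indices:data/write/bulk` action against `cluster_permissions`, followed by a per-index check of each bulk item against `index_permissions`. The contents of the action groups, the set of composite actions and the evaluation order are simplified assumptions modelled on the documented behaviour, not the plugin's code; the roles are the first commenter's definitions rebuilt by a helper (`make_role`, constructed here). The model reproduces the quoted `no permissions for [indices:data/write/bulk]` wording for a role that grants bulk only as an index permission, shows that `cluster_all` (`cluster:*`) does not match an `indices:` action, and includes a small lint that flags raw `indices:` actions placed under `cluster_permissions` so that the write scope can be verified against a real cluster.

```python
"""Toy model of the two-stage check behind "no permissions for [indices:data/write/bulk]".

Constructed for this discussion; it is NOT the OpenSearch Security plugin's evaluator.
Assumption: composite actions (bulk, mget, msearch) are checked against
cluster_permissions first, then every item is checked against index_permissions
whose index_patterns match the target index.
"""
import fnmatch

BULK_ACTION = "indices:data/write/bulk"
ITEM_ACTION = "indices:data/write/index"  # what one bulk item resolves to in this model

# Simplified, constructed contents of the built-in action groups named on the page
# (assumption: the real groups contain more members than listed here).
ACTION_GROUPS = {
    "cluster_all": ["cluster:*"],
    "cluster_composite_ops": ["indices:data/write/bulk*", "indices:data/read/mget*",
                              "indices:data/read/msearch*"],
    "crud": ["indices:data/read/*", "indices:data/write/*"],
}


def expand(entries):
    """Replace action-group names by their member patterns; unknown names pass through."""
    patterns = []
    for entry in entries:
        patterns.extend(ACTION_GROUPS.get(entry, [entry]))
    return patterns


def matches(patterns, name):
    """Glob match, e.g. 'indices:data/write/bulk*' matches 'indices:data/write/bulk'."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def cluster_allows(role, action):
    return matches(expand(role.get("cluster_permissions", [])), action)


def index_allows(role, index, action):
    for perm in role.get("index_permissions", []):
        if matches(perm.get("index_patterns", []), index) and matches(
                expand(perm.get("allowed_actions", [])), action):
            return True
    return False


def evaluate_bulk(role, targets):
    """Return (denial_reason_or_None, {index: allowed}) for a bulk write to targets."""
    if not cluster_allows(role, BULK_ACTION):
        return f"no permissions for [{BULK_ACTION}]", {}
    return None, {ix: index_allows(role, ix, ITEM_ACTION) for ix in targets}


def lint_role(role):
    """Least-privilege review of a role definition; returns a list of findings."""
    findings = []
    for entry in role.get("cluster_permissions", []):
        if entry.startswith("indices:"):
            findings.append(f"cluster_permissions contains index-scoped action {entry!r}; "
                            "the documented form is the cluster_composite_ops group, and the "
                            "write scope must come from index_permissions: verify on the cluster")
    for perm in role.get("index_permissions", []):
        if "*" in perm.get("index_patterns", []):
            findings.append("index_permissions uses pattern '*', which covers every index")
    return findings


def make_role(cluster_permissions, index_pattern):
    """The first commenter's role shape (constructed helper, missing commas fixed)."""
    return {
        "reserved": False, "hidden": False, "description": "Test role",
        "cluster_permissions": cluster_permissions,
        "index_permissions": [{
            "index_patterns": [index_pattern], "dls": "", "fls": [], "masked_fields": [],
            "allowed_actions": ["crud", "create_index", "search", "indices:data/write/bulk*",
                                "indices:data/write/bulk", "indices_monitor"]}],
        "tenant_permissions": [], "static": False}


ROLE_INDEX_ONLY = make_role([], "test-*")                           # bulk only as index perm
ROLE_CLUSTER_ALL = make_role(["cluster_all"], "test-*")             # issue body's expectation
ROLE_WITH_CLUSTER = make_role(["indices:data/write/bulk"], "test-*")  # commenter's second role
ROLE_COMPOSITE = make_role(["cluster_composite_ops"], "test-*")     # the documented form

if __name__ == "__main__":
    for name, role in [("index permission only", ROLE_INDEX_ONLY),
                       ("cluster_all", ROLE_CLUSTER_ALL),
                       ("indices:data/write/bulk as cluster perm", ROLE_WITH_CLUSTER),
                       ("cluster_composite_ops", ROLE_COMPOSITE)]:
        print(f"{name}: {evaluate_bulk(role, ['test-1', 'other-1'])} lint={lint_role(role)}")
```

Under this model the cluster-level check is what produces the confusing error, because it runs before any `index_patterns` are consulted; once it passes, the per-item check is the only thing scoping writes to `test-*`, which is why the lint asks for that scope to be verified rather than assumed.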