jaegertracing / jaeger

CNCF Jaeger, a Distributed Tracing Platform
https://www.jaegertracing.io/
Apache License 2.0

Document the required permissions for Opensearch #3727

Open ThelonKarrde opened 2 years ago

ThelonKarrde commented 2 years ago

Requirement - what kind of business use case are you trying to solve?

Technically this is a copy of the request https://github.com/jaegertracing/jaeger/issues/1691 but for OpenSearch as a backend.

Since the permission model of OpenSearch is a little different from that of Elasticsearch, it's hard to use the templates from the issue above, even though they are helpful.

Problem - what in Jaeger blocks you from solving the requirement?

At the moment I'm getting this error:

Error: failed to query indices: request failed, status code: 403, body: {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/get] and User [name=elastic-jaeger, backend_roles=[jaeger_writer], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/get] and User [name=elastic-jaeger, backend_roles=[jaeger_writer], requestedTenant=null]"},"status":403}

Even though I do have that permission in the role attached to the user:

{
  "cluster_permissions": [
    "monitor",
    "manage_index_templates",
    "cluster:monitor/main",
    "indices:admin/template/put",
    "indices:data/write/bulk",
    "indices:data/read/msearch",
    "indices:admin/get"
  ],
  "index_permissions": [
    {
      "index_patterns": ["*jaeger*"],
      "allowed_actions": [
        "indices:admin/create",
        "indices:admin/data_stream/create",
        "indices:data/write/*",
        "indices:monitor/*",
        "indices:admin/delete",
        "indices:data/read/*",
        "indices:admin/template/*",
        "indices:admin/index_template/",
        "incices:admin/get",
        "incices:admin/get*"
      ]
    }
  ]
}

Proposal - what do you suggest to solve the problem or improve the existing situation?

It would be nice to have documentation for OpenSearch listing which sets of permissions it requires, based on the OpenSearch model: https://opensearch.org/docs/latest/security-plugin/access-control/permissions/

Any open questions to address

ThelonKarrde commented 2 years ago

I managed to find a version that seems to be working for me, but anyway it would be nice to have it documented somehow:

{
  "description": "Jaeger permissions",
  "cluster_permissions": [
    "cluster:monitor/main",
    "indices:data/write/bulk",
    "indices:data/read/msearch",
    "indices:admin/template/put"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*jaeger-*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "*"
      ]
    },
    {
      "index_patterns": [
        "*"
      ],
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "indices:admin/aliases/get",
        "indices_monitor"
      ]
    }
  ]
}
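
An added example, not part of the original comments or of Jaeger's code: a small Python audit of a security-plugin role definition that flags action names outside the `cluster:`/`indices:` namespaces seen in this thread (the first role spells two entries `incices:`) and bare `*` grants like those in the second role. The function name, the namespace list and the trimmed sample roles are assumptions made for this illustration.

```python
import difflib

# Assumption: only the two namespaces that appear in this thread; extend for your cluster.
KNOWN_NAMESPACES = ("cluster", "indices")

def audit_role(role):
    """Return (severity, location, message) findings for a role definition dict."""
    findings = []

    def check_actions(actions, where):
        for action in actions:
            if action == "*":
                findings.append(("warn", where, "allows every action"))
            elif ":" in action:
                # Names without ':' are treated as action-group references and not checked here.
                ns = action.split(":", 1)[0]
                if ns not in KNOWN_NAMESPACES:
                    guess = difflib.get_close_matches(ns, KNOWN_NAMESPACES, n=1)
                    hint = f", did you mean '{guess[0]}:'?" if guess else ""
                    findings.append(("error", where, f"unknown namespace in '{action}'{hint}"))

    check_actions(role.get("cluster_permissions", []), "cluster_permissions")
    for i, entry in enumerate(role.get("index_permissions", [])):
        where = f"index_permissions[{i}]"
        check_actions(entry.get("allowed_actions", []), where)
        if "*" in entry.get("index_patterns", []):
            findings.append(("warn", where, "index pattern '*' matches every index"))
    return findings

# Sample input: the two roles posted in this thread, trimmed to a few entries each.
FIRST_ROLE = {
    "cluster_permissions": ["cluster:monitor/main", "indices:admin/get"],
    "index_permissions": [{
        "index_patterns": ["*jaeger*"],
        "allowed_actions": ["indices:admin/create", "incices:admin/get", "incices:admin/get*"],
    }],
}
SECOND_ROLE = {
    "cluster_permissions": ["cluster:monitor/main", "indices:data/write/bulk"],
    "index_permissions": [
        {"index_patterns": ["*jaeger-*"], "allowed_actions": ["*"]},
        {"index_patterns": ["*"], "allowed_actions": ["indices:admin/aliases/get", "indices_monitor"]},
    ],
}

if __name__ == "__main__":
    for name, role in (("first", FIRST_ROLE), ("second", SECOND_ROLE)):
        for severity, where, message in audit_role(role):
            print(f"{name} role: {severity}: {where}: {message}")
```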