opensearch-project / index-management

🗃 Automate periodic data operations, such as deleting indices at a certain age or performing a rollover at a certain size
https://opensearch.org/docs/latest/im-plugin/index/
Apache License 2.0

[BUG] Dashboards tries to access `.opendistro_security` on data stream page #1120

Open vchirikov opened 7 months ago

vchirikov commented 7 months ago

Describe the bug

The dashboards fetch `/_data_stream/**/_stats?human=true`, which tries to access the security-protected index `.opendistro_security`. As you can see from the opensearch-node log, I have already given max permissions to admin (all_access/full_access roles with indices:monitor/data_stream/stats), but it's not enough.

```
{"type":"response","@timestamp":"2024-02-27T14:57:24Z","tags":[],"pid":1,"method":"post","statusCode":200,"req":{"url":"/api/ism/apiCaller","method":"post","headers":{"host":"xxxx","content-length":"81","sec-ch-ua":"\"Not.A/Brand\";v=\"8\", \"Chromium\";v=\"114\", \"Google Chrome\";v=\"114\"","dnt":"1","sec-ch-ua-mobile":"?0","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","osd-version":"2.12.0","content-type":"application/json","osd-xsrf":"osd-fetch","sec-ch-ua-platform":"\"Windows\"","accept":"*/*","origin":"https://xxxx","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://xxxx/logs/app/opensearch_index_management_dashboards","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,ru;q=0.8","x-forwarded-proto":"http","x-real-ip":"xxxx","traceparent":"00-9d2c96465d0e4df9845a46edb479e439-d7a52d99fae94c2f-03","x-forwarded-for":"xxxx"},"remoteAddress":"xxxx","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36","referer":"https://xxxx/logs/app/opensearch_index_management_dashboards"},"res":{"statusCode":200,"responseTime":39,"contentLength":9},"message":"POST /api/ism/apiCaller 200 39ms - 9.0B"}
Index Management - CommonService - apiCaller StatusCodeError: [security_exception] no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]
    at respond (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:529:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 403,
  displayName: 'AuthorizationException',
  path: '/_data_stream/**/_stats?human=true',
  query: undefined,
  body: {
    error: {
      root_cause: [Array],
      type: 'security_exception',
      reason: 'no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]'
    },
    status: 403
```

OpenSearch Version 2.12.0

Dashboards Version 2.12.0

Plugins

All bundled plugins

Screenshots


OpenSearch node logs:

```
[2024-02-27T15:02:25,865][INFO ][o.o.s.p.SecurityIndexAccessEvaluator] [opensearch-node-1] indices:admin/data_stream/get not permitted for a regular user roles=[
  all_access
    ipatterns=[
        indexPattern=*
          dlsQuery=null
          fls=[]
          perms=[*]]
    clusterPerms=*, 
  own_index
    ipatterns=[
        indexPattern=${user_name}
          dlsQuery=null
          fls=[]
          perms=[indices:*]]
    clusterPerms=[indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, indices:data/read/msearch, indices:data/read/scroll, indices:admin/resolve/index, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mget, indices:data/read/mtv], 
  full_access
    ipatterns=[
        indexPattern=*
          dlsQuery=
          fls=[]
          perms=[system:admin/system_index, indices:admin/data_stream/*, indices:admin/data_stream/get, indices:admin/resolve/index, indices:admin/mapping/put, indices:*, indices:data/*, *, indices:monitor/data_stream/stats, indices:data/write*, indices:admin/mappings/fields/get*, indices:data/read*], 
        indexPattern=.opendistro_security
          dlsQuery=
          fls=[]
          perms=[system:admin/system_index, indices:admin/data_stream/*, indices:admin/data_stream/get, indices:admin/resolve/index, indices:admin/mapping/put, indices:*, indices:data/*, *, indices:monitor/data_stream/stats, indices:data/write*, indices:admin/mappings/fields/get*, indices:data/read*]]
    clusterPerms=[indices:data/read/msearch, cluster:admin/component_template/*, indices:admin/resolve/index, *, indices:admin/index_template/*, indices:data/read/mget, cluster:admin/snapshot/*, indices:data/write/reindex, indices:admin/aliases/exists*, indices:admin/aliases*, cluster:*, indices:data/read/scroll, cluster:admin/ingest/pipeline/*, indices:admin/template/*, indices:data/write/bulk, indices:admin/aliases/get*, indices:data/read/mtv, cluster:monitor/*, cluster:admin/repository/*]] on protected system indices .opendistro_security
```
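The node log above shows the mechanism behind the 403: the `**` in `/_data_stream/**/_stats` is expanded against every index name before the security plugin evaluates the request, so the expansion touches `.opendistro_security`, and the security plugin refuses access to a protected system index regardless of how broad the user's role permissions are. The script below is an added example (not code from the index-management plugin, the security plugin, or the reporter) that parses a `SecurityIndexAccessEvaluator` denial line in the format shown above and then shows how the same wildcard resolves against a set of index names, and how an explicit list of data stream names avoids naming the system index. The data stream and backing index names other than `.opendistro_security` are constructed for the example; the condensed log line is a one-line copy of the node log from the issue.

```python
"""Diagnose the protected-system-index 403 behind a /_data_stream/**/_stats call.

Added example, not project code. Names other than .opendistro_security are
constructed; the log line is condensed from the node log in the issue.
"""
import re
from fnmatch import fnmatchcase
from urllib.parse import quote

# Condensed copy of the SecurityIndexAccessEvaluator line from the issue.
NODE_LOG_LINE = (
    "[2024-02-27T15:02:25,865][INFO ][o.o.s.p.SecurityIndexAccessEvaluator] "
    "[opensearch-node-1] indices:admin/data_stream/get not permitted for a "
    "regular user roles=[all_access, full_access] "
    "on protected system indices .opendistro_security"
)

# Constructed inventory: the security index plus two data streams with their
# backing indices (.ds-<stream>-<generation> is the backing-index naming scheme).
PROTECTED = {".opendistro_security"}
ALL_INDICES = [
    ".opendistro_security",
    ".ds-logs-app-000001",
    ".ds-logs-app-000002",
    ".ds-metrics-host-000001",
]
DATA_STREAMS = ["logs-app", "metrics-host"]

# Matches the denial format shown in the issue; DOTALL lets the role dump
# span several lines as it does in the real log.
DENIAL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\] "
    r"\[(?P<node>[^\]]+)\] (?P<action>\S+) not permitted for a regular user .*?"
    r"on protected system indices (?P<indices>\S+)\s*$",
    re.DOTALL,
)


def parse_system_index_denial(line: str):
    """Return timestamp, node, action and protected indices from a denial, else None."""
    m = DENIAL_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m.group("ts"),
        "node": m.group("node"),
        "action": m.group("action"),
        "protected_indices": m.group("indices").split(","),
    }


def wildcard_hits_protected(pattern: str, all_indices, protected):
    """Protected system indices a wildcard target would resolve to.

    '*' and '**' are both treated as plain wildcards here; fnmatchcase, like
    OpenSearch index-name resolution, lets '*' match a leading dot.
    """
    return sorted(n for n in all_indices if n in protected and fnmatchcase(n, pattern))


def narrowed_stats_path(pattern: str, data_streams, protected, human: bool = True):
    """Build a _stats path that names only the matching data streams.

    The explicit list (as returned by GET /_data_stream) replaces the wildcard,
    so the request never resolves to .opendistro_security. Returns None when
    nothing matches rather than emitting a bare '/_data_stream//_stats'.
    """
    names = [n for n in data_streams if fnmatchcase(n, pattern) and n not in protected]
    if not names:
        return None
    target = ",".join(quote(n, safe="") for n in names)
    return f"/_data_stream/{target}/_stats" + ("?human=true" if human else "")


if __name__ == "__main__":
    print(parse_system_index_denial(NODE_LOG_LINE))
    print("wildcard '**' touches:", wildcard_hits_protected("**", ALL_INDICES, PROTECTED))
    print("narrowed request:", narrowed_stats_path("**", DATA_STREAMS, PROTECTED))
```

Run as-is, the script reports that `**` resolves to `.opendistro_security` while the narrowed path `/_data_stream/logs-app,metrics-host/_stats?human=true` does not, which is the shape of request a client can make against this cluster without the security plugin's system-index check firing. Adding `system:admin/system_index` to a role, as the `full_access` role above does, does not change this outcome: the evaluator in the log denies the regular user because the target is a protected system index, not because a permission is missing.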
abbyhu2000 commented 7 months ago

@opensearch-project/admin transfer to ISM, thanks!

dblock commented 3 months ago

Catch All Triage - 1 2 3 4 5