opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

Kibana index patterns & Custom Roles #142

Closed mkiran18 closed 2 years ago

mkiran18 commented 5 years ago

Hi @aetter ,

Kibana is not displaying any data for a pattern match, but it works fine when the full index name is selected under Management -> Index Patterns.

role:

{
  "index_permissions": [
    {
      "index_patterns": [
        "index1-45673-*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "kibana_all_read"
      ]
    }
  ],
  "tenant_permissions": [],
  "cluster_permissions": []
}

role mapping:

{
  "backend_roles": [],
  "hosts": [],
  "users": [
    "user"
  ]
}

user:

{
  "backend_roles": [
    "user-role",
    "kibanauser"
  ],
  "attributes": {},
  "password": ""
}

Kibana Index Patterns:

Below are the two Kibana index patterns:

  1. index1-45673-item1-2019-09-20: works fine
  2. index1-*-*-*: fails with the error: Discover: no permissions for [indices:data/read/search] and User [name=user, roles=[user_role, kibanauser], requestedTenant=null]

The wildcard pattern is not able to match the index that the role has permission to, but it works fine with the exact index name.

Thanks

aetter commented 5 years ago

Hey @mkiran18, I'm actually not able to reproduce. Can you double-check the role and mapping?

On a more meta note, I'd recommend against tagging me on new issues unless it's specifically something that I've worked on. Other people on the team and in the community might assume that I'm "on it" and not chime in with better, more timely information than I can provide. 😃

My role mapping

{
    "new-role": {
        "reserved": false,
        "hidden": false,
        "backend_roles": [],
        "hosts": [],
        "users": [
            "new-user"
        ],
        "and_backend_roles": []
    }
}

My role

{
    "new-role": {
        "reserved": false,
        "hidden": false,
        "cluster_permissions": [],
        "index_permissions": [
            {
                "index_patterns": [
                    "index1-*-*-*"
                ],
                "dls": "",
                "fls": [],
                "masked_fields": [],
                "allowed_actions": [
                    "read",
                    "kibana_all_read"
                ]
            }
        ],
        "tenant_permissions": [],
        "static": false
    }
}

My user

{
    "new-user": {
        "hash": "",
        "reserved": false,
        "hidden": false,
        "backend_roles": [],
        "attributes": {},
        "static": false
    }
}

The following queries all return results:

GET index1-*-*-*/_search
GET index1-45673-item1-2019-09-20/_search
GET index1-45673-*/_search
GET index1-45673-**/_search

mkiran18 commented 5 years ago

Hi @aetter ,

Apologies for tagging; I see that you are very active in the security space of OD, so I thought of tagging you for a quick check.

To your point, the issue is happening with the Elasticsearch API as well. Make your role:

{
    "new-role": {
        "reserved": false,
        "hidden": false,
        "cluster_permissions": [],
        "index_permissions": [
            {
                "index_patterns": [
                    "index1-45673-*"
                ],
                "dls": "",
                "fls": [],
                "masked_fields": [],
                "allowed_actions": [
                    "read",
                    "kibana_all_read"
                ]
            }
        ],
        "tenant_permissions": [],
        "static": false
    }
}

Create two indices that match the pattern. Ex: index1-45673-app1-2019-09-23 & index1-78965-app2-2019-09-23

And try: GET index1-*/_search

API error:

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "no permissions for [indices:data/read/search] and User [name=user, roles=[user-role, kibanauser], requestedTenant=null]"
            }
        ],
        "type": "security_exception",
        "reason": "no permissions for [indices:data/read/search] and User [name=user, roles=[user-role, kibanauser], requestedTenant=null]"
    },
    "status": 403
}

Error when used as a pattern; it happens with index1-*-*-* as well.

image

With the full index name rather than a pattern: no issues, and data is displayed.

image

The expectation is that Kibana will auto-filter all other indices that the logged-in user does not have permission to.

very similar to: https://discuss.elastic.co/t/kibana-defining-access-to-multi-customers-sharing-same-dashboard/158567

This was used in Elasticsearch + Kibana before; I am trying to replicate the same behaviour on Open Distro as well.

Thanks

aetter commented 5 years ago

Ah, I think I see. So the expected behavior here is that the security plugin filters out any indices that a) match your pattern and b) you don't have access to prior to performing the search? Is the description below an accurate summary of your concern?

Steps to reproduce:

  1. New role, index permissions of index1-45673-*, action group read, save.

  2. New user.

  3. Map new role to new user.

  4. Map kibana_user to new user.

  5. Create two indices:

    PUT index1-45673-app1-2019-09-23/_doc/1
    {"some document": "and its data"}
    PUT index1-78965-app2-2019-09-23/_doc/1
    {"some document": "and its data"}

  6. Log in to Kibana as the new user.

  7. Dev tools

    GET index1-45673-*/_search

    Success.

    GET index1-78965-*/_search

    Expected failure.

    GET index1-*/_search

    Failure. Expected behavior is that the search would still find documents in index1-45673-app1-2019-09-23, which the user has permissions to.

mkiran18 commented 5 years ago

Yup... that's exactly what I am trying to achieve :)

I have followed the same steps that I used for X-Pack + Elasticsearch; I am not sure if there are any different steps for Open Distro, as the security plugin is different in this case.

Thanks in advance.

aetter commented 5 years ago

Roger that. I'm worried that there's some fundamental architectural decision that explains why this feature doesn't work the way we expect, but I'll leave it to the development team to confirm/deny and classify as a bug or as-designed.

Adding @hardik-k-shah and @elfisher for their thoughts.

mkiran18 commented 5 years ago

Thanks. This feature enables having one Kibana/Elastic index pattern for all the users while still having control over what they see based on their roles.

Otherwise we will have many different patterns in the Kibana -> Discover index pattern dropdown, and when users switch they will see the error:

image

Not to mention that maintaining them is a tedious process.

mkiran18 commented 4 years ago

Hi, any update? I just wanted to know if this is as per design or actually an issue.

kryadov commented 4 years ago

The same issue, with No permissions for ... No index-level perm match for User [name= ... in elasticsearch.log. Open Distro 1.2.0.

bittu664 commented 4 years ago

Yes, it's an issue; simply go to the role server and add the index pattern which you want to show, just like this here ... kibana

vrozov commented 4 years ago

It is an expected behavior that when a Kibana index pattern or a query pattern includes one or more indices that a user does not have the necessary permission(s) for, the query fails with a security exception. Note that the security plugin does not do any query re-write and submits the original query pattern to ES for execution. Should that pattern include any index that the user does not have permission(s) for, it would be a security violation. It will be an enhancement request to support query re-write, and I am not even sure that it is possible in all cases, as the intersection of a query pattern and the indices with granted permissions may be a disjoint set not easily expressed by a single index or by another index match pattern.

mkiran18 commented 4 years ago

Hi @vrozov, that's an issue when we create one index pattern in Kibana for shared users on the same tenancy. We ended up creating a lot of index patterns as a workaround to this security limitation and had to educate the users to switch to their specific pattern upon login.

Thanks for looking into it.

vrozov commented 4 years ago

@mkiran18 roger that. This is a current design limitation and, afaik, there are no other workarounds other than defining different index patterns for different roles. Possibly the Kibana plugin can help by limiting user access to their specific index pattern(s).

Instead of query re-write we may try to filter out all documents for indices that a user does not have permission for during query execution, but that may impact performance, so we will have to see which option is the best. In any case, we will likely have to provide a configuration setting that enables the new behavior and keeps the old behavior for users that are not affected by that limitation or prefer the old behavior for any reason.

vrozov commented 4 years ago

There seems to be an option to enable the desired behavior. Please see do_not_fail_on_forbidden in Kibana multi-tenancy.
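A small model of the evaluation described above (expand the request pattern against real index names, then require every resolved index to be covered by a role index_pattern), together with the do_not_fail_on_forbidden relaxation from the last comment, run over the two indices and the index1-45673-* role from the reproduction steps earlier in the thread. This is an added illustration, not the plugin's code: the names resolve_pattern, evaluate and Decision are my own, wildcard matching is plain fnmatch, and the behaviour when no permitted index remains is an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Sequence

# Constructed from the reproduction steps in this thread, not real cluster state.
CLUSTER_INDICES = [
    "index1-45673-app1-2019-09-23",
    "index1-78965-app2-2019-09-23",
]
# The role under discussion: read access only to indices matching index1-45673-*.
ROLE_INDEX_PATTERNS = ["index1-45673-*"]
USER = "User [name=user, roles=[user-role, kibanauser], requestedTenant=null]"
ACTION = "indices:data/read/search"


@dataclass
class Decision:
    status: int            # 200 when the request proceeds, 403 when it is rejected
    resolved: List[str]    # concrete indices the request pattern expanded to
    searched: List[str]    # indices the search actually runs against
    forbidden: List[str]   # resolved indices that no role pattern covers
    reason: str = ""


def resolve_pattern(requested: str, cluster_indices: Sequence[str]) -> List[str]:
    """Expand a request pattern against real index names before any privilege
    check, which is what the 'Resolved [... allIndices=[...]]' log line reports."""
    if any(c in requested for c in "*?"):
        return sorted(i for i in cluster_indices if fnmatchcase(i, requested))
    return [requested] if requested in cluster_indices else []


def covered_by_role(index: str, role_patterns: Sequence[str]) -> bool:
    """An index is permitted when at least one role index_pattern matches it.
    Assumption: plain wildcard matching; regex and date-math patterns are not modelled."""
    return any(fnmatchcase(index, p) for p in role_patterns)


def evaluate(requested: str,
             cluster_indices: Sequence[str] = CLUSTER_INDICES,
             role_patterns: Sequence[str] = ROLE_INDEX_PATTERNS,
             do_not_fail_on_forbidden: bool = False) -> Decision:
    """Decide a search request the way the thread describes.

    Default: the original pattern is passed through unchanged, so a single
    resolved index outside the role's patterns fails the whole request (403).
    do_not_fail_on_forbidden=True: forbidden indices are dropped and the search
    runs on the remainder; if nothing remains the request is still rejected
    (assumption made by this model).
    """
    resolved = resolve_pattern(requested, cluster_indices)
    permitted = [i for i in resolved if covered_by_role(i, role_patterns)]
    forbidden = [i for i in resolved if i not in permitted]

    if resolved and not forbidden:
        return Decision(200, resolved, permitted, [], "")
    if do_not_fail_on_forbidden and permitted:
        return Decision(200, resolved, permitted, forbidden,
                        f"dropped forbidden indices {forbidden} from the request")
    # Same wording as the security_exception quoted in the thread.
    return Decision(403, resolved, [], forbidden,
                    f"no permissions for [{ACTION}] and {USER}")


if __name__ == "__main__":
    for pattern in ("index1-45673-*", "index1-78965-*", "index1-*",
                    "index1-45673-app1-2019-09-23"):
        for dnfof in (False, True):
            d = evaluate(pattern, do_not_fail_on_forbidden=dnfof)
            print(f"{pattern:30} dnfof={dnfof!s:5} -> {d.status} searched={d.searched}")
```

Running it shows why index1-* is rejected outright while index1-45673-* succeeds, and that enabling the option only ever narrows the search to indices the role already covers; it never grants access to the forbidden one.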

micheljung commented 3 years ago

I'm not sure if I'm experiencing the same or a different issue. I have a role like so:

my_role:
  reserved: true
  hidden: false
  cluster_permissions:
    - "cluster_composite_ops_ro"
  index_permissions:
    - index_patterns:
        - "logstash-*"
      allowed_actions:
        - "read"
  tenant_permissions:
    - tenant_patterns:
        - "global_tenant"
      allowed_actions:
        - "kibana_all_read"
  static: false

and plenty of indices like:

logstash-myapp-2021-01.25
logstash-myapp-2021-01.26
logstash-myapp-2021-01.27

In the Global tenant, I create an index pattern like so:

image

I expect that the user sees all of them. However, in the Discovery tab, the user sees nothing:

image

In the logs I get:

[2021-01-25T15:46:03,840][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:03,845][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:03,846][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/get]] [RolesChecked [my_role]]
[2021-01-25T15:46:03,846][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/get]
[2021-01-25T15:46:05,668][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,674][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com] java.lang.UnsupportedOperationException
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com]     at java.base/java.util.Collections$UnmodifiableMap.put(Collections.java:1473)
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:110)
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:95)
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com]     at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115)
[2021-01-25T15:46:05,674][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:116)
[2021-01-25T15:46:05,693][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:05,696][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,246][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,250][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,327][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,333][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,335][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana, .kibana_2], remoteIndices=[]] [Action [indices:data/read/mget[shard]]] [RolesChecked [my_role]]
[2021-01-25T15:46:06,335][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/mget[shard]]
[2021-01-25T15:46:06,440][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,444][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:46:06,445][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No index-level perm match for User [name=MyUser, backend_roles=[****], requestedTenant=] Resolved [aliases=[.kibana], allIndices=[.kibana_2], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [my_role]]
[2021-01-25T15:46:06,445][INFO ][c.a.o.s.p.PrivilegesEvaluator] [odfe.example.com] No permissions for [indices:data/read/search]

When I change the permissions to:

  index_permissions:
    - index_patterns:
        - "*"

it works:

image

and in the logs I get:

[2021-01-25T15:48:39,499][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:39,518][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,433][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,435][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com] java.lang.UnsupportedOperationException
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at java.base/java.util.Collections$UnmodifiableMap.put(Collections.java:1473)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:110)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.dlic.rest.api.PermissionsInfoAction$1.accept(PermissionsInfoAction.java:95)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:115)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at com.amazon.opendistroforelasticsearch.security.filter.OpenDistroSecurityRestFilter$1.handleRequest(OpenDistroSecurityRestFilter.java:116)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1518)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:615)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:578)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
[2021-01-25T15:48:41,436][WARN ][stderr                   ] [odfe.example.com]     at java.base/java.lang.Thread.run(Thread.java:832)
[2021-01-25T15:48:41,459][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,464][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,987][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:41,994][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,060][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,063][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-01-25T15:48:42,159][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe.example.com] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
DanielHabenicht commented 3 years ago

@vrozov is right.

In order to ignore indices the user has no permission to, you can set `do_not_fail_on_forbidden: true` in your `plugins/opendistro_security/securityconfig/config.yml`.
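
To make the behaviour behind that setting concrete, here is a simplified model of how a wildcard request is authorized against a role's index patterns. This is an added illustration, not code from the security plugin or from anyone in this thread: `CLUSTER_INDICES` is a constructed cluster state, `ACTION_GROUPS` is a reduced action-group table, and `resolve`, `role_permits` and `authorize` are hypothetical helpers. The role is the one from the issue (`read` on `index1-45673-*`). The model shows why a Kibana index pattern broader than the role pattern fails under the default configuration and is merely filtered once `do_not_fail_on_forbidden` is enabled.

```python
"""Simplified model of how the Open Distro security plugin authorizes a
wildcard index request.  Added illustration only: this is not the plugin's
code and it ignores aliases, date math, DLS/FLS, tenants and cluster actions."""
import fnmatch
from dataclasses import dataclass

# Constructed cluster state for the example (not taken from the issue).
CLUSTER_INDICES = [
    "index1-45673-item1-2019-09-20",
    "index1-45673-item2-2019-09-21",
    "index1-99999-item1-2019-09-20",  # another customer's data, not granted
    ".kibana_1",
]

# Reduced action-group table (assumption: the real "read" group covers more).
ACTION_GROUPS = {
    "read": ["indices:data/read*", "indices:admin/mappings/fields/get*"],
    "kibana_all_read": ["read"],
}


@dataclass(frozen=True)
class Role:
    index_patterns: tuple
    allowed_actions: tuple


# The role from the issue: read on index1-45673-* only.
USER_ROLE = Role(index_patterns=("index1-45673-*",),
                 allowed_actions=("read", "kibana_all_read"))


def expand_actions(names):
    """Flatten action groups (recursively) into concrete action patterns."""
    out = set()
    for name in names:
        if name in ACTION_GROUPS:
            out |= expand_actions(ACTION_GROUPS[name])
        else:
            out.add(name)
    return out


def resolve(request_pattern, cluster_indices=CLUSTER_INDICES):
    """Expand the index pattern of a request (e.g. a Kibana index pattern)
    to the concrete indices that currently exist in the cluster."""
    return [i for i in cluster_indices if fnmatch.fnmatchcase(i, request_pattern)]


def role_permits(role, index, action):
    """True if the role grants `action` on `index`."""
    if not any(fnmatch.fnmatchcase(index, p) for p in role.index_patterns):
        return False
    return any(fnmatch.fnmatchcase(action, a)
               for a in expand_actions(role.allowed_actions))


def authorize(request_pattern, roles, action="indices:data/read/search",
              do_not_fail_on_forbidden=False, cluster_indices=CLUSTER_INDICES):
    """Return the indices the request may touch.

    Default behaviour: if *any* resolved index is not granted, the whole
    request is rejected (the "no permissions for [...]" error in the issue).
    With do_not_fail_on_forbidden (config.yml, under config.dynamic) the
    forbidden indices are silently dropped and the request proceeds on the
    remainder, which may be empty.  No extra access is ever granted."""
    requested = resolve(request_pattern, cluster_indices)
    granted = [i for i in requested
               if any(role_permits(r, i, action) for r in roles)]
    forbidden = [i for i in requested if i not in granted]
    if forbidden and not do_not_fail_on_forbidden:
        raise PermissionError(f"no permissions for [{action}] on {forbidden}")
    return granted


if __name__ == "__main__":
    # Exact index name: works, as reported in the issue.
    print(authorize("index1-45673-item1-2019-09-20", [USER_ROLE]))
    # Broad Kibana pattern: rejected outright under the default config ...
    try:
        authorize("index1-*-*-*", [USER_ROLE])
    except PermissionError as err:
        print("default:", err)
    # ... but reduced to the permitted indices once the setting is enabled.
    print(authorize("index1-*-*-*", [USER_ROLE], do_not_fail_on_forbidden=True))
    # Alternative without the setting: keep the Kibana pattern no broader
    # than the role's index pattern.
    print(authorize("index1-45673-*", [USER_ROLE]))
```

Two practical notes. First, `do_not_fail_on_forbidden` only removes indices from a request; it never widens access, so enabling it is safe from an authorization standpoint, but users then see partial results with no error, which can hide misconfigured roles. Second, if you would rather keep the strict default, the same effect for this user comes from defining the Kibana index pattern as `index1-45673-*` so that it never expands beyond what the role grants.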

davidlago commented 2 years ago

Closing as do_not_fail_on_forbidden addresses this issue's use case.