Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
What is your host/environment?
OS: Linux, MacOS
Version:
Plugins: Security Plugin
What is the bug?
After enabling the system index-related settings
Documents in normal indexes, which are not system indexes, cannot be queried. The reason is that when the plugins.security.system_indices.permission.enabled condition is enabled, the SecurityIndexSearcherWrapper checks for the system:admin/system_index permission for all indexes, regardless of whether they are system indexes or not.
To resolve this issue now, it is necessary to grant the system:admin/system_index permission to regular users as well. This can be done as follows:
However, this does not seem to be a good solution.
How can one reproduce the bug?
1. Starting OpenSearch with system index settings enabled.
2. Create index & document with normal user account
user:user
=> Document was created well.
3. Searching documents with a user account that does not have system index permissions.
user:user
=> Documents cannot be searched.
What is the expected behavior?
System index permission checks should be limited to system indexes only. Indexes that are not system indexes should be queryable without permission checks.
Do you have any screenshots?
Do you have any additional context? Add any other context about the problem.
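
A simplified model of the check this issue describes, added here as an illustration and not taken from the Security plugin's code: it contrasts the reported behaviour with the expected one while plugins.security.system_indices.permission.enabled is on, and lists the cases where they disagree. The index names, the system index pattern and all function names are constructed assumptions; ordinary index-level read permissions are assumed to be granted already.

```python
from fnmatch import fnmatchcase

# Permission name as quoted in the issue.
SYSTEM_INDEX_PERMISSION = "system:admin/system_index"

# Constructed sample pattern (assumption): which index names count as system indexes.
SYSTEM_INDEX_PATTERNS = [".example-system-*"]


def is_system_index(index, patterns=SYSTEM_INDEX_PATTERNS):
    """True when the index name matches a configured system index pattern."""
    return any(fnmatchcase(index, p) for p in patterns)


def search_allowed_reported(index, user_perms):
    """Behaviour reported in the issue: the system index permission is
    required for every index, whatever its name."""
    return SYSTEM_INDEX_PERMISSION in user_perms


def search_allowed_expected(index, user_perms):
    """Expected behaviour: the permission is only required when the
    target really is a system index."""
    if is_system_index(index):
        return SYSTEM_INDEX_PERMISSION in user_perms
    return True


def divergent_cases():
    """Return (index, has_system_permission) pairs where the two models disagree."""
    cases = [
        ("logs-2024", set()),                              # normal index, normal user
        ("logs-2024", {SYSTEM_INDEX_PERMISSION}),          # normal index, workaround applied
        (".example-system-1", set()),                      # system index, normal user
        (".example-system-1", {SYSTEM_INDEX_PERMISSION}),  # system index, permitted user
    ]
    return [
        (index, SYSTEM_INDEX_PERMISSION in perms)
        for index, perms in cases
        if search_allowed_reported(index, perms) != search_allowed_expected(index, perms)
    ]


if __name__ == "__main__":
    # The only disagreement is the case from the reproduction steps:
    # a normal index searched by a user without the system index permission.
    print(divergent_cases())
```

The fourth case shows the cost of the workaround: once a regular user holds system:admin/system_index, this gate no longer separates that user from system indexes.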