search

opensearch-project / security

πŸ” Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0
180 stars 264 forks source link

[BUG] Even though it is not a system index, document cannot be searched due to a bug #4429

Closed 10000-ki closed 2 weeks ago

10000-ki commented 3 weeks ago

What is the bug?

plugins.security.system_indices.enabled: true
plugins.security.system_indices.permission.enabled: true

After enabling the system index-related settings

Documents in normal indexes, which are not system indexes, cannot be queried. The reason is that when the plugins.security.system_indices.permission.enabled condition is enabled the SecurityIndexSearcherWrapper checks for the system:admin/system_index permission for all indexes, regardless of whether they are system indexes or not.

now we resolve this issue, it is necessary to grant the system:admin/system_index permission to regular users as well. This can be done as follows:

normal_user:
  reserved: false
  hidden: false
  cluster_permissions:
    - "*"
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "*"
        - "system:admin/system_index"

However, this does not seem to be an good solution.

How can one reproduce the bug?

1. Starting OpenSearch with system index settings enabled.

plugins.security.system_indices.enabled: true
plugins.security.system_indices.permission.enabled: true
plugins.security.system_indices.indices: [".plugins-ml-model", ".plugins-ml-task", ".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opensearch-notifications-*", ".opensearch-notebooks", ".opensearch-observability", ".ql-datasources", ".opendistro-asynchronous-search-response*", ".replication-metadata-store", ".opensearch-knn-models"]

2. create index & document with normal user account

    user:
      reserved: false
      hidden: false
      cluster_permissions:
        - "*"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "*"
PUT http://localhost:9200/test-index/_doc/1

{
    "foo": "bar"
}

{
    "_index": "test-index",
    "_id": "1",
    "_version": 1,
    "result": "created",
    "_shards": {
        "total": 2,
        "successful": 1,
        "failed": 0
    },
    "_seq_no": 0,
    "_primary_term": 1
}

=> Document was created well.

3. Searching documents with a user account that does not have system index permissions.

    user:
      reserved: false
      hidden: false
      cluster_permissions:
        - "*"
      index_permissions:
        - index_patterns:
            - "*"
          allowed_actions:
            - "*"
GET http://localhost:9200/test-index/_search

{
    "took": 11,
    "timed_out": false,
    "_shards": {
        "total": 1,
        "successful": 1,
        "skipped": 0,
        "failed": 0
    },
    "hits": {
        "total": {
            "value": 0,
            "relation": "eq"
        },
        "max_score": null,
        "hits": []
    }
}

=> Documents cannot be searched.

What is the expected behavior? System index permission checks should be limited to system indexes only. Indexes that are not system indexes should be queryable without permission checks.

What is your host/environment?

Do you have any screenshots?

스크란샷 2024-06-11 α„‹α…©α„Œα…₯ᆫ 1 04 25

스크란샷 2024-06-11 α„‹α…©α„Œα…₯ᆫ 1 04 38

스크란샷 2024-06-11 α„‹α…©α„Œα…₯ᆫ 1 05 20

Do you have any additional context? Add any other context about the problem.

scrawfor99 commented 2 weeks ago

[Triage] This issue has been addressed by a merged PR. It should be fixed by the 2.16 release.