Open franco-caylent opened 1 month ago
[Triage] Thank you for filing this issue @franco-caylent! I don't see that action listed in the security-dashboards-plugin here, which is where the dropdown is being populated. The ISM permissions should be added to the dropdown to allow an admin to assign these permissions through a page in OSD.
Thank you for the quick response! I'm sorry, but I don't understand if there's anything I should be doing or if this will remain open until someone fixes it. On another subject, why would changing the description of the policy as admin fix the issue?
@franco-caylent It will stay open until a PR is merged in security-dashboards-plugin to add the missing permissions to the dropdown.
To resolve your issue, can you add the missing permissions to the cluster-monitor role using the API or securityadmin?
Absolutely. Thank you!
On Mon, Jul 15, 2024, 12:13 Craig Perkins @.***> wrote:
@franco-caylent https://github.com/franco-caylent It will stay open until a PR is merged in security-dashboards-plugin https://github.com/opensearch-project/security-dashboards-plugin to add the missing permissions to the dropdown.
To resolve your issue, can you add the missing permissions to the cluster-monitor role using the API https://opensearch.org/docs/latest/security/access-control/api/#patch-role or securityadmin https://opensearch.org/docs/latest/security/configuration/security-admin/ ?
What is the bug? When a policy is applied through the API using a custom role, it is created but it's not applied. Upon modifying the description of the policy as admin using the web UI, I roll over the alias and it works.
The software in use is this one
After the role is created, the following event shows up in the logs:
[2024-07-14T08:27:28,259][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch01] No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[cluster-monitor-000001], types=[*], originalRequested=[cluster-monitor-000001], remoteIndices=[]] [Action [indices:admin/opensearch/ism/managedindex]] [RolesChecked [cluster-monitor, own_index]]
but I can't seem to add those permissions using the UI. It might be related to https://github.com/opensearch-project/security/issues/2523
How can one reproduce the bug? Steps to reproduce the behavior:
volumes:
  opensearch-data1:
  opensearch-data2:

networks:
  opensearch-net:
PUT _plugins/_security/api/roles/cluster-monitor
{
  "cluster_permissions": [
    "cluster:monitor/health",
    "cluster:monitor/stats",
    "cluster:monitor/nodes/stats",
    "cluster:monitor/nodes/info",
    "cluster:admin/opendistro/ism/policy/write",
    "indices:admin/index_template/put"
  ],
  "index_permissions": [{
    "index_patterns": [ "cluster-monitor" ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [ "index", "create_index" ]
  },{
    "index_patterns": [ "" ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "indices:admin/aliases/get",
      "indices:admin/aliases",
      "indices:admin/create"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [ "human_resources" ],
    "allowed_actions": [ "kibana_all_read" ]
  }]
}
2024-07-14 09:10:07,683 INFO Startup
2024-07-14 09:10:07,684 INFO Validating configurations
------------ Opensearch Cluster Monitor------------
Origin Cluster Endpoint: opensearch:9200
Destination Index: opensearch:9200/cluster-monitor
Frequency: 30
SSL Verification: False
------------ Opensearch Cluster Monitor------------
2024-07-14 09:10:07,692 INFO Setting up index template
2024-07-14 09:10:08,058 INFO Setting up index policy
2024-07-14 09:10:08,209 INFO Setting up alias
2024-07-14 09:10:08,330 INFO Starting Monitor
2024-07-14 09:10:08,405 INFO Logging cluster_health
2024-07-14 09:10:08,567 INFO Logging cluster_stats
2024-07-14 09:10:08,736 INFO Logging node
2024-07-14 09:10:08,898 INFO Logging node_stats
[2024-07-14T09:18:12,906][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[cluster-monitor-000001], types=[*], originalRequested=[cluster-monitor-000001], remoteIndices=[]] [Action [indices:admin/opensearch/ism/managedindex]] [RolesChecked [cluster-monitor, own_index]]
[2024-07-14T09:18:12,906][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No permissions for [indices:admin/opensearch/ism/managedindex]
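The following is an added example, not part of the issue or of the OpenSearch project's code: a small parser that pulls the denied action, user, indices and checked roles out of `PrivilegesEvaluator` lines like the ones above, and builds an `index_permissions` entry in the same shape as the role body in the reproduction steps. The function names are hypothetical, the sample log is copied from the issue, and the index pattern to grant on is an assumption left to the caller.

```python
import re

# Sample input: the two PrivilegesEvaluator lines quoted in the issue above.
SAMPLE_LOG = """\
[2024-07-14T09:18:12,906][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No index-level perm match for User [name=plugin, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[cluster-monitor-000001], types=[*], originalRequested=[cluster-monitor-000001], remoteIndices=[]] [Action [indices:admin/opensearch/ism/managedindex]] [RolesChecked [cluster-monitor, own_index]]
[2024-07-14T09:18:12,906][INFO ][o.o.s.p.PrivilegesEvaluator] [opensearch-node1] No permissions for [indices:admin/opensearch/ism/managedindex]
"""

# Matches only the detailed denial line; the short "No permissions for" line is skipped.
DENIAL = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+)"
    r".*?allIndices=\[(?P<indices>[^\]]*)\]"
    r".*?\[Action \[(?P<action>[^\]]+)\]\]"
    r".*?\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def _split(csv):
    """Split a comma-separated bracket body into trimmed, non-empty items."""
    return [item.strip() for item in csv.split(",") if item.strip()]

def parse_denials(log_text):
    """Return one dict per distinct index-level denial found in the log text."""
    seen, denials = set(), []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        key = (m["user"], m["action"], m["indices"], m["roles"])
        if key in seen:
            continue  # the same denial repeats on every ISM job run
        seen.add(key)
        denials.append({"user": m["user"], "action": m["action"],
                        "indices": _split(m["indices"]),
                        "roles": _split(m["roles"])})
    return denials

def index_permission_entry(denials, index_pattern):
    """Build an index_permissions entry granting only the denied actions.

    index_pattern is chosen by the caller (assumption): keep it as narrow as
    the indices reported in the denials allow.
    """
    actions = sorted({d["action"] for d in denials})
    return {"index_patterns": [index_pattern], "allowed_actions": actions}

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(found)
    print(index_permission_entry(found, "cluster-monitor-000001"))
```

The resulting entry can be appended to the role's `index_permissions` list before the role is re-applied through the API or securityadmin, as suggested in the thread.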