opensearch-project / security

🔐 Secure your cluster with TLS, numerous authentication backends, data masking, audit logging as well as role-based access control on indices, documents, and fields
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] Backend role mapping is not found by AWS resource if deployed via api #4595

Closed alwashali closed 1 month ago

alwashali commented 1 month ago

### Describe the bug

If a role is deployed manually via the UI, AWS Lambda will identify the role and permissions. If the role is created via the API, such as Dev Tools, Lambda will always throw the error below:

```
{'type': 'security_exception', 'reason': 'no permissions for [indices:data/write/delete/byquery] and User [name=arn:aws:iam::111111111111111:role/lambdaOpenSearchRole, backend_roles=[arn:aws:iam::111111111111111:role/lambdaOpenSearchRole], requestedTenant=null]'}], 'type': 'security_exception', 'reason': 'no permissions for [indices:data/write/delete/byquery] and User [name=arn:aws:iam::111111111111111:role/lambdaOpenSearchRole, backend_roles=[arn:aws:iam::111111111111111:role/lambdaOpenSearchRole], requestedTenant=null]'}, 'status': 403}
```

### Related component

Plugins

### To Reproduce

  1. Create a role via the API (Dev Tools)
  2. Map the role to a backend role (the AWS role) via the API
  3. Test with Lambda Python code for any simple task, such as getting a document by ID

```
PUT _plugins/_security/api/roles/test_role
{
  "cluster_permissions": [
    "cluster_all",
    "indices:data/write/bulk",
    "indices:data/write/bulk*",
    "indices:data/read/scroll",
    "indices:data/read/scroll/clear"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "delete",
        "indices:data/write/delete/byquery",
        "crud",
        "write",
        "data_access"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_write"
      ]
    }
  ]
}

PUT _plugins/_security/api/rolesmapping/test_role
{
  "backend_roles": [
    "arn:aws:iam::111111111111:role/lambdaOpenSearchRole"
  ]
}
```

### Expected behavior

Lambda should be allowed to execute the operation with the authorisation of the mapped role, regardless of whether it was created via the API or the UI.

### Additional Details

**Plugins**
 analysis-ik                          2.11.0
 analysis-icu                         2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0


**Host/Environment (please complete the following information):**
 - OS: [AWS managed Opensearch]
 - Version [ v 2.11.0]

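The reproduction above hinges on two things lining up: the backend role the plugin reports for the caller in the `security_exception` reason must match an entry in the role's `rolesmapping`, and the requested action must be covered by the role's `index_permissions`. The following is an added diagnostic example, not code from the issue or from the security plugin: it parses a `security_exception` reason string, checks the reported backend roles against a mapping, and checks the denied action against the role's `allowed_actions`. It assumes glob-style wildcard matching for both (an assumption; the plugin's action groups such as `crud` are not expanded here, only raw action names and wildcards are compared), and all role bodies, mappings and error strings are constructed samples.

```python
import fnmatch
import re

# Constructed sample configuration (hypothetical values, not the issue's):
# a role body in the shape of a PUT _plugins/_security/api/roles/<name>
# request, and its PUT _plugins/_security/api/rolesmapping/<name> body.
SAMPLE_ROLE = {
    "cluster_permissions": ["cluster_all"],
    "index_permissions": [
        {
            "index_patterns": ["app-*"],
            "allowed_actions": [
                "indices:data/write/delete/byquery",
                "indices:data/read/*",
            ],
        }
    ],
}
SAMPLE_MAPPING = {
    "backend_roles": ["arn:aws:iam::123456789012:role/lambdaOpenSearchRole"]
}

# Constructed reason strings shaped like the plugin's security_exception.
REASON_OK = (
    "no permissions for [indices:data/write/delete/byquery] and User "
    "[name=arn:aws:iam::123456789012:role/lambdaOpenSearchRole, "
    "backend_roles=[arn:aws:iam::123456789012:role/lambdaOpenSearchRole], "
    "requestedTenant=null]"
)
# Same caller, but the account id differs from the mapping (a typical
# copy/paste slip when the mapping is written by hand via the API).
REASON_WRONG_ACCOUNT = REASON_OK.replace("123456789012", "210987654321")
# Mapped caller asking for an action the role does not grant.
REASON_OTHER_ACTION = REASON_OK.replace(
    "indices:data/write/delete/byquery", "indices:admin/delete"
)

REASON_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<name>[^,]+), "
    r"backend_roles=\[(?P<roles>[^\]]*)\]"
)


def parse_security_exception(reason: str) -> dict:
    """Extract the denied action, the user name and the backend roles."""
    m = REASON_RE.search(reason)
    if m is None:
        raise ValueError("not a recognised security_exception reason")
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"action": m.group("action"), "user": m.group("name"), "backend_roles": roles}


def mapped_backend_roles(mapping: dict, backend_roles: list) -> list:
    """Return the caller's backend roles that match a mapping entry (glob match assumed)."""
    patterns = mapping.get("backend_roles", [])
    return [br for br in backend_roles
            if any(fnmatch.fnmatchcase(br, pat) for pat in patterns)]


def index_permission_grants(role: dict, action: str, index: str) -> bool:
    """True if some index_permissions entry covers the index and the raw action."""
    for perm in role.get("index_permissions", []):
        if not any(fnmatch.fnmatchcase(index, p) for p in perm.get("index_patterns", [])):
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in perm.get("allowed_actions", [])):
            return True
    return False


def diagnose(role: dict, mapping: dict, reason: str, index: str = "app-index") -> dict:
    """Classify a 403 as an unmapped caller, a missing action, or a consistent config."""
    err = parse_security_exception(reason)
    matched = mapped_backend_roles(mapping, err["backend_roles"])
    if not matched:
        verdict = "not_mapped"      # nothing in the mapping matches the caller
    elif not index_permission_grants(role, err["action"], index):
        verdict = "action_not_granted"  # mapped, but role lacks the action on this index
    else:
        verdict = "consistent"      # config looks right; the 403 comes from elsewhere
    return {"verdict": verdict, "action": err["action"], "matched_backend_roles": matched}


if __name__ == "__main__":
    for label, reason in [("ok", REASON_OK), ("wrong account", REASON_WRONG_ACCOUNT),
                          ("other action", REASON_OTHER_ACTION)]:
        print(label, "->", diagnose(SAMPLE_ROLE, SAMPLE_MAPPING, reason)["verdict"])
```

A `consistent` verdict against the live `GET _plugins/_security/api/rolesmapping/<name>` and `roles/<name>` bodies means the 403 is not explained by the mapping or the raw action list, and the next places to look are action-group expansion, the tenant, or whether the API write was actually persisted on the cluster that served the request.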
peternied commented 1 month ago

[Triage - attendees 1 2] @alwashali Thanks for creating this issue, it looks like this is related to the security plugin, I'm going to transfer this issue to that repository. Note: it looks like you are using AWS' OpenSearch service, I would recommend creating a support ticket with them for a faster/more complete response.

stephen-crawford commented 1 month ago

[Triage] Hi @alwashali, thanks for filing this issue. This looks like an AWS OpenSearch Service question. Unfortunately, we are unable to provide support for these issues as this project is for the open-source code base. Please contact your AWS service team or file a support ticket for this issue.