anomaly-detection icon indicating copy to clipboard operation
anomaly-detection copied to clipboard

Published 20 hours ago verified publisher icon opendistro-for-elasticsearch

Missing permission: cluster:admin/opendistro/ad/detector/info

Open Ricaz opened this issue 4 years ago • 3 comments

When creating a detector in Anomaly Detection, I get and error that I don't have permissions for "[cluster:admin/opendistro/ad/detector/info]".

I have a role containing these cluster permissions:

  • cluster:admin/opendistro/ad/detector/delete
  • cluster:admin/opendistro/ad/detector/jobmanagement
  • cluster:admin/opendistro/ad/detector/run
  • cluster:admin/opendistro/ad/detector/search
  • cluster:admin/opendistro/ad/detector/stats
  • cluster:admin/opendistro/ad/detector/write
  • cluster:admin/opendistro/ad/result/search
  • cluster:admin/opendistro/ad/detectors/get

When I go to add the missing permission to the role, the GUI says it doesn't exist (can't auto-complete in the Cluster Permissions field).

What gives? Do I need to run securityadmin.sh again, and will that override my current configuration?

Ricaz avatar Dec 07 '20 12:12 Ricaz

I was able to add the permission to my role through the API, but I still think the permission should be auto-completeable. Also, why is one of them called /detectors while the rest are /detector?

The API didn't work as documented, though. I used the PATCH _opendistro/_security/api/roles/<role> API, which for some ungodly reason wants a raw JSON array without enclosing {} braces. I sent:

PATCH _opendistro/_security/api/roles/anomaly_detectors
[
  {
    "op": "add", "path": "/cluster_permissions", "value": ["cluster:admin/opendistro/ad/detector/info"]
  }
]

But this removed all the other permissions. I had to include them all in the API request. Also a bit annoying that the Dev Tools console treats PATCH as a syntax error.

Ricaz avatar Dec 07 '20 15:12 Ricaz

Taking a look.. Can you add create a role with "cluster:admin/opendistro/ad/detector/info" cluster permissions? You can do something like and map the user to the role: curl -XPUT -u admin:admin --insecure https://localhost:9200/_opendistro/_security/api/roles/ad_all_access -H 'Content-Type:application/json' -d'{ "cluster_permissions": [ "cluster:admin/opendistro/ad/detector/info", "cluster_monitor" ], "index_permissions": [ { "index_patterns": [ "*" ], "dls": "", "fls": [], "masked_fields": [], "allowed_actions": [ "indices_monitor", "indices:admin/aliases/get", "indices:admin/mappings/get" ] } ], "tenant_permissions": [] }'

I see we didnt add the new info API into the security UI. I'll send out a PR to take care of that.

saratvemulapalli avatar Dec 18 '20 07:12 saratvemulapalli

PR: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/pull/653

saratvemulapalli avatar Dec 18 '20 07:12 saratvemulapalli