[BUG] 403 forbidden when trying to retrieve an alias using aliasname with an internal user that is mapped to a role with a restrictive index pattern
What is the bug?
Getting 403 forbidden when trying to use an internal user that is mapped to a role with a restrictive index pattern.
Please refer - https://forum.opensearch.org/t/getting-403-forbidden-when-trying-to-use-an-internal-user-that-is-mapped-to-a-role-with-a-restrictive-index-pattern/16928
How can one reproduce the bug? Steps to reproduce the behavior:
- After connecting to the AWS OpenSearch dashboard URL (present inside a VPC) via tunneling, created an internal user and a role, and mapped the internal user to the role with index-level permission (index_all) and cluster-level access (cluster_monitor) on the specified index pattern (indexname).
- But now, on using the internal user credentials through a re-provisioning (instead of the master/admin user with which the OpenSearch cluster was spawned) on an existing environment, pods keep crashing, leading to continuous restarts. On investigating the kubectl pod logs, observed that a 403 forbidden error comes up when trying to use an internal user (to create an index / access an alias) that is mapped to a role with a restrictive index pattern.
Please note this error goes away when the index pattern is set to * (open ended).
What is the expected behavior?
Internal user should be able to perform all operations (indices_all index level permission) on a specified index pattern
What is your host/environment?
- AWS-Opensearch service (engine version - 2.5)
Do you have any screenshots?
curl -X GET "https://XXXXX.us-east-1.es.amazonaws.com:8086/_aliases" -H 'Content-Type: application/json' -k -u indexname:XXXXXX11
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=indexname, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=indexname, backend_roles=[], requestedTenant=null]"},"status":403}%
Do you have any additional context?
[Triage] Thank you for filing this issue @AnanyaBanerjee01. Could you provide details about how to reproduce outside the managed offering? Is the user assigned to a role with a cluster permission for getting aliases indices:admin/aliases/get?
@cwperks, an internal user was created and a role was assigned to it (cluster permission set to cluster_all and index permission set to a specific available index and indices_all).
PFB the screenshots
Moreover, as per the documentation, https://opensearch.org/docs/latest/security/access-control/default-action-groups/ :
cluster_all | Grants all cluster permissions. Equates to cluster:*.
indices_all | Grants all permissions on the index. Equates to indices:*.
Please note that we want to leverage only an internal user to have full access on the specified index (hence do not want to grant open ended access to all indexes). Even tried to grant indices:admin/aliases/get as part of the cluster permission but getting same 403 error.
Also, using curl, tried to replicate the error:
curl -X GET "https://XXXXX.us-east-1.es.amazonaws.com:8086/_aliases" -H 'Content-Type: application/json' -k -u hxpr-hxcs-2703:XXXXXX11
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"},"status":403}%
@AnanyaBanerjee01 Do you know the name of the concrete index? A user with index pattern restrictions can request the aliases for a particular concrete index like this:
> curl -XGET https://<username>:<password>@localhost:9200/<concrete-index>/_alias -k
{"movies":{"aliases":{"movies1":{}}}}
A user who does not have permission on * index pattern cannot list all aliases.
@cwperks, thanks for that info! Yes, I was able to retrieve the alias for a specific index (which the internal user has index-level access to):
Ananya.Banerjee@APL-dyyknqyw5f ~ % curl -X GET "https://XXXXXXXes.amazonaws.com:8086/hxpr-hxcs-2703/_alias" -H 'Content-Type: application/json' -k -u hxpr-hxcs-2703:XXXXXXX
{"hxpr-hxcs-2703":{"aliases":{}}}
I think the 403 error makes sense to me now, when I tried to invoke the /_aliases endpoint. I am assuming this behavior (a user who does not have permission on the * index pattern cannot list all aliases) is consistent across all versions of OpenSearch, including the latest 2.9?
Also, can you confirm whether an internal user who does not have permission on the * index pattern can query its own alias (by alias name)? It's mentioned in the docs that an alias is a virtual index name that can point to one or more indexes (https://opensearch.org/docs/latest/im-plugin/index-alias/#manage-aliases).
I get 403 when I try to search an alias with an alias name.
Please see below:
Ananya.Banerjee@APL-dyyknqyw5f ~ % curl -X GET "https://XXXXXX.es.amazonaws.com:8086/_alias/hxpr-hxcs-2703" -H 'Content-Type: application/json' -k -u hxpr-hxcs-2703:XXXXX
{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"},"status":403}
https://github.com/opensearch-project/security/issues/3790#issuecomment-1844708025, any pointers on this?
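As an added example (not code from this issue or from the OpenSearch project), a small Python triage helper that parses the security_exception bodies quoted above and applies the rule stated in the thread: a user whose role lacks the * index pattern can read the aliases of a concrete index it is granted (/<index>/_alias) but is denied on /_aliases and /_alias/<name>. The response bodies and request paths are constructed from the thread; the message format is the one the security plugin returned in those responses.

```python
"""Triage 403 security_exception responses from the OpenSearch security plugin."""
import json
import re
from typing import Optional

# Denial message format as it appears in the 403 responses quoted in this thread.
_DENIAL_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User "
    r"\[name=(?P<user>[^,\]]+), backend_roles=\[(?P<roles>[^\]]*)\], "
    r"requestedTenant=(?P<tenant>[^\]]+)\]"
)

def parse_denial(body: str) -> Optional[dict]:
    """Return action/user/roles/tenant from a security_exception body,
    or None when the body is an ordinary (permitted) response."""
    text = body.strip().lstrip("_").rstrip("%")  # drop pasted shell-prompt residue
    doc = json.loads(text)
    err = doc.get("error")
    if not isinstance(err, dict) or err.get("type") != "security_exception":
        return None
    m = _DENIAL_RE.search(err.get("reason", ""))
    if not m:
        return None
    return {
        "status": doc.get("status"),
        "action": m["action"],
        "user": m["user"],
        "backend_roles": [r.strip() for r in m["roles"].split(",") if r.strip()],
        "tenant": None if m["tenant"] == "null" else m["tenant"],
    }

def triage(path: str, body: str) -> str:
    """Classify an alias request by its path and response body. Paths under
    /_alias or /_aliases are not scoped to a concrete index; per the thread
    they need the * index pattern, while /<index>/_alias only needs that index."""
    denial = parse_denial(body)
    if denial is None:
        return "ok: alias lookup permitted for %s" % path
    cluster_wide = path.startswith("/_alias")  # covers /_aliases and /_alias/<name>
    if cluster_wide:
        hint = "needs the * index pattern; query /<concrete-index>/_alias instead"
    else:
        hint = "check that the role's index pattern covers this index"
    return "denied %s for user %s on %s: %s" % (
        denial["action"], denial["user"], path, hint)

# Constructed inputs: the two response bodies quoted in this thread.
DENIED_BODY = ('{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/aliases/get] and User [name=hxpr-hxcs-2703, backend_roles=[], requestedTenant=null]"},"status":403}%')
OK_BODY = '{"hxpr-hxcs-2703":{"aliases":{}}}'
```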