Missing Role/Permission for PPL may block access for non-admin user

[zhongnansu]

In the latest release, we merged in this commit, which adds the transport layer support for PPL. While creating the TransportPPLQueryAction, a "NAME" is required in its constructor, that has 2 purposes.

1. It helps a node to know which TransportAction class should be executed.
2. Also, this name is the permission, used in the context of security plugin, to filter what users can and can not do. https://github.com/opensearch-project/sql/blob/45d84d005ebbca8bb88e3cff48327131f35cb6e6/plugin/src/main/java/org/opensearch/sql/plugin/transport/PPLQueryAction.java#L12

The issue with the change is. If a user doesn't have "cluster:admin/opensearch/ppl" permission, he/she won't be able to query OpenSearch using PPL. A lack of permission error will show. Noticed that previously, PPL doesn't require any permission to conduct a search.

• "cluster:admin/opensearch/ppl" is not pre-defined in security plugin, and is not attached to any pre-defined roles.
• Noticed that Admin user with all_access role won't have the issue. Because the all_access role has access to all "cluster permissions", that is basically any permission string defined as cluser:*
• Non admin user that using PPL may have issue. See next section for the workaround.
• This may lead to a even broader discussion on if we want to add any layer of permission control for PPL/SQL user

Workaround

1. Ask admin user to manually create one cluster permission called cluster:admin/opensearch/ppl from either OSD security UI or using security Rest API,
2. As admin, assign the permission to any user/role that needs to query PPL

Proposed solution

• [ ] Update PPL doc to inform user to make changes to add permission to the user they want to use
• [ ] #764

[zhongnansu]

I also wonder if we should just revert this commit in a patch release, since requiring a new permission that doesn't exist before seems like a breaking change. Let me know what you think. @penghuo

[kristenTian]

What does PPL stands for?

[dai-chen]

Here is the user manual for your reference: https://github.com/opensearch-project/sql/blob/main/docs/user/ppl/index.rst

[penghuo]

Add docs. https://github.com/opensearch-project/sql/pull/777

[penghuo]

Backport to 2.1. https://github.com/opensearch-project/sql/pull/778

[penghuo]

I also wonder if we should just revert this commit in a patch release, since requiring a new permission that doesn't exist before seems like a breaking change. Let me know what you think. @penghuo

Since this feature has been release in 2.2. Patch release does not solve the problem. We will backport this feature to 2.1 and add docs to in PPL.

[robsliwi]

Struggling with the manual addition of cluster:admin/opensearch/ppl in the UI mentioned in the workaround, getting the following message:

{
  "error": {
    "reason": "Error occurred in OpenSearch engine: no permissions for [indices:admin/mappings/get] and User [name=viewer, backend_roles=[kibana_user, re_viewer], requestedTenant=]",
    "details": "org.opensearch.OpenSearchSecurityException: no permissions for [indices:admin/mappings/get] and User [name=viewer, backend_roles=[kibana_user, re_viewer], requestedTenant=]\nFor more details, please send request for Json format to see the raw response from OpenSearch engine.",
    "type": "OpenSearchSecurityException"
  },
  "status": 403
}

Checked the user and both mentioned roles, all have the permission indices:admin/mappings/get. Any other way to debug here? Am I doing something wrong?

EDIT/UPDATE: Got it figured out, the particular role that threw the error here was missing index permissions for admin/mappings/get and monitor/settings/get to run PPL queries.

[dai-chen]

@robsliwi Thank you for reporting the issue! Have you figured out? From the error message, the user seems still missing permission.