[BUG] Can't create reporting indices due to permission issue
Describe the bug
Hi everyone!
I am facing problems with creating reports. Logs say that I have permission errors, but it happens even with the all_access role mapped, which makes no sense.
We use OIDC to access dashboards.
This is the role for regular users:
{
  "osd-reader": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "cluster:admin/opensearch/observability/get",
      "cluster:admin/opendistro/reports/definition/list",
      "indices:data/read/mget*",
      "cluster:admin/opensearch/ql/datasources/read",
      "indices:data/write/bulk",
      "cluster:admin/opendistro/reports/menu/download",
      "cluster:admin/opendistro/reports/instance/list",
      "cluster:admin/opendistro/reports/definition/create",
      "cluster:admin/opendistro/reports/definition/update",
      "cluster:admin/opendistro/reports/definition/on_demand",
      "cluster:admin/opendistro/reports/definition/get",
      "cluster:admin/opendistro/reports/instance/get",
      "cluster:admin/opendistro/reports/definition/delete"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          ".kibana_*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "write",
          "read",
          "indices:admin/create"
        ]
      },
      {
        "index_patterns": [
          "*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read",
          "search",
          "get",
          "indices:admin/create"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
and its role mapping:
{
  "osd-reader": {
    "hosts": [],
    "users": [
      "osd-reader"
    ],
    "reserved": false,
    "hidden": false,
    "backend_roles": [
      "osd-reader"
    ],
    "and_backend_roles": []
  }
}
When I go to the saved searches, then to Reporting and there Generate CSV, I get an "Insufficient permissions" error in the UI and this log on a master node:
[2024-05-06T08:58:18,251][INFO ][o.o.s.p.SecurityIndexAccessEvaluator] [master-1] No indices:admin/create permission for user roles roles=[
osd-reader
ipatterns=[
indexPattern=.kibana_*
dlsQuery=
fls=[]
perms=[indices:admin/mapping/put, indices:admin/resolve/index, indices:data/write*, indices:admin/create, indices:admin/mappings/fields/get*, indices:data/read*],
indexPattern=*
dlsQuery=
fls=[]
perms=[indices:data/read/msearch*, indices:data/read/get*, indices:admin/resolve/index, indices:data/read/search*, indices:data/read/suggest*, indices:data/read/mget*, indices:admin/create, indices:admin/mappings/fields/get*, indices:data/read*]]
clusterPerms=[cluster:admin/opendistro/reports/definition/create, cluster:admin/opensearch/observability/get, cluster:admin/opensearch/ql/datasources/read, cluster:admin/opendistro/reports/definition/list, indices:data/read/mget*, cluster:admin/opendistro/reports/instance/list, cluster:admin/opendistro/reports/definition/on_demand, cluster:admin/opendistro/reports/definition/update, cluster:admin/opendistro/reports/definition/delete, cluster:admin/opendistro/reports/menu/download, cluster:admin/opendistro/reports/definition/get, indices:data/write/bulk, cluster:admin/opendistro/reports/instance/get]] to System Indices .opendistro-reports-instances
[2024-05-06T08:58:18,253][WARN ][o.o.r.a.PluginBaseAction ] [master-1] reports:OpenSearchStatusException: message:no permissions for [] and User [name=max, backend_roles=[osd-reader], requestedTenant=null]
The same happens with the all_access role, we just map it with our backend_role for admins:
"all_access": {
  "hosts": [],
  "users": [
    "admin"
  ],
  "reserved": false,
  "hidden": false,
  "backend_roles": [
    "osd-admin"
  ],
  "and_backend_roles": []
}
The error:
[2024-05-06T09:09:39,849][INFO ][o.o.s.p.SecurityIndexAccessEvaluator] [master-1] No indices:admin/create permission for user roles roles=[
all_access
ipatterns=[
indexPattern=*
dlsQuery=null
fls=[]
perms=[*]]
clusterPerms=*,
osd-reader
ipatterns=[
indexPattern=.kibana_*
dlsQuery=
fls=[]
perms=[indices:admin/mapping/put, indices:admin/resolve/index, indices:data/write*, indices:admin/create, indices:admin/mappings/fields/get*, indices:data/read*],
indexPattern=*
dlsQuery=
fls=[]
perms=[indices:data/read/msearch*, indices:data/read/get*, indices:admin/resolve/index, indices:data/read/search*, indices:data/read/suggest*, indices:data/read/mget*, indices:admin/create, indices:admin/mappings/fields/get*, indices:data/read*]]
clusterPerms=[cluster:admin/opendistro/reports/definition/create, cluster:admin/opensearch/observability/get, cluster:admin/opensearch/ql/datasources/read, cluster:admin/opendistro/reports/definition/list, indices:data/read/mget*, cluster:admin/opendistro/reports/instance/list, cluster:admin/opendistro/reports/definition/on_demand, cluster:admin/opendistro/reports/definition/update, cluster:admin/opendistro/reports/definition/delete, cluster:admin/opendistro/reports/menu/download, cluster:admin/opendistro/reports/definition/get, indices:data/write/bulk, cluster:admin/opendistro/reports/instance/get]] to System Indices .opendistro-reports-instances
[2024-05-06T09:09:39,850][WARN ][o.o.r.a.PluginBaseAction ] [master-1] reports:OpenSearchStatusException: message:no permissions for [] and User [name=max, backend_roles=[osd-admin, osd-reader], requestedTenant=null]
Parts with "No indices:admin/create permission" and "no permissions for []" completely baffle me.
- indices:admin/create is present everywhere but not considered?
- How come that there is an empty tuple ([]) with permissions?
You can see the same behaviour when you go to Reporting directly from the left panel and click refresh.
Related component
Plugins
To Reproduce
There are two ways:
- Go to 'Discover -> Open -> some saved search -> Reporting'
- Click on 'Generate CSV'
- See error

- Go to 'Reporting'
- Click on 'Refresh'
- See error
Expected behavior
Reports are generated and downloaded.
Additional Details
Plugins
opensearch-alerting 2.12.0.0
opensearch-anomaly-detection 2.12.0.0
opensearch-asynchronous-search 2.12.0.0
opensearch-cross-cluster-replication 2.12.0.0
opensearch-custom-codecs 2.12.0.0
opensearch-flow-framework 2.12.0.0
opensearch-geospatial 2.12.0.0
opensearch-index-management 2.12.0.0
opensearch-job-scheduler 2.12.0.0
opensearch-knn 2.12.0.0
opensearch-ml 2.12.0.0
opensearch-neural-search 2.12.0.0
opensearch-notifications 2.12.0.0
opensearch-notifications-core 2.12.0.0
opensearch-observability 2.12.0.0
opensearch-performance-analyzer 2.12.0.0
opensearch-reports-scheduler 2.12.0.0
opensearch-security 2.12.0.0
opensearch-security-analytics 2.12.0.0
opensearch-skills 2.12.0.0
opensearch-sql 2.12.0.0
Host/Environment:
- Docker image: opensearchproject/opensearch:2.12.0
- OS: Ubuntu 20.04.6 LTS
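A triage helper for the denial entries quoted in the report, added here as an example (not code from the reporter or the OpenSearch project): it parses a SecurityIndexAccessEvaluator entry and checks whether any logged role pattern already lists the denied action for the target index. The sample log is constructed and abbreviated from the format above, the function names are hypothetical, and fnmatch-style wildcard matching is an assumption standing in for the plugin's own matcher.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample, abbreviated from the log format quoted in the report.
SAMPLE_LOG = """\
[2024-05-06T08:58:18,251][INFO ][o.o.s.p.SecurityIndexAccessEvaluator] [master-1] No indices:admin/create permission for user roles roles=[
osd-reader
ipatterns=[
indexPattern=.kibana_*
dlsQuery=
fls=[]
perms=[indices:data/write*, indices:admin/create, indices:data/read*],
indexPattern=*
dlsQuery=
fls=[]
perms=[indices:data/read/search*, indices:admin/create, indices:data/read*]]
clusterPerms=[cluster:admin/opendistro/reports/definition/create]] to System Indices .opendistro-reports-instances
"""

DENIAL = re.compile(r"No (\S+) permission for user roles")
TARGET = re.compile(r"to System Indices (\S+)")
# One indexPattern= line, any lines up to its perms=[...] list.
GRANT = re.compile(r"indexPattern=(\S+)\n(?:(?!indexPattern=).*\n)*?perms=\[([^\]]*)\]")

def triage(log_text):
    """Return (action, index, granting_patterns) for one denial entry, or None."""
    denial, target = DENIAL.search(log_text), TARGET.search(log_text)
    if not denial or not target:
        return None
    action, index = denial.group(1), target.group(1)
    granting = []
    for index_pattern, perms in GRANT.findall(log_text):
        actions = [p.strip() for p in perms.split(",") if p.strip()]
        # Assumption: shell-style wildcards approximate the plugin's matcher.
        if fnmatchcase(index, index_pattern) and any(fnmatchcase(action, a) for a in actions):
            granting.append(index_pattern)
    return action, index, granting

def verdict(log_text):
    """Summarise whether the denial can be explained by the logged role patterns."""
    result = triage(log_text)
    if result is None:
        return "no system-index denial found"
    action, index, granting = result
    if granting:
        return f"{action} on {index} is listed under pattern(s) {granting}; not a missing role permission"
    return f"{action} on {index} is not listed under any logged role pattern"
```

Run over the entries in the report, this separates "the role lacks the action" from "the role lists the action and the request was still denied", which is the distinction the two questions above turn on.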
@dblock we have the same issue in 2.14.0 and this is definitely a bug. Could you please advise what's the minimum permission required for "Generate CSV"?