[BUG] Close API requires "hidden" permission #1461

Closed
aetter opened this issue Sep 28, 2021 · 4 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. v2.6.0 'Issues and PRs related to version v2.6.0'

Comments

@aetter (Contributor) commented Sep 28, 2021

Describe the bug
Even with the indices:admin/close permission, you can't close an index. You also need the indices:admin/close* permission, which isn't listed in OpenSearch Dashboards.

Added: It's not clear to me if this is a problem with the OpenSearch plugin or OpenSearch Dashboards plugin. Have we considered a "list permissions" REST API (GET _plugins/_security/api/permissions/) so that it's easier to get the authoritative list of all permissions?

To Reproduce
Steps to reproduce the behavior:

  1. As admin, create a new user.
  2. Create test-index and index a couple documents.
  3. Create the following role:

PUT https://localhost:9200/_plugins/_security/api/roles/test
{
    "cluster_permissions": [],
    "index_permissions": [
        {
            "index_patterns": [
                "test-index"
            ],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": [
                "indices:admin/close",
                "indices:admin/open"
            ]
        }
    ]
}

  4. Map the new role to the new user.
  5. As the new user, send the following request:

POST https://localhost:9200/test-index/_close

  6. Note the error:

{
    "acknowledged": false,
    "shards_acknowledged": false,
    "indices": {
        "test-index": {
            "closed": false,
            "failedShards": {
                "0": {
                    "failures": [
                        {
                            "shard": 0,
                            "index": "test-index",
                            "status": "FORBIDDEN",
                            "reason": {
                                "type": "security_exception",
                                "reason": "no permissions for [indices:admin/close[s]] and User [name=test, backend_roles=[], requestedTenant=null]"
                            }
                        }
                    ]
                }
            }
        }
    }
}

  7. As admin, update the role:

PUT https://localhost:9200/_plugins/_security/api/roles/test
{
    "cluster_permissions": [],
    "index_permissions": [
        {
            "index_patterns": [
                "test-index"
            ],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": [
                "indices:admin/close",
                "indices:admin/close*",
                "indices:admin/open"
            ]
        }
    ]
}

  8. As the new user, send the request again:

POST https://localhost:9200/test-index/_close

Success.

Expected behavior
The indices:admin/close* permission should either not be necessary or should be included in the Dashboards UI.


@aetter aetter added bug Something isn't working Beta untriaged Require the attention of the repository maintainers and may need to be prioritized labels Sep 28, 2021
@davidlago davidlago removed Beta untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 3, 2021
@davidlago davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022
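As an added illustration (not the reporter's code and not the security plugin's own implementation), the following Python script approximates how a role's allowed_actions wildcards are evaluated against the transport action names a request fans out into. It uses the two role definitions from the reproduction steps and the action names visible on this page: the index-level "indices:admin/close" and the shard-level "indices:admin/close[s]" from the error message. The matching semantics are an assumption: only "*" (any run of characters) and "?" (one character) are treated as wildcards, everything else is literal; the plugin's real matcher also accepts regex-style patterns, which are not modelled here. The action name used to show the over-broad effect of a trailing "*" is a constructed, hypothetical name.

```python
"""Constructed check of role allowed_actions against transport action names.

Illustrative only: it is not the OpenSearch security plugin's matcher, and the
'*' / '?' semantics below are an assumption about how patterns are applied.
"""
import re
from typing import Iterable


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a role pattern into an anchored regex.

    Only '*' and '?' are special. '[' and ']' are escaped and matched
    literally, so the "[s]" suffix of a shard-level action name is NOT a
    character class (fnmatch would get this wrong if the suffix ever
    appeared inside a pattern).
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def action_allowed(action: str, allowed_actions: Iterable[str]) -> bool:
    """True if any allowed_actions pattern covers the full action name."""
    return any(_wildcard_to_regex(p).match(action) for p in allowed_actions)


def index_matches(index: str, index_patterns: Iterable[str]) -> bool:
    """True if any index_patterns entry covers the concrete index name."""
    return any(_wildcard_to_regex(p).match(index) for p in index_patterns)


def missing_actions(role: dict, index: str, requested: Iterable[str]) -> list:
    """Return the requested actions that no index_permissions entry grants on `index`.

    An empty list means the request would pass this (simplified) check.
    """
    missing = []
    for action in requested:
        granted = any(
            index_matches(index, perm["index_patterns"])
            and action_allowed(action, perm["allowed_actions"])
            for perm in role.get("index_permissions", [])
        )
        if not granted:
            missing.append(action)
    return missing


def _role(*allowed: str) -> dict:
    # Same shape as the role body PUT to _plugins/_security/api/roles/test above.
    return {
        "cluster_permissions": [],
        "index_permissions": [
            {
                "index_patterns": ["test-index"],
                "dls": "",
                "fls": [],
                "masked_fields": [],
                "allowed_actions": list(allowed),
            }
        ],
    }


# Step 3 role (fails) and step 7 role (succeeds), taken from the report.
ROLE_BEFORE = _role("indices:admin/close", "indices:admin/open")
ROLE_AFTER = _role("indices:admin/close", "indices:admin/close*", "indices:admin/open")

# Transport actions behind POST /test-index/_close: the index-level action plus
# the per-shard verify action named in the error message on this page.
CLOSE_ACTIONS = ["indices:admin/close", "indices:admin/close[s]"]

# Constructed, hypothetical action name: shows that a trailing '*' also grants
# any future action sharing the prefix, which is the least-privilege trade-off.
HYPOTHETICAL_PREFIXED_ACTION = "indices:admin/close_hypothetical"


def main() -> None:
    print("before:", missing_actions(ROLE_BEFORE, "test-index", CLOSE_ACTIONS))
    print("after: ", missing_actions(ROLE_AFTER, "test-index", CLOSE_ACTIONS))
    print("prefix wildcard also grants hypothetical action:",
          action_allowed(HYPOTHETICAL_PREFIXED_ACTION, ["indices:admin/close*"]))


if __name__ == "__main__":
    main()
```

Running it reproduces the report's outcome: the first role leaves "indices:admin/close[s]" ungranted because a pattern without a wildcard must match the whole action name, while "indices:admin/close*" covers both names. The last line is the caveat to weigh before copying the fix: a prefix wildcard grants every action that shares the prefix, so an admin may prefer to add the exact shard-level action once the UI lists it.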
@stephen-crawford (Contributor)

[Triage] Hi @shanilpa, do you have any thoughts on how to best handle this issue?

This issue remains relevant. Users given an error stating they need a permission should be able to assign that permission from the list. There are also "hidden" permissions which are not intuitive.

  1. Make permissions not hidden (i.e. permissible actions in the YAML file of the security plugin)
  2. Add permission being missed to drop-down list

@shanilpa

@scrawfor99 A couple of clarifying questions here before I make any UX recommendations.

  1. It looks like we are already working on making these "hidden" permissions available in the dropdown as mentioned in this issue. Am I missing something here? Are these permissions special and need to be treated differently from the others?
  2. "Users given an error stating they need a permission should be able to assign that permission from the list."

As I understand it only an admin user has access to the Dashboards security plugin therefore they are the only ones that can assign permissions. I think it would be very risky to allow any user to self assign permissions from the list. Not sure I fully get what you meant by this statement, could you clarify?

@gaiksaya (Member)

Hi @opensearch-project/security,
This issue was tagged for 2.6.0. Can you close it if it was resolved, or tag it to be tracked for the next iteration?
Thanks!

@cwperks (Member) commented Feb 27, 2023

This is released in 2.6.0. Closing issue.

@cwperks cwperks closed this as completed Feb 27, 2023