
[BUG] By default user can access all data streams messages #1498

Closed
thethir13en opened this issue Nov 11, 2021 · 4 comments
Labels
bug Something isn't working

Comments

@thethir13en

Describe the bug
A user who only has the own_index role can perform search/delete actions on data streams in the cluster.

To Reproduce
Steps to reproduce the behavior:

  1. Create a user that has no roles mapped (I've created it from OpenSearch Dashboards)
  2. Create an index template with the data_stream attribute, e.g.:
     PUT _index_template/logs-template
     {
       "index_patterns": [
         "logs-*"
       ],
       "data_stream": {},
       "priority": 100
     }
  3. Send logs to the logs- data stream
  4. Log in to OpenSearch Dashboards with this user
  5. Send request GET logs-* or DELETE logs-*

Expected behavior
The plugin has to restrict access to data streams for users without permissions for those data streams.

Plugins enabled
opensearch-node1 opensearch-alerting 1.0.0.0
opensearch-node1 opensearch-anomaly-detection 1.0.0.0
opensearch-node1 opensearch-asynchronous-search 1.0.0.0
opensearch-node1 opensearch-index-management 1.0.1.0
opensearch-node1 opensearch-job-scheduler 1.0.0.0
opensearch-node1 opensearch-knn 1.0.0.0
opensearch-node1 opensearch-notebooks 1.0.0.0
opensearch-node1 opensearch-performance-analyzer 1.0.1.0
opensearch-node1 opensearch-reports-scheduler 1.0.0.0
opensearch-node1 opensearch-security 1.0.1.0
opensearch-node1 opensearch-sql 1.0.0.0

Screenshots
(three screenshots attached to the issue; not reproduced here)

Host/Environment (please complete the following information):

  • OS: Windows + WSL2 + Docker
  • Version [1.0.1.0,1.1.0.0]
@thethir13en thethir13en added Beta bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Nov 11, 2021
@cliu123 cliu123 removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Apr 1, 2022
@sastorsl

sastorsl commented May 6, 2022

It seems that document level security is not fixed as part of the PR - with regards to setting the security on the data stream alias alone.

If I specify document level security with a direct reference to the backing indices the view is indeed limited for the user:

    "index_permissions" : [
      {
        "index_patterns" : [
          "logstash-app-*",
          "logs-app",
          ".ds-logs-app-*"
        ],
        "dls" : "{\n  \"bool\": {\n    \"must\": {\n      \"match\": {\n        \"logsource.keyword\": \"userdata\"\n      }\n    }\n  }\n}",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "read"
        ]
      }
    ]

But if I remove .ds-logs-app the user is able to see all data in the logs-app data stream.

@sandeshkr419 is this something you can comment on / look into?
Is it a separate issue, or?
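To make the configuration point of this comment checkable, here is an added Python example (not from the thread and not the security plugin's own code) that lints a role's index_permissions: for every DLS-restricted entry that grants a data stream, it checks that some pattern in the same entry also matches the stream's backing indices. Assumptions: backing indices are named .ds-<stream>-<generation> (the .ds-logs-app-* pattern in the comment suggests this), and the two sample roles are constructed from the posted permission block, one with and one without the backing-index pattern.

```python
# Added example (not from the issue thread or the OpenSearch security plugin):
# a small lint for role definitions that flags DLS-restricted data-stream
# patterns whose backing indices (.ds-<stream>-*) are not also covered.
import fnmatch
import json

# DLS query from the comment above, serialised as a string the way the
# role definition stores it.
DLS_USERDATA = json.dumps(
    {"bool": {"must": {"match": {"logsource.keyword": "userdata"}}}}, indent=2
)

# Constructed sample roles: the first mirrors the posted index_permissions
# entry; the second drops the backing-index pattern, as in the failing case.
ROLE_WITH_BACKING = {
    "index_permissions": [
        {
            "index_patterns": ["logstash-app-*", "logs-app", ".ds-logs-app-*"],
            "dls": DLS_USERDATA,
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read"],
        }
    ]
}
ROLE_WITHOUT_BACKING = {
    "index_permissions": [
        {
            "index_patterns": ["logstash-app-*", "logs-app"],
            "dls": DLS_USERDATA,
            "fls": [],
            "masked_fields": [],
            "allowed_actions": ["read"],
        }
    ]
}


def backing_index_name(stream: str, generation: int) -> str:
    """Name of a data stream's backing index.

    Assumption: backing indices follow the .ds-<stream>-<generation> scheme
    implied by the .ds-logs-app-* pattern in the comment; the generation is
    zero-padded to six digits here.
    """
    return f".ds-{stream}-{generation:06d}"


def pattern_covers(patterns, index_name: str) -> bool:
    """True if any glob-style index pattern matches index_name (case-sensitive)."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)


def find_unprotected_streams(role: dict, data_streams) -> list:
    """One finding per (permission, stream) where a DLS-restricted permission
    grants the stream by name but none of its patterns would match the
    stream's backing indices, which is the configuration the comment reports
    as not limiting the user's view."""
    findings = []
    for idx, perm in enumerate(role.get("index_permissions", [])):
        if not perm.get("dls"):
            continue  # no document-level restriction in this entry
        patterns = perm.get("index_patterns", [])
        for stream in data_streams:
            if not pattern_covers(patterns, stream):
                continue  # this entry does not grant the stream at all
            if not pattern_covers(patterns, backing_index_name(stream, 1)):
                findings.append(
                    {"permission": idx, "stream": stream, "missing": f".ds-{stream}-*"}
                )
    return findings


if __name__ == "__main__":
    for label, role in (("with", ROLE_WITH_BACKING), ("without", ROLE_WITHOUT_BACKING)):
        print(label, find_unprotected_streams(role, ["logs-app"]))
```

Run it against exported role definitions (for example the output of the security plugin's roles API) together with the list of data streams in the cluster; any finding names the backing-index pattern that the DLS-restricted entry should also list until the underlying behaviour is confirmed fixed in the deployed version.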

@rursprung
Contributor

@peternied: is the problem reported by @sastorsl the one you fixed in #1999 or is this yet another problem (and maybe still unresolved)?

@peternied
Member

@sastorsl Could you check if this scenario is resolved in the recent 2.2.0 release? If you still see a vulnerability please contact [email protected] and CC me [email protected] so we can investigate further.

@peternied
Member

@rursprung Thanks for noticing this, I'm not sure based on the report if it is the same issue or a different issue without knowing more about the system configuration.

gaobinlong pushed a commit to gaobinlong/security that referenced this issue Aug 30, 2023
* Fix a bad import path

- Resolves opensearch-project#1487

Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
Co-authored-by: Ryan Liang <[email protected]>