[BUG] do_not_fail_on_forbidden_empty does not work for cat api #1815

jezsy · 2022-05-02T12:34:56Z

What is the bug?
Setting do_not_fail_on_forbidden to true does not seem to have any impact on some APIs like cat/_indices and cat/_aliases - the whole operation is rejected even if indices exist for which the user has access to.

_cat/indices/some-index-* would work, but not _cat/indices because it include internal indices which the user does not permission for.

Adding permissions under index_patterns: '*' can make them work, but I think this defeats the purpose of having the do_not_fail_on_forbidden parameter.

How can one reproduce the bug?
Steps to reproduce the behavior:
roles.yml

my_user:
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_manage_index_templates"
  index_permissions:
  - index_patterns:
    - "some-index-*"
    allowed_actions:
      - "read"
      - "write"
      - "create_index"
      - "manage"

config.yml

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    ...

Error for GET _cat/indices

        "type" : "security_exception",
        "reason" : "no permissions for [indices:monitor/settings/get] and User [name=my_user, backend_roles=[], requestedTenant=null]"

Error for GET _cat/aliases

        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/aliases/get] and User [name=my_user, backend_roles=[], requestedTenant=null]"

Both of these permissions should be covered under the manage default_action_group, but the operations only work when targeted specifically to the index, so do_not_fail_on_forbidden does not seem to be working as intended.

What is the expected behavior?
do_not_fail_on_forbidden should work similarly for all APIs, where results are filtered based only on the indices that the user has permissions for.

What is your host/environment?

Version OpenSearch 1.2.3
Plugins OpenSearch Security 1.2.3.0

The text was updated successfully, but these errors were encountered:

peternied · 2022-05-02T22:24:52Z

Thanks for filing @jezsy, I am having trouble reproducing the issue with /_search. As that data might be sensitive, could you email me directly at [email protected]? Sending the security-auditlog-* log entries and dump of security configuration will be needed to dive into this further.

jezsy · 2022-05-12T13:40:32Z

Hi @peternied. Apologies for the late response. Upon further tests, it seems my claim about /_search was wrong. kibana_1 was appearing in the results because I had my user mapped to the kibana_user role as well (was doing tests on the Dashboards Dev Tools), which had permissions for the kibana indices. So do_not_fail_on_forbidden works as intended for _search

In that case, the main issue now is just extending usage of parameters do_not_fail_on_forbidden and do_not_fail_on_forbidden_empty to other APIs like _cat (e.g. indices, aliases, shards, maybe more)

jezsy · 2022-05-12T13:58:57Z

Similarly, I think the two parameters should also apply to GET _alias and GET _aliases. At the moment, the whole operation is rejected instead of just filtering for those indices which the user does have permission for, even if the parameters are configured true

peternied · 2022-05-12T19:21:03Z

Thanks for updating us on this issue, we have added this issue into items to be looked at so thank you very much for contributing to this project by filing. Please feel free to open a pull request if you've got recommendations for this or other features.

…idden setting (#3236) ### Description This change allows for DNFOF behavior on the _cat/_indices API. It adds the required index permissions into the DNFOF regex to be picked up in the DNFOF code path. Previously it was being skipped/returning 403, since the index permissions were not in the regex. ### Issues Resolved Fix: #1815 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Derek Ho <[email protected]>

…idden setting (opensearch-project#3236) This change allows for DNFOF behavior on the _cat/_indices API. It adds the required index permissions into the DNFOF regex to be picked up in the DNFOF code path. Previously it was being skipped/returning 403, since the index permissions were not in the regex. Fix: opensearch-project#1815 Is this a backport? If so, please add backport PR # and/or commits # [Please provide details of testing done: unit testing, integration testing and manual testing] - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Derek Ho <[email protected]> (cherry picked from commit 4c095d2) Signed-off-by: Derek Ho <[email protected]>

jezsy added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels May 2, 2022

peternied added help wanted Community contributions are especially encouraged for these issues. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels May 2, 2022

davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022

davidlago mentioned this issue Aug 21, 2023

Improve the security permission check in cat indices (_cat/indices) API #2257

Closed

derek-ho self-assigned this Aug 24, 2023

derek-ho mentioned this issue Aug 24, 2023

Command cat/indices will filter results per the Do Not Fail On Forbidden setting #3236

Merged

3 tasks

RyanL1997 closed this as completed in #3236 Aug 29, 2023

nibix mentioned this issue Jan 2, 2024

[RFC] Refined index authorization (replacement for do_not_fail_on_forbidden) #3905

Open

derek-ho mentioned this issue Jun 7, 2024

[BUG] DNFOF does not work for some APIs #4413

Closed

cwperks mentioned this issue Nov 22, 2024

[BUG]Permission issue on AWS managed Opensearch 2.7 Indices search bar under Index Management. opensearch-project/index-management#959

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] do_not_fail_on_forbidden_empty does not work for cat api #1815

[BUG] do_not_fail_on_forbidden_empty does not work for cat api #1815

jezsy commented May 2, 2022 •

edited by peternied

Loading

peternied commented May 2, 2022 •

edited

Loading

jezsy commented May 12, 2022 •

edited

Loading

jezsy commented May 12, 2022 •

edited

Loading

peternied commented May 12, 2022

[BUG] do_not_fail_on_forbidden_empty does not work for cat api #1815

[BUG] do_not_fail_on_forbidden_empty does not work for cat api #1815

Comments

jezsy commented May 2, 2022 • edited by peternied Loading

peternied commented May 2, 2022 • edited Loading

jezsy commented May 12, 2022 • edited Loading

jezsy commented May 12, 2022 • edited Loading

peternied commented May 12, 2022

jezsy commented May 2, 2022 •

edited by peternied

Loading

peternied commented May 2, 2022 •

edited

Loading

jezsy commented May 12, 2022 •

edited

Loading

jezsy commented May 12, 2022 •

edited

Loading