[BUG] admin permissions checked incorrectly #3128
Comments
@Yury-Fridlyand the internal What is the search request you are performing where you are seeing the insufficient privileges issue? FYI super admin can perform operations like deleting the security index, making updates to the security index directly or reload certificates and a regular admin cannot perform those operations.
I'm trying to do a search request (
You can see all my config attached.
@Yury-Fridlyand The linked errors in the .NET client look related to a known issue in 2.9.0 when using testClusters and the security plugin. More details can be found on this issue: #3064 This should be resolved now after merging this PR: #3066
I added backport 2.9 label to #3066
I use a 3.0.0 snapshot with this fix already.
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "No user found for indices:data/read/search"
      }
    ],
    "type" : "security_exception",
    "reason" : "No user found for indices:data/read/search"
  },
  "status" : 500
}
It looks like colon in the index name is problematic? Thank you for reporting the issue @Yury-Fridlyand!
Maybe I have a misconfiguration.
I will try to reproduce and report back. Is this around cross cluster search?
Yes
The .NET client is doing approximately:
@Xtansia Is your cluster set-up multi-node? There is a known issue in multi-node cluster setup in same JVM which causes Update: This is fixed for 2.9: #3129
Hi @Yury-Fridlyand, I was not able to reproduce this with the latest changes from main as of 09/08:
Steps followed when trying to reproduce:
Cluster setup:
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9200/'
{
"name" : "node-1",
"cluster_name" : "cluster-1",
...
}
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9250/'
{
"name" : "node-2",
"cluster_name" : "cluster-2",
...
}
CCS Setup:
➜ ~ curl -k -XPUT -H 'Content-Type: application/json' -u '<admin-creds>' 'https://localhost:9200/_cluster/settings' -d '
{
"persistent": {
"cluster.remote": {
"cluster-2": {
"seeds": ["127.0.0.1:9300"]
}
}
}
}'
{"acknowledged":true,"persistent":{"cluster":{"remote":{"cluster-2":{"seeds":["127.0.0.1:9300"]}}}},"transient":{}}%
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9200/_remote/info'
{"cluster-2":{"connected":true,"mode":"sniff","seeds":["127.0.0.1:9300"],"num_nodes_connected":1,"max_connections_per_cluster":3,"initial_connect_timeout":"30s","skip_unavailable":false}}%
Test the setup:
➜ ~ curl -XPUT -k -H 'Content-Type: application/json' -u '<admin-creds>' 'https://localhost:9250/books/_doc/1' -d '{"Dracula": "Bram Stoker"}'
{"_index":"books","_id":"1","_version":1,"result":"created","_shards":{"total":2,"successful":1,"failed":0},"_seq_no":0,"_primary_term":1}%
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9200/cluster-2:books/_search?pretty'
{
"took" : 119,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 1,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster-2:books",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"Dracula" : "Bram Stoker"
}
}
]
}
}
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9200/*:books/_search?pretty'
{
"took" : 22,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 1,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 1,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster-2:books",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"Dracula" : "Bram Stoker"
}
}
]
}
}
Note: I get index_not_found_exception for following search, but that could be due to a different issue:
➜ ~ curl -XGET -k -u '<admin-creds>' 'https://localhost:9200/cluster-2:books,cluster-1:books/_search?pretty'
{
"error" : {
"root_cause" : [
{
"type" : "index_not_found_exception",
"reason" : "no such index [cluster-1:books]",
"index" : "cluster-1:books",
"resource.id" : "cluster-1:books",
"resource.type" : "index_or_alias",
"index_uuid" : "_na_"
}
],
"type" : "index_not_found_exception",
"reason" : "no such index [cluster-1:books]",
"index" : "cluster-1:books",
"resource.id" : "cluster-1:books",
"resource.type" : "index_or_alias",
"index_uuid" : "_na_"
},
"status" : 404
}
Reproduced with opensearch 7278f434cd83f095623e34c2105f1b79d247af18 + security 46989b5
@Yury-Fridlyand I followed the steps you mentioned and I was not able to reproduce it. (One small change I made was I had to add
Output log:
➜ ~ curl -XGET -u '<admin-creds>' -k 'https://localhost:9200/'
{
"name" : "node-1",
"cluster_name" : "cluster-1",
"cluster_uuid" : "fJQ9dOCCSXKsk3X8WGqx4Q",
"version" : {
"distribution" : "opensearch",
"number" : "3.0.0-SNAPSHOT",
"build_type" : "tar",
"build_hash" : "ccf0b9a5036b8779514d4bfd9034e147e4617da8",
"build_date" : "2023-08-09T17:25:06.853863Z",
"build_snapshot" : true,
"lucene_version" : "9.8.0",
"minimum_wire_compatibility_version" : "2.10.0",
"minimum_index_compatibility_version" : "2.0.0"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
➜ ~ curl -XGET -u '<admin-creds>' -k 'https://localhost:9200/*:security-auditlog-*/_search?pretty'
{
"took" : 151,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 1,
"successful" : 1,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 2,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster-2:security-auditlog-2023.08.09",
"_id" : "21l524kBBr9mJxlzArLn",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_opendistro_security_remotecn" : "cluster-2",
"_opendistro_security_initial_action_class_header" : "BulkShardRequest",
"_opendistro_security_origin_header" : "REST"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:225",
"audit_transport_request_type" : "PutMappingRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{\"_doc\":{\"properties\":{\"Dracula\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":256}}}}}}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:48.230+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/mapping/auto_put",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_resolved_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
},
{
"_index" : "cluster-2:security-auditlog-2023.08.09",
"_id" : "3Fl524kBBr9mJxlzA7JC",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_system_index_access_allowed" : "false"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:213",
"audit_transport_request_type" : "CreateIndexRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:47.911+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/auto_create",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
}
]
}
}
➜ ~ curl --location --request PUT 'https://localhost:9200/_cluster/settings' --header 'Content-Type: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' --data '{
"transient": {
"cluster": {
"remote": {
"cluster-1": {
"seeds": ["127.0.0.1:9300", "127.0.0.1:9301"]
},
"cluster-2": {
"seeds": ["127.0.0.1:9300"]
}
}
}
}
}'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
➜ ~ curl --location --request PUT 'https://localhost:9200/_cluster/settings' --header 'Content-Type: application/json' --header 'Authorization: Basic YWRtaW46YWRtaW4=' -k --data '{
"transient": {
"cluster": {
"remote": {
"cluster-1": {
"seeds": ["127.0.0.1:9300", "127.0.0.1:9301"]
},
"cluster-2": {
"seeds": ["127.0.0.1:9300"]
}
}
}
}
}'
{"acknowledged":true,"persistent":{},"transient":{"cluster":{"remote":{"cluster-1":{"seeds":["127.0.0.1:9300","127.0.0.1:9301"]},"cluster-2":{"seeds":["127.0.0.1:9300"]}}}}}%
➜ ~ curl -XGET -u '<admin-creds>' -k 'https://localhost:9200/*:security-auditlog-*/_search?pretty'
{
"took" : 17,
"timed_out" : false,
"num_reduce_phases" : 3,
"_shards" : {
"total" : 2,
"successful" : 2,
"skipped" : 0,
"failed" : 0
},
"_clusters" : {
"total" : 2,
"successful" : 2,
"skipped" : 0
},
"hits" : {
"total" : {
"value" : 4,
"relation" : "eq"
},
"max_score" : 1.0,
"hits" : [
{
"_index" : "cluster-1:security-auditlog-2023.08.09",
"_id" : "21l524kBBr9mJxlzArLn",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_opendistro_security_remotecn" : "cluster-2",
"_opendistro_security_initial_action_class_header" : "BulkShardRequest",
"_opendistro_security_origin_header" : "REST"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:225",
"audit_transport_request_type" : "PutMappingRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{\"_doc\":{\"properties\":{\"Dracula\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":256}}}}}}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:48.230+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/mapping/auto_put",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_resolved_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
},
{
"_index" : "cluster-1:security-auditlog-2023.08.09",
"_id" : "3Fl524kBBr9mJxlzA7JC",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_system_index_access_allowed" : "false"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:213",
"audit_transport_request_type" : "CreateIndexRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:47.911+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/auto_create",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
},
{
"_index" : "cluster-2:security-auditlog-2023.08.09",
"_id" : "21l524kBBr9mJxlzArLn",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_opendistro_security_remotecn" : "cluster-2",
"_opendistro_security_initial_action_class_header" : "BulkShardRequest",
"_opendistro_security_origin_header" : "REST"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:225",
"audit_transport_request_type" : "PutMappingRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{\"_doc\":{\"properties\":{\"Dracula\":{\"type\":\"text\",\"fields\":{\"keyword\":{\"type\":\"keyword\",\"ignore_above\":256}}}}}}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:48.230+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/mapping/auto_put",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_resolved_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
},
{
"_index" : "cluster-2:security-auditlog-2023.08.09",
"_id" : "3Fl524kBBr9mJxlzA7JC",
"_score" : 1.0,
"_source" : {
"audit_cluster_name" : "cluster-2",
"audit_transport_headers" : {
"_system_index_access_allowed" : "false"
},
"audit_node_name" : "node-2",
"audit_trace_task_id" : "AA-8sdP4RdGPL4KYdWGUTw:213",
"audit_transport_request_type" : "CreateIndexRequest",
"audit_category" : "INDEX_EVENT",
"audit_request_origin" : "REST",
"audit_request_body" : "{}",
"audit_node_id" : "AA-8sdP4RdGPL4KYdWGUTw",
"audit_request_layer" : "TRANSPORT",
"@timestamp" : "2023-08-09T18:04:47.911+00:00",
"audit_format_version" : 4,
"audit_request_remote_address" : "127.0.0.1",
"audit_request_privilege" : "indices:admin/auto_create",
"audit_node_host_address" : "127.0.0.1",
"audit_request_effective_user" : "admin",
"audit_trace_indices" : [
"books"
],
"audit_node_host_name" : "127.0.0.1"
}
}
]
}
}
➜ ~
Seems like there might be a configuration issue on your end. Can you please post your set-up (opensearch.yml) and failure log?
@DarshitChanpura
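The two reproduction runs above turn on one resolution rule: a `prefix:pattern` index expression is routed to a remote cluster only when `prefix` is a configured remote alias, otherwise the whole string, colon included, is looked up as a local index name. That is why `cluster-2:books,cluster-1:books` returned `no such index [cluster-1:books]` in the first run (no `cluster-1` alias existed), and why `*:security-auditlog-*` hit two clusters once both aliases were registered. The following model of that rule is an added example, not OpenSearch code; the cluster names, index names and the `IndexNotFound` class are constructed stand-ins for the real cluster state and for `index_not_found_exception`.

```python
"""Model of cross-cluster search (CCS) index-expression resolution.

Added example, not the OpenSearch project's code. It reproduces the rule
visible in the thread: the part before ':' is only treated as a remote
cluster alias when such an alias is configured; a glob such as '*' selects
every configured alias; anything else makes the entire expression a LOCAL
index name, which then fails with index_not_found for 'cluster-1:books'.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

REMOTE_SEPARATOR = ":"
WILDCARDS = "*?"


class IndexNotFound(Exception):
    """Stand-in for OpenSearch's index_not_found_exception (HTTP 404)."""


def has_wildcard(text: str) -> bool:
    return any(ch in text for ch in WILDCARDS)


def matching_remotes(prefix: str, remotes: set[str]) -> list[str]:
    """Remote aliases selected by the text before the colon.

    A literal prefix must be a configured alias; a glob prefix selects every
    configured alias it matches. Anything else selects nothing, which sends
    the whole expression down the local path.
    """
    if has_wildcard(prefix):
        return sorted(r for r in remotes if fnmatchcase(r, prefix))
    return [prefix] if prefix in remotes else []


def resolve_targets(expression: str, remotes: set[str], local_indices: set[str],
                    remote_indices: dict[str, set[str]]) -> dict[str, list[str]]:
    """Map a comma-separated CCS expression to {cluster_alias: [indices]}.

    The empty-string key stands for the local cluster. A concrete (wildcard
    free) name that matches nothing raises IndexNotFound, a wildcard that
    matches nothing simply contributes no targets.
    """
    targets: dict[str, list[str]] = {}
    for expr in (part.strip() for part in expression.split(",")):
        prefix, sep, pattern = expr.partition(REMOTE_SEPARATOR)
        clusters = matching_remotes(prefix, remotes) if sep else []
        if clusters:
            for cluster in clusters:
                hits = sorted(name for name in remote_indices.get(cluster, set())
                              if fnmatchcase(name, pattern))
                if not hits and not has_wildcard(pattern):
                    raise IndexNotFound(f"no such index [{cluster}:{pattern}]")
                if hits:
                    targets.setdefault(cluster, []).extend(hits)
            continue
        # Not a known remote: the colon is just a character in a local name.
        hits = sorted(name for name in local_indices if fnmatchcase(name, expr))
        if not hits and not has_wildcard(expr):
            raise IndexNotFound(f"no such index [{expr}]")
        if hits:
            targets.setdefault("", []).extend(hits)
    return targets


if __name__ == "__main__":
    # Constructed cluster state mirroring the thread: one local cluster and
    # one remote alias, each holding a 'books' index and an audit-log index.
    remotes = {"cluster-2"}
    local = {"books", "security-auditlog-2023.08.09"}
    remote = {"cluster-2": {"books", "security-auditlog-2023.08.09"}}
    for expr in ("cluster-2:books", "*:books", "cluster-2:books,cluster-1:books"):
        try:
            print(expr, "->", resolve_targets(expr, remotes, local, remote))
        except IndexNotFound as exc:
            print(expr, "-> 404:", exc)
```

One caveat a reader of the second run should note: both `cluster-1` and `cluster-2` were seeded with `127.0.0.1:9300`, and the hits returned under the `cluster-1:` prefix carry `"audit_cluster_name" : "cluster-2"`, so the four hits are the same two documents reached through two aliases rather than data from two different clusters. The model reproduces that by pointing both aliases at the same index set; a per-alias seed check, which the model does not do, is what would distinguish the two.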
@Yury-Fridlyand Here is a summary of our discussion on slack:
Closing it as it was a local cluster setup issue.
I still insist that there is a bug [1].
Footnotes
[1] So until the remote cluster is started, I can't access data on the main cluster.
What is the bug?
The isAdmin check in security/src/main/java/org/opensearch/security/configuration/AdminDNs.java (lines 123 to 125 in 7219feb) always fails, because in security/src/main/java/org/opensearch/security/configuration/AdminDNs.java (line 140 in 7219feb) the string passed to new LdapName(...) is incorrect. This check is called from multiple places, for example from security/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java (lines 151 to 153 in 7219feb).
This gives me error
for built-in user admin with godlike permissions all_access. Seen in different IT test setups, for example in opensearch-project/opensearch-net#311.
How can one reproduce the bug?
What is the expected behavior?
The check should pass.
The code should be, I suppose,
What is your host/environment?
Do you have any screenshots?
Do you have any additional context?
(https was disabled to simplify debugging)
I can submit a PR if you think that updating isAdminDN as I proposed is good enough.