Add support for SearchTemplateRequest while resolving request #1678
Comments
I am hitting this as I have the same identical problem listed here.
Specifically, my role has the following permissions:
When logging in, the API call
returns with:
Adding the following permissions does nothing.
The only way I can get some progress is by granting:
In that case, the previous call succeeds and returns:
Unfortunately there are still problems, as when trying to access Discover or Dashboards, for the API call the response is:
For the API call the response is:
The only way I can properly browse is to grant:
Notice how a lot more indexes are returned compared to before.
[Triage 2/27/2023] This issue remains relevant and should continue to be a part of the backlog.
Hello all, any update on this? I am facing the same issue. Even after adding the permission it's still throwing an error.
I briefly looked at this issue and there's a complication in implementing a fix for this because these actions live in
But since, when trying to cast the request to
I think a solution to the issue described above is just to add

Inside the Transport Action of SearchTemplateAction it performs a search request, where the authorization can be checked to ensure the user has permissions to search on the requested indices: https://github.com/opensearch-project/OpenSearch/blob/main/modules/lang-mustache/src/main/java/org/opensearch/script/mustache/TransportSearchTemplateAction.java#L83-L111

For SearchTemplateRequest the authorization could be:
1) Can the user do a SearchTemplateRequest (cluster permission), and
2) Can the user search on the requested indices?
Addressing SearchTemplates feels like it will create more complexity around permissions in areas that are already difficult. I feel like this will expose more issues or create unclear user expectations. Some of my thought process:

Who can perform write operations on search templates?
Search templates are cluster wide; there are options to target specific indices. Embedded in the template is index targeting information. Cluster level permissions are needed to cover the broad nature of these items. While viewing / modifying indices isn't the same kind of permission to the resource, it's strange to combine the two.

Who can perform get operations on search templates?
Search indices can be found cluster wide or focused on indices. We've got behavior such as do not fail on forbidden, that could seemingly allow returning a subset of responses filtered by matching index; that makes user comprehension hard. Cluster level permissions, as it would be strange for read operations to have a behavioral permission declaration that its write counterpart does not.

Who can search with a template?
Since authoring and reading templates is restricted at the cluster level, it seems that you need those cluster level permissions to ensure the correct, broad scope of what could be within templates. Cluster level permissions are required.

This seems really restrictive, why so restrictive?
OpenSearch considers divulging document field names secured by FLS a vulnerability. The potential of exposing fields such as this through a search template exists and it seems non-trivial to mitigate.
…quest Auth (#2921)

Adds integration test to verify change in core, allowing proper authorization of search template request

related to: #1678

### Description
[Describe what this change achieves]
* Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
* Why these changes are required?
* What is the old behavior before changes and new behavior after changes?

### Issues Resolved
[List any issues this PR will resolve]

Is this a backport? If so, please add backport PR # and/or commits #

### Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [ ] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Derek Ho <dxho@amazon.com>
Security plugin doesn't support SearchTemplateRequest while resolving request/index permissions.
This causes permissions to be evaluated against all (*) here: https://github.com/opensearch-project/security/blob/1.1/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java#L310-L312
Hence, a user/role with permissions limited to specific indices sees 403s when a search template request is used.
Currently available workaround is to use the following permissions:
Example request:
logs-
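The following is an added example, not code from the security plugin or from anyone in this thread. It models the failure mode described in the issue body (a request type the index resolver does not recognise is evaluated against "*", so a role limited to a pattern such as logs-* gets a 403, while a role granted "*" succeeds) and the two-step check proposed in the comment above (a cluster-level permission to use search templates, then index-level search permission on the indices the inner search actually targets). The request and role classes, the permission strings, the index names and the resolver functions are all constructed stand-ins for this simulation, not OpenSearch APIs or identifiers.

```python
"""Simulation of index-permission resolution for a search-template request.

Added example, not the security plugin's code. Everything here is a constructed
stand-in: the permission names, the request classes and the index names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed permission names (not the plugin's real identifiers).
SEARCH_ACTION = "indices:data/read/search"
TEMPLATE_CLUSTER_PERMISSION = "search_template_cluster_permission"
WILDCARD = "*"


@dataclass
class SearchRequest:
    """Plain search: the resolver can read its target indices directly."""
    indices: tuple[str, ...]


@dataclass
class SearchTemplateRequest:
    """Composite request: the template renders into an inner SearchRequest."""
    inner: SearchRequest


@dataclass
class Role:
    cluster_permissions: set[str] = field(default_factory=set)
    # index pattern -> set of allowed actions on indices matching that pattern
    index_permissions: dict[str, set[str]] = field(default_factory=dict)


def resolve_indices_legacy(request: object) -> set[str]:
    """Behaviour the issue describes: a request type the resolver does not
    understand is treated as targeting every index ("*")."""
    if isinstance(request, SearchRequest):
        return set(request.indices)
    return {WILDCARD}


def resolve_indices_fixed(request: object) -> set[str]:
    """Unwrap the composite request so the indices actually searched are checked."""
    if isinstance(request, SearchTemplateRequest):
        return resolve_indices_fixed(request.inner)
    return resolve_indices_legacy(request)


def index_allowed(role: Role, index: str, action: str) -> bool:
    """True when some pattern in the role matches the index and grants the action.
    A resolved target of "*" is only matched by a role pattern that is itself "*",
    which is exactly why the wildcard grant was the only working workaround."""
    return any(
        fnmatchcase(index, pattern) and action in actions
        for pattern, actions in role.index_permissions.items()
    )


def authorize(role: Role, request: object, resolver) -> int:
    """Two-step check: (1) cluster-level permission to use search templates,
    (2) index-level search permission on every resolved index.
    Returns an HTTP-style 200 when allowed and 403 otherwise."""
    if isinstance(request, SearchTemplateRequest):
        if TEMPLATE_CLUSTER_PERMISSION not in role.cluster_permissions:
            return 403
    if all(index_allowed(role, idx, SEARCH_ACTION) for idx in resolver(request)):
        return 200
    return 403


# Constructed sample roles and requests.
LOGS_READER = Role(
    cluster_permissions={TEMPLATE_CLUSTER_PERMISSION},
    index_permissions={"logs-*": {SEARCH_ACTION}},
)
ALL_READER = Role(
    cluster_permissions={TEMPLATE_CLUSTER_PERMISSION},
    index_permissions={"*": {SEARCH_ACTION}},
)
TEMPLATE_ON_LOGS = SearchTemplateRequest(SearchRequest(("logs-2023-02",)))
TEMPLATE_ON_MIXED = SearchTemplateRequest(SearchRequest(("logs-2023-02", "customers")))


def demo() -> dict[str, int]:
    """Status codes for the scenarios discussed in the thread."""
    return {
        "legacy, logs-* role": authorize(LOGS_READER, TEMPLATE_ON_LOGS, resolve_indices_legacy),
        "legacy, * role (workaround)": authorize(ALL_READER, TEMPLATE_ON_LOGS, resolve_indices_legacy),
        "fixed, logs-* role": authorize(LOGS_READER, TEMPLATE_ON_LOGS, resolve_indices_fixed),
        "fixed, logs-* role, out-of-scope index": authorize(LOGS_READER, TEMPLATE_ON_MIXED, resolve_indices_fixed),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The design point is that unwrapping the composite request does not loosen anything: a template whose inner search touches an index outside the role's pattern is still refused, and a role that lacks the cluster-level permission is refused before the index check runs. The legacy path shows why only the broad "*" grant ever worked, which is the over-privileging the issue is about.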