[BUG] Close API requires "hidden" permission #1461

@aetter

Describe the bug
Even with the indices:admin/close permission, you can't close an index. You also need the indices:admin/close* permission, which isn't listed in OpenSearch Dashboards.

Added: It's not clear to me if this is a problem with the OpenSearch plugin or OpenSearch Dashboards plugin. Have we considered a "list permissions" REST API (GET _plugins/_security/api/permissions/) so that it's easier to get the authoritative list of all permissions?

To Reproduce
Steps to reproduce the behavior:

  1. As admin, create a new user.
  2. Create test-index and index a couple of documents.
  3. Create the following role:
PUT https://localhost:9200/_plugins/_security/api/roles/test
{
    "cluster_permissions": [
    ],
    "index_permissions": [
        {
            "index_patterns": [
                "test-index"
            ],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": [
                "indices:admin/close",
                "indices:admin/open"
            ]
        }
    ]
}
  4. Map the new role to the new user.
  5. As the new user, send the following request:
POST https://localhost:9200/test-index/_close
  6. Note the error:
{
    "acknowledged": false,
    "shards_acknowledged": false,
    "indices": {
        "test-index": {
            "closed": false,
            "failedShards": {
                "0": {
                    "failures": [
                        {
                            "shard": 0,
                            "index": "test-index",
                            "status": "FORBIDDEN",
                            "reason": {
                                "type": "security_exception",
                                "reason": "no permissions for [indices:admin/close[s]] and User [name=test, backend_roles=[], requestedTenant=null]"
                            }
                        }
                    ]
                }
            }
        }
    }
}
  7. As admin, update the role:
PUT https://localhost:9200/_plugins/_security/api/roles/test
{
    "cluster_permissions": [
    ],
    "index_permissions": [
        {
            "index_patterns": [
                "test-index"
            ],
            "dls": "",
            "fls": [],
            "masked_fields": [],
            "allowed_actions": [
                "indices:admin/close",
                "indices:admin/close*",
                "indices:admin/open"
            ]
        }
    ]
}
  8. As the new user, send the request again:
POST https://localhost:9200/test-index/_close

Success.

Expected behavior
The indices:admin/close* permission should either not be necessary or should be included in the Dashboards UI.
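
The denied action in the report is `indices:admin/close[s]`, which the exact entry `indices:admin/close` does not match but `indices:admin/close*` does. The following is an added example, not part of the original issue and not the security plugin's code: it extracts denied actions from a response body and checks them against a role's `allowed_actions`. The helpers `denied_actions`, `covers` and `uncovered` are hypothetical, the matcher is a simplified assumption that treats only `*` as a wildcard, and the sample response is constructed by trimming the one in the report.

```python
import json
import re

# Constructed sample: the error body from the report, trimmed to one shard failure.
SAMPLE_RESPONSE = json.dumps({
    "indices": {"test-index": {"closed": False, "failedShards": {"0": {"failures": [{
        "shard": 0,
        "index": "test-index",
        "status": "FORBIDDEN",
        "reason": {
            "type": "security_exception",
            "reason": "no permissions for [indices:admin/close[s]] and User "
                      "[name=test, backend_roles=[], requestedTenant=null]",
        },
    }]}}}},
})

# The action name itself may contain brackets, so anchor on the text after it.
DENIED = re.compile(r"no permissions for \[(.*?)\] and User")

def denied_actions(node):
    """Walk a parsed response and collect action names from security_exception reasons."""
    found = []
    if isinstance(node, dict):
        reason = node.get("reason")
        if node.get("type") == "security_exception" and isinstance(reason, str):
            match = DENIED.search(reason)
            if match:
                found.append(match.group(1))
        for value in node.values():
            found.extend(denied_actions(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(denied_actions(item))
    return found

def covers(pattern, action):
    """Assumed simplified matcher: '*' matches any run of characters, the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None

def uncovered(allowed_actions, response_text):
    """Return denied actions that no entry in allowed_actions matches."""
    denied = denied_actions(json.loads(response_text))
    return [a for a in denied if not any(covers(p, a) for p in allowed_actions)]

if __name__ == "__main__":
    for role in (["indices:admin/close", "indices:admin/open"], ["indices:admin/close*"]):
        print(role, "->", uncovered(role, SAMPLE_RESPONSE))
```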

Labels: bug, triaged, v2.6.0