[BUG] Search returns 403 with PIT enabled with search permission on specific index #5508
Description
What is the bug? A clear and concise description of the bug.
POST _plugins/_ppl
{"query":"source=example | where observedTime >= '2024-04-24 06:58:43.722000' and observedTime <= '2025-07-24 06:58:43.722000'","format":"jdbc"}
The above query gets translated to the following PIT search request.
{
  "from" : 0,
  "size" : 10000,
  "timeout" : "1m",
  "query" : {
    "bool" : {
      "filter" : [ {
        "range" : {
          "observedTime" : {
            "from" : 1713941923722,
            "to" : null,
            "include_lower" : true,
            "include_upper" : true,
            "boost" : 1.0
          }
        }
      }, {
        "range" : {
          "observedTime" : {
            "from" : null,
            "to" : 1753340323722,
            "include_lower" : true,
            "include_upper" : true,
            "boost" : 1.0
          }
        }
      } ],
      "adjust_pure_negative" : true,
      "boost" : 1.0
    }
  },
  "_source" : {
    "includes" : [ "traceId", "instrumentationScope", "log", "resource", "flags", "severityNumber", "body", "serviceName", "observedTime", "schemaUrl", "spanId", "severityText", "droppedAttributesCount", "time" ],
    "excludes" : [ ]
  },
  "sort" : [ {
    "_doc" : {
      "order" : "asc"
    }
  } ],
  "pit" : {
    "id" : "29eFQQEVc3M0b19sb2dzLW90ZWwtc2FtcGxlFk9GcTdGcGRGUUFDcjhKWjJmT2gtX0EAFmxGX1lzUHNGUmpXeU9sWVVPaTFRclEAAAAAAAAAABMWWlA4ODdTUFVSRU9wNDViQkoxc3l5QQEWT0ZxN0ZwZEZRQUNyOEpaMmZPaC1fQQAA"
  }
}
The above DSL search query is throwing the following exception even with all the permissions required for the ss4o* index pattern:
"{\n \"error\": {\n \"reason\": \"Error occurred in OpenSearch engine: no permissions for [indices:data/read/search] and User [name=readonly, backend_roles=[], requestedTenant=__user__]\",\n \"details\": \"OpenSearchSecurityException[no permissions for [indices:data/read/search] and User [name=readonly, backend_roles=[], requestedTenant=__user__]]\\nFor more details, please send request for Json format to see the raw response from OpenSearch engine.\",\n \"type\": \"OpenSearchSecurityException\"\n },\n \"status\": 403\n}"
Security plugin logs, which say the user has permissions for the above index, but the privileges evaluator is verifying access to all indices instead of just the indices requested:
[2025-07-24T12:21:43,750][INFO ][o.o.s.p.PPLService ] [80a9973defcb] [9eef907a-7b71-4531-8e44-0d40d6a9c058] Incoming request source=ss4o_logs-otel-sample | where observedTime >= *** and observedTime <= ***
[2025-07-24T12:21:43,766][INFO ][o.o.s.p.PrivilegesEvaluator] [80a9973defcb] No index-level perm match for User [name=readonly, backend_roles=[], requestedTenant=__user__] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]: null [Action [indices:data/read/search]] [RolesChecked [readonly, own_index]]
[2025-07-24T12:21:43,767][INFO ][o.o.s.p.PrivilegesEvaluator] [80a9973defcb] Index to privilege matrix:
| indices:data/read/search |
.ql-datasources | MISSING |
security-auditlog-2025.07.24 | MISSING |
.opendistro_security | MISSING |
example | ok |
top_queries-2025.07.24-40860 | MISSING |
.plugins-ml-config | MISSING |
.kibana | MISSING |
opensearch_dashboards_sample_data_logs | MISSING |
.opensearch-sap-log-types-config | MISSING |
opensearch_dashboards_sample_data_flights | MISSING |
opensearch_dashboards_sample_data_ecommerce| MISSING |
Thanks @vamsimanohar for adding the description.
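For triaging 403s of this kind, here is an added example (not part of the original issue and not code from the security plugin) that parses the PrivilegesEvaluator lines shown above and flags a denial where the request was scoped to `*` even though the user holds the action on at least one index. The function name `triage`, the result keys and the regular expressions are assumptions of this example; the sample input is the log from the issue with the matrix shortened to four rows.

```python
import re

# Log lines copied from the issue above (matrix shortened to four rows).
SAMPLE_LOG = """\
[2025-07-24T12:21:43,766][INFO ][o.o.s.p.PrivilegesEvaluator] [80a9973defcb] No index-level perm match for User [name=readonly, backend_roles=[], requestedTenant=__user__] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]]: null [Action [indices:data/read/search]] [RolesChecked [readonly, own_index]]
[2025-07-24T12:21:43,767][INFO ][o.o.s.p.PrivilegesEvaluator] [80a9973defcb] Index to privilege matrix:
| indices:data/read/search |
.ql-datasources | MISSING |
.opendistro_security | MISSING |
example | ok |
.kibana | MISSING |
"""

DENY_RE = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+).*?"
    r"originalRequested=\[(?P<requested>[^\]]*)\].*?"
    r"\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)
ROW_RE = re.compile(r"^\s*(?P<index>\S+)\s*\|\s*(?P<state>ok|MISSING)\s*\|\s*$")


def triage(log_text):
    """Summarise one denial: who, which action, and how the request was scoped."""
    result = {"granted": [], "missing": []}
    for line in log_text.splitlines():
        deny = DENY_RE.search(line)
        if deny:
            result["user"] = deny["user"]
            result["action"] = deny["action"]
            result["roles"] = [r.strip() for r in deny["roles"].split(",") if r.strip()]
            result["requested"] = [i.strip() for i in deny["requested"].split(",") if i.strip()]
            continue
        row = ROW_RE.match(line)
        if row:
            key = "granted" if row["state"] == "ok" else "missing"
            result[key].append(row["index"])
    # Wildcard scope plus at least one granted index is the pattern reported here:
    # the role works, but the request was evaluated against every index.
    result["wildcard_scope_denial"] = (
        result.get("requested") == ["*"] and bool(result["granted"]) and bool(result["missing"])
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A `wildcard_scope_denial` of `True` separates this case from a role that simply lacks the permission, where no row would read `ok`.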