Link Search Menu Expand Document Documentation Menu

Permissions

Each permission in the Security plugin controls access to some action that the Lucenia cluster can perform, such as indexing a document or checking cluster health.

Most permissions are self-describing. For example, cluster:admin/ingest/pipeline/get lets you retrieve information about ingest pipelines. In many cases, a permission correlates to a specific REST API operation, such as GET _ingest/pipeline.

Despite this correlation, permissions do not directly map to REST API operations. Operations such as POST _bulk and GET _msearch can access many indexes and perform many actions in a single request. Even a simple request, such as GET _cat/nodes, performs several actions in order to generate its response.

In short, controlling access to the REST API is insufficient. Instead, the Security plugin controls access to the underlying Lucenia actions.

For example, consider the following _bulk request:

POST _bulk
{ "delete": { "_index": "test-index", "_id": "tt2229499" } }
{ "index": { "_index": "test-index", "_id": "tt1979320" } }
{ "title": "Rush", "year": 2013 }
{ "create": { "_index": "test-index", "_id": "tt1392214" } }
{ "title": "Prisoners", "year": 2013 }
{ "update": { "_index": "test-index", "_id": "tt0816711" } }
{ "doc" : { "title": "World War Z" } }

For this request to succeed, you must have the following permissions for test-index:

  • indices:data/write/bulk*
  • indices:data/write/delete
  • indices:data/write/index
  • indices:data/write/update

These permissions also allow you add, update, or delete documents (e.g. PUT test-index/_doc/tt0816711), because they govern the underlying Lucenia actions of indexing and deleting documents rather than a specific API path and HTTP method.

Test permissions

If you want a user to have the absolute minimum set of permissions necessary to perform some function—the principle of least privilege—the best way is to send representative requests to your cluster as a new test user. In the case of a permissions error, the Security plugin is very explicit about which permissions are missing. Consider this request and response:

GET _cat/shards?v

{
  "error": {
    "root_cause": [{
      "type": "security_exception",
      "reason": "no permissions for [indices:monitor/stats] and User [name=test-user, backend_roles=[], requestedTenant=null]"
    }]
  },
  "status": 403
}

Create a user and a role, map the role to the user, and start sending signed requests using curl, Postman, or any other client. Then gradually add permissions to the role as you encounter errors. Even after you resolve one permissions error, the same request might generate new errors; the plugin only returns the first error it encounters, so keep trying until the request succeeds.

Rather than individual permissions, you can often achieve your desired security posture using a combination of the default action groups. See Default action groups for descriptions of the permissions that each group grants.

System index permissions

System index permissions are unique among other permissions in that they extend some traditional admin-only accessibility to non-admin users. These permissions give normal users the ability to modify any system index specified in the role or roles to which they are mapped. The exception to this is the security system index, .opendistro_security, which is used to store the Security plugin’s configuration YAML files and remains accessible only to admins with an admin certificate.

Along with standard index permissions, you specify system index permissions in the roles.yml configuration file under index_permissions (see roles.yml). This involves a two-step process: 1) adding the system index in the index_patterns section and 2) specifying system:admin/system_index in the role’s allowed_actions section.

System index permissions also work with the wildcard to include all variations of a partial system index name. This can be useful, but it should be used with caution to avoid giving unintentional access to system indexes. When specifying system indexes for roles, keep the following considerations in mind:

  • Specifying the full name of a system index limits access to only that index: .opendistro-alerting-config.
  • Specifying a partial name for a system index along with the wildcard provides access to all system indexes that begin with that name: .opendistro-anomaly-detector*.
  • Although not recommended—given the wide-reaching access granted by this role definition—using * for the index pattern along with system:admin/system_index as an allowed action grants access to all system indexes.

    Entering the wildcard * by itself under allowed_actions does not automatically grant access to system indexes. The allowed action system:admin/system_index must be explicitly added.

The following example shows a role that grants access to all system indexes:

index_permissions:
    - index_patterns:
        - '*'
    - allowed_actions:
        - 'system:admin/system_index'

Verifying system index access

You can use the CAT indices operation to see all indexes associated with any index pattern in your permissions configuration and verify that the permissions provide the access you intended. For example, if you want to verify a permission that includes system indexes beginning with the prefix .kibana, you can run the GET /_cat/indices/.kibana* call to return all indexes associated with that prefix.

The following example response shows the three system indexes associated with the index pattern .kibana*:

health | status | index | uuid | pri | rep | docs.count | docs.deleted | store.size | pri.store.size
green open .kibana_1 XmTePICFRoSNf5O5uLgwRw 1 1 220 0 468.3kb 232.1kb
green open .kibana_2 XmTePICFRoSNf5O5uLgwRw 1 1 220 0 468.3kb 232.1kb
green open .kibana_3 XmTePICFRoSNf5O5uLgwRw 1 1 220 0 468.3kb 232.1kb

Enabling system index permissions

Users that have the permission restapi:admin/roles are able to map system index permissions to all users in the same way they would for a cluster or index permission in the roles.yml file. However, to preserve some control over this permission, the plugins.security.system_indices.permission.enabled setting allows you to enable or disable the system index permissions feature. This setting is disabled by default. To enable the system index permissions feature, set plugins.security.system_indices.permissions.enabled to true. For more information about this setting, see Enabling user access to system indexes.

Keep in mind that enabling this feature and mapping system index permissions to normal users gives those users access to indexes that may contain sensitive information and configurations essential to a cluster’s health. We also recommend caution when mapping users to restapi:admin/roles because this permission gives a user not only the ability to assign the system index permission to another user but also the ability to self-assign access to any system index.

do_not_fail_on_forbidden

If a user attempts to query multiple indexes, some of which they lack permissions for, by default they get an error in the OpenSearch Dashboards UI or an exception when using cURL or an API. If you instead want the user to receive the search results for any of the indexes for which they do have permissions, you can set the option do_not_fail_on_forbidden to true in config.yml. See the following example:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    do_not_fail_on_forbidden: true
    authc:
      basic_internal_auth_domain:
      ...

It is important to remember that if this option is set to true, then the user is served the data as if it is the complete dataset. There is no indication that some data may be omitted.

do_not_fail_on_forbidden_empty

When a user attempts to view a visualization for which they lack index permissions, they will see error in place of the visualization. To change this behavior to display No results displayed because all values equal 0., you can set do_not_fail_on_forbidden_empty to true in config.yml. This option is only valid if do_not_fail_on_forbidden is also set to true. See the following example:

_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: "192\\.168\\.0\\.10|192\\.168\\.0\\.11"
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    authc:
      basic_internal_auth_domain:
      ...

Cluster permissions

These permissions are for the cluster and can’t be applied granularly. For example, you either have permissions to take snapshots (cluster:admin/snapshot/create) or you don’t. The cluster permission, therefore, cannot grant a user privileges to take snapshots of a select set of indexes while preventing the user from taking snapshots of others.

Cross-references to API documentation in the permissions that follow are only intended to provide an understanding of the permissions. As stated at the beginning of this section, permissions often correlate to APIs but do not map directly to them.

Ingest API permissions

See Ingest APIs.

  • cluster:admin/ingest/pipeline/delete
  • cluster:admin/ingest/pipeline/get
  • cluster:admin/ingest/pipeline/put
  • cluster:admin/ingest/pipeline/simulate
  • cluster:admin/ingest/processor/grok/get

Asynchronous Search permissions

See Asynchronous search.

  • cluster:admin/opendistro/asynchronous_search/stats
  • cluster:admin/opendistro/asynchronous_search/delete
  • cluster:admin/opendistro/asynchronous_search/get
  • cluster:admin/opendistro/asynchronous_search/submit

Reindex

See Reindex document.

  • cluster:admin/reindex/rethrottle

Snapshot repository permissions

See Snapshot APIs.

  • cluster:admin/repository/delete
  • cluster:admin/repository/get
  • cluster:admin/repository/put
  • cluster:admin/repository/verify

Reroute

See Cluster manager task throttling.

  • cluster:admin/reroute

Script permissions

See Script APIs.

  • cluster:admin/script/delete
  • cluster:admin/script/get
  • cluster:admin/script/put

Update settings permission

See Update settings on the Index APIs page.

  • cluster:admin/settings/update

Snapshot permissions

See Snapshot APIs.

  • cluster:admin/snapshot/create
  • cluster:admin/snapshot/delete
  • cluster:admin/snapshot/get
  • cluster:admin/snapshot/restore
  • cluster:admin/snapshot/status
  • cluster:admin/snapshot/status*

Task permissions

See Tasks in the API Reference section.

  • cluster:admin/tasks/cancel
  • cluster:admin/tasks/test
  • cluster:admin/tasks/testunblock

Data source permissions

See Data sources

  • cluster:admin/lucenia/ql/datasources/create
  • cluster:admin/lucenia/ql/datasources/read
  • cluster:admin/lucenia/ql/datasources/update
  • cluster:admin/lucenia/ql/datasources/delete
  • cluster:admin/lucenia/ql/datasources/patch
  • cluster:admin/lucenia/ql/async_query/create
  • cluster:admin/lucenia/ql/async_query/result
  • cluster:admin/lucenia/ql/async_query/delete

Monitoring permissions

Cluster permissions for monitoring the cluster apply to read-only operations, such as checking cluster health and getting information about usage on nodes or tasks running in the cluster.

See REST API reference.

  • cluster:monitor/allocation/explain
  • cluster:monitor/health
  • cluster:monitor/main
  • cluster:monitor/nodes/hot_threads
  • cluster:monitor/nodes/info
  • cluster:monitor/nodes/liveness
  • cluster:monitor/nodes/stats
  • cluster:monitor/nodes/usage
  • cluster:monitor/remote/info
  • cluster:monitor/state
  • cluster:monitor/stats
  • cluster:monitor/task
  • cluster:monitor/task/get
  • cluster:monitor/tasks/lists

Index templates

The index template permissions are for indexes but apply globally to the cluster.

See Index templates.

  • indices:admin/index_template/delete
  • indices:admin/index_template/get
  • indices:admin/index_template/put
  • indices:admin/index_template/simulate
  • indices:admin/index_template/simulate_index

Index permissions

These permissions apply to an index or index pattern. You might want a user to have read access to all indexes (that is, *), but write access to only a few (for example, web-logs and product-catalog).

Permission Description
indices:admin/aliases Permissions for index aliases.
indices:admin/aliases/get Permission to get index aliases.
indices:admin/analyze Permission to use the Analyze API.
indices:admin/cache/clear Permission to clear cache.
indices:admin/close Permission to close an index.
indices:admin/close* Permission to close an index.
indices:admin/create Permission to create indexes.
indices:admin/data_stream/create Permission to create data streams.
indices:admin/data_stream/delete Permission to delete data streams.
indices:admin/data_stream/get Permission to get data streams.
indices:admin/delete Permission to delete indexes.
indices:admin/exists Permission to use exists query.
indices:admin/flush Permission to flush an index.
indices:admin/flush* Permission to flush an index.
indices:admin/forcemerge Permission to force merge indexes and data streams.
indices:admin/get Permission to get index and mapping.
indices:admin/mapping/put Permission to add new mappings and fields to an index.
indices:admin/mappings/fields/get Permission to get mappings fields.
indices:admin/mappings/fields/get* Permission to get mappings fields.
indices:admin/mappings/get Permission to get mappings.
indices:admin/open Permission to open an index.
indices:admin/plugins/replication/index/setup/validate Permission to validate a connection to a remote cluster.
indices:admin/plugins/replication/index/start Permission to start cross-cluster replication.
indices:admin/plugins/replication/index/pause Permission to pause cross-cluster replication.
indices:admin/plugins/replication/index/resume Permission to resume cross-cluster replication.
indices:admin/plugins/replication/index/stop Permission to stop cross-cluster replication.
indices:admin/plugins/replication/index/update Permission to update cross-cluster replication settings.
indices:admin/plugins/replication/index/status_check Permission to check the status of cross-cluster replication.
indices:admin/refresh Permission to use the index refresh API.
indices:admin/refresh* Permission to use the index refresh API.
indices:admin/resolve/index Permission to resolve index names, index aliases and data streams.
indices:admin/rollover Permission to perform index rollover.
indices:admin/seq_no/global_checkpoint_sync Permission to perform a global checkpoint sync.
indices:admin/settings/update Permission to update index settings.
indices:admin/shards/search_shards Permission to perform cross cluster search.
indices:admin/template/delete  
indices:admin/upgrade Permission for administrators to perform upgrades.
indices:admin/validate/query Permission to validate a specific query.
indices:data/read/explain Permission to run the Explain API.
indices:data/read/field_caps Permission to run the Field Capabilities API.
indices:data/read/field_caps* Permission to run the Field Capabilities API.
indices:data/read/get Permission to read index data.
indices:data/read/mget Permission to run multiple GET operations in one request.
indices:data/read/mget* Permission to run multiple GET operations in one request.
indices:data/read/msearch Permission to run multiple search requests into a single request.
indices:data/read/msearch/template Permission to bundle multiple search templates and send them to your Lucenia cluster in a single request.
indices:data/read/mtv Permission to retrieve multiple term vectors with a single request.
indices:data/read/mtv* Permission to retrieve multiple term vectors with a single request.
indices:data/read/plugins/replication/file_chunk Permission to check files during segment replication.
indices:data/read/plugins/replication/changes Permission to make changes to segment replication settings.
indices:data/read/scroll Permission to scroll data.
indices:data/read/scroll/clear Permission to clear read scroll data.
indices:data/read/search Permission to search data.
indices:data/read/search* Permission to search data.
indices:data/read/search/template Permission to read a search template.
indices:data/read/tv Permission to retrieve information and statistics for terms in the fields of a particular document.
indices:data/write/bulk Permission to run a bulk request.
indices:data/write/bulk* Permission to run a bulk request.
indices:data/write/delete Permission to delete documents.
indices:data/write/delete/byquery Permission to delete all documents that match a query.
indices:data/write/plugins/replication/changes Permission to change data replication configurations and settings within indexes.
indices:data/write/index Permission to add documents to existing indexes. See also Index document.
indices:data/write/reindex Permission to run a reindex.
indices:data/write/update Permission to update an index.
indices:data/write/update/byquery Permission to run the script to update all of the documents that match the query.
indices:monitor/data_stream/stats Permission to stream stats.
indices:monitor/recovery Permission to access recovery stats.
indices:monitor/segments Permission to access segment stats.
indices:monitor/settings/get Permission to get mointor settings.
indices:monitor/shard_stores Permission to access shard store stats.
indices:monitor/stats Permission to access monitoring stats.
indices:monitor/upgrade Permission to access upgrade stats.

Security REST permissions

Allowing access to these endpoints has the potential to trigger operational changes in the cluster. Proceed with caution.

The following REST API permissions control access to the endpoints. Granting access to any of these APIs allows a user to change fundamental operational components of the Security plugin:

  • restapi:admin/actiongroups
  • restapi:admin/allowlist
  • restapi:admin/internalusers
  • restapi:admin/nodesdn
  • restapi:admin/roles
  • restapi:admin/rolesmapping
  • restapi:admin/ssl/certs/info
  • restapi:admin/ssl/certs/reload
  • restapi:admin/tenants