Issue with permissions for monitor creation

Hi all

I have an AWS Elasticsearch cluster (version 7.7) with RBAC enabled. Currently there are 2 role mappings:

  • ‘admin’ IAM role is mapped to ‘all_access’ Opendistro role (built-in)
  • ‘developers’ IAM role is mapped to ‘developers’ Opendistro role (created by me)

The developers group should have limited permissions that are based on DLS, and I managed to configure that.

But I also want the ‘developers’ group to be able to create monitors. And it seems that no matter what permissions I give to this group, it can’t do it.

For example, I copied permissions from the ‘all_access’ role to the ‘developers’ role, so the requests below return almost the same JSON:

GET _opendistro/_security/api/roles/all_access
GET _opendistro/_security/api/roles/developers

Then I tried to create a monitor using dev tools:

POST _opendistro/_alerting/monitors
{
  "type": "monitor",
  "name": "monitor1",
  "enabled": true,
  "schedule": {
    "period": {"interval": 1, "unit": "MINUTES"}
  },
  "inputs": [
    {
      "search": {
        "indices": ["test123-*"],
        "query": {
          "size": 0,
          "aggregations": {},
          "query": {"query_string": {"query": "log:error AND timestamp:[now-5m TO now]"}}
        }
      }
    }
  ]
}

But got the following error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "no permissions for and User [name=Cognito/…/user1, backend_roles=[arn:aws:iam::…:role/…_developers], requestedTenant=user]"
      }
    ],
    "type" : "security_exception",
    "reason" : "no permissions for and User [name=Cognito/…/user1, backend_roles=[arn:aws:iam::…:role/…_developers], requestedTenant=user]"
  },
  "status" : 403
}

When I’m using the ‘Alerting’ part of the Kibana interface to create an alarm, there is no error, but I still can’t create it - just nothing happens when I press the ‘Create’ button.

Once I map the ‘developers’ IAM role to ‘all_access’, everything works as expected.

So, it seems that the only way to create a monitor is to map the IAM role to the ‘all_access’ ES role.
I’d appreciate any help to figure out how to do it without using the ‘all_access’ role.
Thanks.


Exactly the same issue for me. Impossible to create a monitor without giving ‘all_access’ to my user.
I think something is missing :frowning:

Thanks !

Adrien

Even I am seeing the same thing. Is there a way at all without giving all_access?

Hi All, adding the new role to the below line in elasticsearch.yml file fixed it for me

opendistro_security.restapi.roles_enabled: ["all_access",… "new_role"]

You can further tweak the dis/allowed actions for the role, see docs here

Hope this helps
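
The first post compares the two roles by eye ("almost the same JSON"). As an added example that is not part of the thread, this Python sketch normalizes two responses from the roles API and lists the grants that exist in only one of them. The response bodies and the DLS query are constructed samples, not taken from the poster's cluster.

```python
import json

def normalize(response, name):
    """Flatten a GET _opendistro/_security/api/roles/<name> body into a set of grants."""
    role = response[name]
    grants = {("cluster", action) for action in role.get("cluster_permissions", [])}
    for perm in role.get("index_permissions", []):
        # DLS/FLS/masking change what an identical action list can actually see.
        limits = (perm.get("dls") or "",
                  tuple(sorted(perm.get("fls") or [])),
                  tuple(sorted(perm.get("masked_fields") or [])))
        for pattern in perm.get("index_patterns", []):
            for action in perm.get("allowed_actions", []):
                grants.add(("index", pattern, action, limits))
    for perm in role.get("tenant_permissions", []):
        for pattern in perm.get("tenant_patterns", []):
            for action in perm.get("allowed_actions", []):
                grants.add(("tenant", pattern, action))
    return grants

def diff_roles(resp_a, name_a, resp_b, name_b):
    """Return the grants held by only one of the two roles, ignoring metadata and order."""
    a, b = normalize(resp_a, name_a), normalize(resp_b, name_b)
    return {"only_in_" + name_a: sorted(a - b, key=repr),
            "only_in_" + name_b: sorted(b - a, key=repr)}

# Constructed sample responses (hypothetical DLS query on the copied role).
SAMPLE_DLS = '{"term": {"team": "dev"}}'
ALL_ACCESS = json.loads("""{"all_access": {"reserved": true, "static": true,
  "cluster_permissions": ["*"],
  "index_permissions": [{"index_patterns": ["*"], "dls": "", "fls": [],
                         "masked_fields": [], "allowed_actions": ["*"]}],
  "tenant_permissions": [{"tenant_patterns": ["*"],
                          "allowed_actions": ["kibana_all_write"]}]}}""")
DEVELOPERS = {"developers": {"reserved": False, "static": False,
  "cluster_permissions": ["*"],
  "index_permissions": [{"index_patterns": ["*"], "dls": SAMPLE_DLS, "fls": [],
                         "masked_fields": [], "allowed_actions": ["*"]}],
  "tenant_permissions": [{"tenant_patterns": ["*"],
                          "allowed_actions": ["kibana_all_write"]}]}}

if __name__ == "__main__":
    result = diff_roles(ALL_ACCESS, "all_access", DEVELOPERS, "developers")
    for side, grants in result.items():
        print(side, grants)
```

An empty result on both sides means the two role definitions grant the same thing, so any remaining difference in behaviour comes from outside the role body.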