I’ve got a backend role (IAM role from AWS), let’s call it my-role. I’ve mapped the predefined role readall_and_monitor to backend_role my-role.
Double checking the permissions of readall_and_monitor shows that it has the action group cluster_composite_ops_ro, which includes the allowed action indices:admin/aliases/get*. I should note that the action group and role are both predefined and have not been modified.
However, when I make a request to {my-cluster}/_cat/aliases?format=json&h=alias I get the below error, when the user explicitly does have that permission:
"type": "security_exception",
"reason": "no permissions for [indices:admin/aliases/get]
and User [name=arn:aws:iam::*:role/my-role,
backend_roles=[arn:aws:iam::*:role/my-role],
requestedTenant=null]"
I would assume that [indices:admin/aliases/get*] would include [indices:admin/aliases/get].
To verify, I got the current settings, and the responses were:
GET .../rolesmapping
"readall_and_monitor": {
...
"backend_roles": [
"arn:aws:iam::*:role/my-role"
]...
}
GET .../roles
"readall_and_monitor": { ...
"cluster_permissions": [
"cluster_monitor",
"cluster_composite_ops_ro"
],
"index_permissions": [{
"index_patterns": [ "*" ],
"fls": [], "masked_fields": [],
"allowed_actions": [ "read", "indices_monitor" ]
}], "tenant_permissions": [], ...
}
GET .../actiongroups
"cluster_composite_ops_ro": {
...
"allowed_actions": [
"indices:data/read/mget", "indices:data/read/msearch",
"indices:data/read/mtv", "indices:admin/aliases/exists*",
"indices:admin/aliases/get*", "indices:data/read/scroll"
],
"type": "cluster",
"description": "Allow readonly bulk and m* operations",
"static": false
}
From the above 3 requests, it looks like the user should have the required permissions that the error message says it doesn’t have.
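As an added example (not from the post above and not OpenSearch Security's own evaluation code), the following script replays the poster's reasoning over the three responses quoted above: it expands action groups recursively, matches the requested action against the granted patterns with `*` as a wildcard, and reports separately what the role grants at cluster level and at index level. The sample documents are constructed from the quoted responses; the contents of the `read`, `indices_monitor` and `cluster_monitor` groups are not shown in the post, so the checker reports them as unresolved rather than guessing them.

```python
import fnmatch

# Constructed from the three responses quoted in the post (abbreviated to the
# fields the checker needs). Groups whose contents the post does not show are
# deliberately absent from ACTIONGROUPS.
ROLESMAPPING = {"readall_and_monitor": {"backend_roles": ["arn:aws:iam::*:role/my-role"]}}
ROLES = {"readall_and_monitor": {
    "cluster_permissions": ["cluster_monitor", "cluster_composite_ops_ro"],
    "index_permissions": [{"index_patterns": ["*"],
                           "allowed_actions": ["read", "indices_monitor"]}]}}
ACTIONGROUPS = {"cluster_composite_ops_ro": {"allowed_actions": [
    "indices:data/read/mget", "indices:data/read/msearch", "indices:data/read/mtv",
    "indices:admin/aliases/exists*", "indices:admin/aliases/get*",
    "indices:data/read/scroll"]}}

def expand(names, groups, seen=None):
    """Recursively expand action-group names into concrete action patterns.
    A name that is neither a known group nor a colon-qualified action is kept
    with an 'unresolved:' prefix so a gap in the input stays visible."""
    seen = set() if seen is None else seen
    out = []
    for name in names:
        if name in groups and name not in seen:
            seen.add(name)
            out += expand(groups[name]["allowed_actions"], groups, seen)
        elif ":" in name:
            out.append(name)
        else:
            out.append("unresolved:" + name)
    return out

def roles_for(backend_role, mapping):
    """Roles whose backend_roles list matches the given backend role (exact or '*' wildcard)."""
    return [r for r, m in mapping.items()
            if any(p == backend_role or fnmatch.fnmatchcase(backend_role, p)
                   for p in m.get("backend_roles", []))]

def cluster_matches(action, backend_role):
    """Granted cluster-level patterns that cover `action` ('*' is a wildcard)."""
    patterns = []
    for role in roles_for(backend_role, ROLESMAPPING):
        patterns += expand(ROLES[role]["cluster_permissions"], ACTIONGROUPS)
    return [p for p in patterns if fnmatch.fnmatchcase(action, p)]

def index_grants(backend_role, index):
    """Action patterns (or unresolved group names) granted on a concrete index."""
    patterns = []
    for role in roles_for(backend_role, ROLESMAPPING):
        for ip in ROLES[role]["index_permissions"]:
            if any(fnmatch.fnmatchcase(index, pat) for pat in ip["index_patterns"]):
                patterns += expand(ip["allowed_actions"], ACTIONGROUPS)
    return patterns
```

Running `cluster_matches("indices:admin/aliases/get", "arn:aws:iam::*:role/my-role")` confirms the wildcard pattern does cover the action at cluster level, while `index_grants` shows that the index-level grant for this role consists only of the two group names the post does not expand, which is where to look next when comparing against the denial.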