Security Issue: No permissions for [indices:admin/resolve/index]

Hello everyone, I use Opendistro release 1.10.1. Now I have defined two internal users (alice and bob). I have also defined roles for bob and alice.
For example:

roles:

autos:
  reserved: false
  index_permissions:
  - index_patterns:
    - "autos"
    allowed_actions:
    - indices_all

and then roles mapping:

autos:
  reserved: false
  users:
  - "bob"
  backend_roles:
  - "autos"

Log-in works fine for bob, but if user bob tries to create an index pattern, we get the following error message in the log:

[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No index-level perm match for User [name=alice, backend_roles=[telefonbuch, kibanauser, kibana_sample_data_flights], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [telefonbuch, own_index, kibana_user, kibana_sample_data_flights]]
[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No permissions for [indices:admin/resolve/index]

Why do I get this error message? I have checked the role definitions, user mapping, etc., but I get this error again.
What is my mistake? What am I doing wrong?

Thanks


I am having the same issue; moreover, users can’t create indices they have access to, they can only view what was created prior to the upgrade.

I really appreciate help on this issue.

I also have this issue. I updated last week from 1.9 to 1.10. This seems to be a new “feature” in 1.10. I guess users could be given access to indices:admin/resolve/index, but I don’t know what it does. It does not seem to be documented either in https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/permissions/

This is how I have understood the problem, please correct me if I’m wrong.
There seems to be an open issue about this:


So the reason seems to be that Kibana got updated to support other things than indices: https://github.com/elastic/kibana/pull/70271 and therefore started to use the resolve API https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-resolve-index-api.html

The easy way to fix this would be to add "index_permissions": [ { "index_patterns": [ "*" ], "allowed_actions": [ "indices:admin/resolve/index" ] } ] to a role that all Kibana users have access to. The downside of this is that all users that have access to this role can see the names of all indices in the cluster; this includes the Kibana-user/tenant indices.

I have this problem too. But I use multi-tenancy and I want users to be able to create their index patterns themselves in Kibana. They can’t do this because they don’t have this permission (indices:admin/resolve/index). Most importantly, users must not see other indexes which are not included in their roles. Do you have any idea how to do this without this permission?

Same issue here. I tried to create a new action group with indices:admin/resolve/index and add it as a cluster permission; it doesn’t work.

If I try at the index level, indices:admin/resolve/index is not in the list.

(I upgraded this morning to 1.11)

Hi folks,
Could you solve it?
I’m facing the same problem:

[2020-12-10T10:00:16,726][INFO ][c.a.o.s.p.PrivilegesEvaluator] [ubuntu-VirtualBox] No index-level perm match for User [name=mary help, backend_roles=[elastic.car], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [own_index, kibana_user, car]]
[2020-12-10T10:00:16,727][INFO ][c.a.o.s.p.PrivilegesEvaluator] [ubuntu-VirtualBox] No permissions for [indices:admin/resolve/index]

Thank you

Hey all, although the permission does not appear in the console and cannot be added that way, you can add it via the API. Here I’m adding indices_all permission to the actual index pattern “test*” and the “indices:admin/resolve/index” permission to everything (*). Not ideal, but this seems to work.

PUT _opendistro/_security/api/roles/js-test
{
    "cluster_permissions" : [ ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "test*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices_all"
        ]
      },
      {
        "index_patterns" : [
          "*"
        ],
        "dls" : "",
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "indices:admin/resolve/index"
        ]
      }
    ],
    "tenant_permissions" : [
      {
        "tenant_patterns" : [
          "global_tenant"
        ],
        "allowed_actions" : [
          "kibana_all_read"
        ]
      }
    ]
}
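An added example, not written by any poster in this thread and not project code: a small Python audit that takes role definitions in the shape posted above and reports which roles can run indices:admin/resolve/index against every index, which is the index-name exposure mentioned earlier in the thread. The role data and the action-group map are constructed for illustration; `indices_all` is assumed to expand to `indices:*`.

```python
import fnmatch

RESOLVE = "indices:admin/resolve/index"

# Assumption: minimal action-group expansion. A real audit should load the
# cluster's own action groups instead of this constructed map.
ACTION_GROUPS = {"indices_all": ["indices:*"]}

# Constructed sample in the shape of the role bodies posted in this thread.
ROLES = {
    "js-test": {"index_permissions": [
        {"index_patterns": ["test*"], "allowed_actions": ["indices_all"]},
        {"index_patterns": ["*"], "allowed_actions": [RESOLVE]},
    ]},
    "autos": {"index_permissions": [
        {"index_patterns": ["autos"], "allowed_actions": ["indices_all"]},
    ]},
    "ops": {"index_permissions": [
        {"index_patterns": ["*"], "allowed_actions": ["indices_all"]},
    ]},
}

def grants_action(allowed, action, groups=ACTION_GROUPS):
    """True if any allowed action (pattern or action group) covers `action`."""
    for entry in allowed:
        for pattern in groups.get(entry, [entry]):
            if fnmatch.fnmatchcase(action, pattern):
                return True
    return False

def resolve_scope(role):
    """Index patterns on which the role may call the resolve-index action."""
    scope = []
    for perm in role.get("index_permissions", []):
        if grants_action(perm.get("allowed_actions", []), RESOLVE):
            scope.extend(perm.get("index_patterns", []))
    return scope

def audit(roles):
    """Map role name -> 'cluster-wide' | 'scoped' | 'none' for resolve-index."""
    report = {}
    for name, role in roles.items():
        scope = resolve_scope(role)
        if "*" in scope:
            report[name] = "cluster-wide"
        else:
            report[name] = "scoped" if scope else "none"
    return report

if __name__ == "__main__":
    for name, verdict in audit(ROLES).items():
        print(f"{name}: {verdict}")
```

To run it against a live cluster, replace `ROLES` with the parsed JSON returned by `GET _opendistro/_security/api/roles`.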