Security Issue: No permissions for [indices:admin/resolve/index]

Security
#1

Hello everyone I use Opendistro release 1.10.1. Now I have defined two internal users (alice and bob). I have also defined roles for bob and alice.
For example:

roles:

autos:
reserved: false
index_permissions:
- index_patterns:
- “autos”
allowed_actions:
- indices_all

and then rolles mapping:

autos:
reserved: false
users:

  • “bob”
    backend_roles:
  • “autos”

Log-In work fine for bob, but if user bob tries to create index pattern, so we get the following error message in the log:

[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No index-level perm match for User [name=alice, backend_roles=[telefonbuch, kibanauser, kibana_sample_data_flights], requestedTenant=null] Resolved [aliases=[], allIndices=[], types=[], originalRequested=[], remoteIndices=] [Action [indices:admin/resolve/index]] [RolesChecked [telefonbuch, own_index, kibana_user, kibana_sample_data_flights]]
[2020-10-16T09:46:31,464][INFO ][c.a.o.s.p.PrivilegesEvaluator] [MDXN00108248] No permissions for [indices:admin/resolve/index]

Why I get this error message. I have checked roles definitions, user mapping, etc. but I get this error again.
What is my mistake? What I do wrong?

Thanks

1 Like
#2

I am having same issue , moreover users can’t create indices they’ve access, they can only view what was created prior to upgrade .

I really appreciate help on this issue.

#3

I also have this issue. I update last week from 1.9 to 1.10. This seems to be a new “feature” in 1.10. I guess users could be given access to
indices:admin/resolve/index but I don’t know what it does. It does not seem to be documented either in https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/permissions/

#4

This is how I have understood the problem, please correct me if I’m wrong.
There seems to be an open issue about this:


So the reason seems that Kibana got updated to support other things than indices: https://github.com/elastic/kibana/pull/70271 and therefore started to use the resolve API https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-resolve-index-api.html

The easy way to fix this would be to add "index_permission": [ { "index_patterns": [ "*" ], "allowed_actions": [ "indices:admin/resolve/index" ] } ] to a role that all Kibana users have access to. The downside of this is that all users that have access to this role can see the name of all indices in the cluster this includes the Kibana-user/tenant indices.