Unable to set permissions for PUT index_template

I’m using ODFE 1.12 and I’m trying to set permissions for the new ES templates APIs (PUT _component_template, PUT _index_template).

I wasn’t able to find the exact permissions, that should be:

  • indices:admin/component_template/put
  • indices:admin/index_template/put

I also tried different combinations of action groups (e.g. cluster_all, indices_all) but I always get the following error:

no permissions for [indices:admin/index_template/put]

The only way I found to make this work is to give admin-like permissions (*).

Is there something I am missing, or are there missing permissions in ODFE?

Thanks. Best regards.

You could first create a new action group, let’s say “template-admin”:
And you give the action group indices:admin/index_template/put and any other permission that might become necessary:

Then you can create a new role (or update an existing role). Where you add the index_patterns that you want the role to be able to manage, you must also add the template-admin to the allowed_actions.

After that you must make sure that your user is mapped to that role.
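The three steps described in this answer, written as security REST API requests for the Dev Tools console. This is an added example, not part of the original post: the role name template_manager, the index pattern logs-* and the user example_user are assumed placeholders.

```json
# 1. Action group holding only the template permission
#    ("template-admin" is the name suggested in the answer)
PUT _opendistro/_security/api/actiongroups/template-admin
{
  "allowed_actions": [
    "indices:admin/index_template/put"
  ]
}

# 2. Role that grants the action group on the index patterns it should manage
#    (role name and "logs-*" are assumed placeholders)
PUT _opendistro/_security/api/roles/template_manager
{
  "cluster_permissions": [],
  "index_permissions": [
    {
      "index_patterns": ["logs-*"],
      "allowed_actions": ["template-admin"]
    }
  ],
  "tenant_permissions": []
}

# 3. Map the user to the role ("example_user" is an assumed placeholder)
PUT _opendistro/_security/api/rolesmapping/template_manager
{
  "users": ["example_user"]
}
```

A later reply in this thread reports that the index_template check passed only with index_patterns: ["*"]. Even with that pattern, a role carrying only this action group stays much narrower than granting *.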

Hi @alex, did you manage to get it working using the above instructions?

Hi Anthony,
thanks for checking, I had no time yet to test this.

Hi @Anthony @oscark

I tried this

unfortunately, creation and usage of a new action group didn’t help

Adding indices:admin/index_template/put (and indices:admin/index_template/* at all) on “cluster” level doesn’t change anything, and when we add this permission on index level, index_permissions works only when we put index_patterns: ["*"]. If I set the index pattern to the name of the index which is specified in the index patterns inside the template, or to the name of the template I want to create, I still get no permissions for [indices:admin/index_template/put].

What index permissions should I put there?

Is there any chance that validation of this permission will be moved to cluster level (that is, if I put indices:admin/index_template/put in cluster_permissions, it will be validated properly, as is done for legacy index templates)?

Should I create an issue on GitHub? I can provide more information there with steps to reproduce and expected/actual behavior.

for template components it works fine, we can define permissions on cluster-level:

PUT _opendistro/_security/api/roles/my_role_create_component_template
{
  "cluster_permissions": ["cluster:admin/component_template/put"],
  "index_permissions": [],
  "tenant_permissions": []
}

works fine

@NovikovEvgeny I’m also hitting the same symptoms on AWS OpenSearch Service 1.0.

Was this resolved for you or otherwise raised on GitHub?