This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Missing permission: cluster:admin/opendistro/ad/detector/info #336

Open
Ricaz opened this issue Dec 7, 2020 · 3 comments

Ricaz commented Dec 7, 2020

When creating a detector in Anomaly Detection, I get an error that I don't have permissions for "[cluster:admin/opendistro/ad/detector/info]".

I have a role containing these cluster permissions:

  • cluster:admin/opendistro/ad/detector/delete
  • cluster:admin/opendistro/ad/detector/jobmanagement
  • cluster:admin/opendistro/ad/detector/run
  • cluster:admin/opendistro/ad/detector/search
  • cluster:admin/opendistro/ad/detector/stats
  • cluster:admin/opendistro/ad/detector/write
  • cluster:admin/opendistro/ad/result/search
  • cluster:admin/opendistro/ad/detectors/get

When I go to add the missing permission to the role, the GUI says it doesn't exist (can't auto-complete in the Cluster Permissions field).

What gives? Do I need to run securityadmin.sh again, and will that override my current configuration?


Ricaz commented Dec 7, 2020

I was able to add the permission to my role through the API, but I still think the permission should be auto-completable.
Also, why is one of them called /detectors while the rest are /detector?


The API didn't work as documented, though. I used the PATCH _opendistro/_security/api/roles/<role> API, which for some ungodly reason wants a raw JSON array without enclosing {} braces.
I sent:

PATCH _opendistro/_security/api/roles/anomaly_detectors
[
  {
    "op": "add", "path": "/cluster_permissions", "value": ["cluster:admin/opendistro/ad/detector/info"]
  }
]

But this removed all the other permissions. I had to include them all in the API request.
Also a bit annoying that the Dev Tools console treats PATCH as a syntax error.
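
Added example, not part of the original thread or the plugin's code: a minimal local implementation of the RFC 6902 `add` operation, showing why the request above replaced the whole list and how the path `/cluster_permissions/-` appends one entry instead. The sample role is constructed, `json_patch_add` is a hypothetical helper, and it is an assumption that the security plugin's PATCH endpoint follows RFC 6902 for the `/-` form.

```python
import copy

def json_patch_add(doc, path, value):
    """Apply a single RFC 6902 "add" operation and return a patched copy."""
    if path == "":
        return copy.deepcopy(value)  # empty pointer targets the whole document
    if not path.startswith("/"):
        raise ValueError("JSON Pointer must be empty or start with '/'")
    doc = copy.deepcopy(doc)
    # RFC 6901 unescaping: "~1" becomes "/", then "~0" becomes "~"
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    parent = doc
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    last = tokens[-1]
    if isinstance(parent, list):
        if last == "-":
            parent.append(copy.deepcopy(value))  # "-" means end of array
        else:
            idx = int(last)
            if not 0 <= idx <= len(parent):
                raise IndexError("array index out of range for add")
            parent.insert(idx, copy.deepcopy(value))
    else:
        # Adding to an object member that already exists replaces its value.
        parent[last] = copy.deepcopy(value)
    return doc

# Constructed sample role using permission names quoted in the issue.
ROLE = {"cluster_permissions": [
    "cluster:admin/opendistro/ad/detector/write",
    "cluster:admin/opendistro/ad/detector/search",
    "cluster:admin/opendistro/ad/detectors/get",
]}
INFO = "cluster:admin/opendistro/ad/detector/info"

def patch_as_sent(role):
    """The operation from the issue: the target is the array member itself."""
    return json_patch_add(role, "/cluster_permissions", [INFO])

def patch_append(role):
    """Append form: the target is the position past the last array element."""
    return json_patch_add(role, "/cluster_permissions/-", INFO)

if __name__ == "__main__":
    print("as sent:", patch_as_sent(ROLE)["cluster_permissions"])
    print("append: ", patch_append(ROLE)["cluster_permissions"])
```

After any role patch, read the role back and compare its permission list with the intended set, since a silently shortened list changes what the role can do.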

vrozov transferred this issue from opensearch-project/security Dec 18, 2020
@saratvemulapalli
Contributor

Taking a look..
Can you create a role with "cluster:admin/opendistro/ad/detector/info" cluster permissions?
You can do something like this and map the user to the role:

curl -XPUT -u admin:admin --insecure \
  https://localhost:9200/_opendistro/_security/api/roles/ad_all_access \
  -H 'Content-Type:application/json' \
  -d '{
  "cluster_permissions": [
    "cluster:admin/opendistro/ad/detector/info",
    "cluster_monitor"
  ],
  "index_permissions": [
    {
      "index_patterns": [ "*" ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "indices_monitor",
        "indices:admin/aliases/get",
        "indices:admin/mappings/get"
      ]
    }
  ],
  "tenant_permissions": []
}'

I see we didn't add the new info API into the security UI.
I'll send out a PR to take care of that.
