1

I want to fetch documents form an opensearch index with read_only permissions using the Scroll API. I tried these permissions for my role

indices:data/read/scroll/clear
indices:data/read/scroll
read

and

read

But when I run (using the python sdk):

self.client.clear_scroll(scroll_id=scroll_ids_str)

when the opensearch package tries to run

return self.transport.perform_request(
            "DELETE", "/_search/scroll", params=params, headers=headers, body=body
        )

I get this autorization error as a warning:

AuthorizationException(403, 'security_exception', {'error': {'root_cause': [
  {'type': 'security_exception', 'reason': 'no permissions for [indices:data/read/scroll/clear] and User [name=arn:aws:iam::<AWSID>:user/<NAME>, backend_roles=[], requestedTenant=null]'}], 
 'type': 'security_exception', 'reason': 'no permissions for [indices:data/read/scroll/clear] and User [name=arn:aws:iam::<AWSID>:user/<NAME>, backend_roles=[], requestedTenant=null]'}, 'status': 403})

Note that I explicitly added the suggested permission to my role. Also, I can successfully fetch all the desired documents, but I do not like that the warning suggests that I am not cleaning up some resources.

QUESTION: How do I successfully delete the scroll context with read only permissions?

Version: opensearch-py==2.2.0

Rgkpdx
  • 257
  • 1
  • 9
  • 1
    Cluster level permissions? Is the requested tenant intentionally null? Does the original scroll operation itself work when you use `indices:data/read/scroll` ? I think it's related to being unable to perform the DELETE request. Take a look at: https://forum.search-guard.com/t/query-regarding-scroll-and-clear-permission/2026 – jtlz2 Jul 27 '23 at 20:01

1 Answers1

1

Scrolling is good because there is a 10k document-retrieval limit otherwise that can only be up-configured server-side.

But OS/ES permissions are a bit fiddly to get right, as I'm sure you know already. The opensearch python documentation is also slightly disparate.

For reference there's a complete list here: https://opensearch.org/docs/latest/security/access-control/permissions

In your specific case I came across the following helpful thread:

https://forum.search-guard.com/t/query-regarding-scroll-and-clear-permission/2026

So you should be able to add

indices:data/read/scroll/clear

to your cluster-level permissions. I think that's because in REST speak the DELETE operation has the same citizenship as GET, POST etc. so requires a bit more attention. You can test this out in the OS console sandbox but I can see why you might be nervous to test out DELETE operations there.

Don't forget that in general index permissions usually need some (parent) cluster permissions i.e. one higher.

Also in general OS/ES permissions are very restrictive by default (but include RBAC and multi-tenancy), unless you start putting * everywhere. For the sake of others this is another hierarchical example where index-level permissions need to be activated by specifying to which indices/indexes they apply. The granularity even extends to the document field level. The corollary is the need for specificity. Don't be tempted to start putting * everywhere! :)

Have fun and good luck!

jtlz2
  • 7,700
  • 9
  • 64
  • 114