[BUG]Permission issue on AWS managed Opensearch 2.7 Indices search bar under Index Management.

[Its-Ankush]

Describe the bug
This issue is related to AWS managed Opensearch 2.7 where FGAC is enabled. Im creating 3 indices by the name index, index1 and index2. I use my own custom role "read_only_certain" [I will share it below]. I have index patterns as index, index1 as shown below in the image

When I search for the index name index in the search bar under Index Management > Indices, it shows me [security_exception] no permissions for [indices:monitor/settings/get] and User [name=abc, backend_roles=[], requestedTenant=] however when I search for the index index1, it does appear. I think this can be a bug

To Reproduce
Steps to reproduce the behavior:

1. Create the following role and assign it to an internal user-

PUT _opendistro/_security/api/roles/read_only_certain
{
  "cluster_permissions": [
    "cluster_composite_ops_ro",
    "cluster_monitor",
    "read"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "index",
        "index1"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "read",
        "indices_monitor",
        "indices:admin/get"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_write"
      ]
    }
  ]
}

3. Login to that user and go to Index Management > Indices and search for the above indices as mentioned

4. See error
   When I search for index
   

When I search for index1

Expected behavior
The expected behaviour is that I should be able to see the index as well and not just index1

Plugins
Im using FGAC opensearch-security plugin

Screenshots
Shared above

Host/Environment (please complete the following information):

• OS: MacOS
• Version: AWS Managed Opensearch 2.7

Additional context

This only happens when I use names like index and index1 . The string "index" is contained in other string "index1" so maybe there is something related to that.

This is the request that Opensearch builds when i search for index1

https://search-abc-es.amazonaws.com/_dashboards/api/ism/_indices?from=0&size=20&search=index1&sortField=index&sortDirection=desc&showDataStreams=false&terms=index1&=&=

Response

{"ok":true,"response":{"indices":[{"health":"green","status":"open","index":"index1","uuid":"fzTUjTcZT7m0hKF0TeVXGg","pri":"5","rep":"1","docs.count":"0","docs.deleted":"0","store.size":"2kb","pri.store.size":"1kb","data_stream":null,"extraStatus":"open","managed":"Yes","managedPolicy":"N/A"}],"totalIndices":1}}

This is the request that Opensearch builds when i search for index

https://search-abc-es.amazonaws.com/_dashboards/api/ism/_indices?from=0&size=20&search=index&sortField=index&sortDirection=desc&showDataStreams=false&terms=index&=&=

Response

{"ok":false,"error":"[security_exception] no permissions for [indices:monitor/settings/get] and User [name=abc, backend_roles=[], requestedTenant=]"}

Edit - Its important to note that both of the below works

GET _cat/indices/index
GET _cat/indices/index1

[Its-Ankush]

Can anyone please share some inputs ?

[dblock]

Sorry for checking in so late. Were you able to figure out this issue?

Is this only a problem on AWS? If so, could you please open a ticket with AWS and close the issue here?

[Triage -- attendees 1, 2, 3, 4, 5, 6, 7]

[Its-Ankush]

I will test it today in the open source version as well and will then close if its related to AWS :)

Thank you Daniel

[Its-Ankush]

@dblock I can confirm that this is present in the Open Source version as well. Using v 2.14.0 to reproduce this and looks like this is an issue with how the dashboards is sending the search request.

[cwperks]

@Its-Ankush Do you have other indices in the cluster that would match the index* pattern? I would need to read the code, but I believe this page is making a GET {index_name}/_settings call for all indices in the cluster with the prefix index. The role definition you posted only grants permission to index and index1. If you have another index in the cluster like index2, that role would not grant permission for GET {index_name}/_settings

[cwperks]

When filtering indices, its using this handler: https://github.com/opensearch-project/index-management-dashboards-plugin/blob/main/server/services/IndexService.ts#L62-L103

Part of that handler is a call to GET _cat/indices and that's the call that's failing since the role only has access to some (but not all indices)

Same error message from the issue description here: opensearch-project/security#1815