11

I'm running into the weirdest permission issue for _msearch.

When running simple _search with the same query, everything runs perfectly.

POST /job/_search

{"query":{"bool":{"must":[{"bool":{"must":{"bool":{"should":[{"multi_match":{"query":"s","fields":["title"],"type":"best_fields","operator":"or","fuzziness":2}},{"multi_match":{"query":"s","fields":["title"],"type":"phrase","operator":"or"}},{"multi_match":{"query":"s","fields":["title"],"type":"phrase_prefix","operator":"or"}}],"minimum_should_match":"1"}}}}]}},"size":10,"_source":{"includes":["*"],"excludes":[]}}

When running it with _msearch I get the permission error

POST /job/_msearch

{}
{"query":{"bool":{"must":[{"bool":{"must":{"bool":{"should":[{"multi_match":{"query":"s","fields":["title"],"type":"best_fields","operator":"or","fuzziness":2}},{"multi_match":{"query":"s","fields":["title"],"type":"phrase","operator":"or"}},{"multi_match":{"query":"s","fields":["title"],"type":"phrase_prefix","operator":"or"}}],"minimum_should_match":"1"}}}}]}},"size":10,"_source":{"includes":["*"],"excludes":[]}}

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "no permissions for [indices:data/read/msearch] and User [name=public_api, backend_roles=[], requestedTenant=null]"
            }
        ],
        "type": "security_exception",
        "reason": "no permissions for [indices:data/read/msearch] and User [name=public_api, backend_roles=[], requestedTenant=null]"
    },
    "status": 403
}

Here are my permissions in Kibana:

enter image description here

I am running an OpenDistro in AWS ElasticSearch Service.

Bolein95
  • 2,947
  • 2
  • 26
  • 31

3 Answers3

13

I have solved the above permission problem using the following steps

  • Login to Kibana using admin or user with higher previledges

  1. Click security option

    Step

  2. Click roles option and then select the desired role for your user based on your requirement. In my case, the user requires all access so selected all_access role

  3. Click Mapped users then click Manage mapping option.

  4. In the Users section type/paste the IAM-arn/internal-user and then press enter

  5. Finally, click the map

That's all, the user will be mapped to the role and corresponding permissions, thereafter you will not face the permission issue mentioned in the question

enter image description here

Prasanth Rajendran
  • 4,570
  • 2
  • 42
  • 59
4

Fixed by setting the following cluster permissions:

enter image description here

Bolein95
  • 2,947
  • 2
  • 26
  • 31
2

I solved this by not using fine-grained access control.

Wesley Cheek
  • 1,058
  • 12
  • 22