[BUG] do_not_fail_on_forbidden_empty does not work for cat api

[jezsy]

What is the bug?
Setting do_not_fail_on_forbidden to true does not seem to have any impact on some APIs like cat/_indices and cat/_aliases - the whole operation is rejected even if indices exist for which the user has access to.

_cat/indices/some-index-* would work, but not _cat/indices because it include internal indices which the user does not permission for.

Adding permissions under index_patterns: '*' can make them work, but I think this defeats the purpose of having the do_not_fail_on_forbidden parameter.

How can one reproduce the bug?
Steps to reproduce the behavior:
roles.yml

my_user:
  cluster_permissions:
    - "cluster_monitor"
    - "cluster_manage_index_templates"
  index_permissions:
  - index_patterns:
    - "some-index-*"
    allowed_actions:
      - "read"
      - "write"
      - "create_index"
      - "manage"

config.yml

config:
  dynamic:
    do_not_fail_on_forbidden: true
    do_not_fail_on_forbidden_empty: true
    ...

Error for GET _cat/indices

        "type" : "security_exception",
        "reason" : "no permissions for [indices:monitor/settings/get] and User [name=my_user, backend_roles=[], requestedTenant=null]"

Error for GET _cat/aliases

        "type" : "security_exception",
        "reason" : "no permissions for [indices:admin/aliases/get] and User [name=my_user, backend_roles=[], requestedTenant=null]"

Both of these permissions should be covered under the manage default_action_group, but the operations only work when targeted specifically to the index, so do_not_fail_on_forbidden does not seem to be working as intended.

What is the expected behavior?
do_not_fail_on_forbidden should work similarly for all APIs, where results are filtered based only on the indices that the user has permissions for.

What is your host/environment?

• Version OpenSearch 1.2.3
• Plugins OpenSearch Security 1.2.3.0

[peternied]

Thanks for filing @jezsy, I am having trouble reproducing the issue with /_search. As that data might be sensitive, could you email me directly at petern@amazon.com? Sending the security-auditlog-* log entries and dump of security configuration will be needed to dive into this further.

[jezsy]

Hi @peternied. Apologies for the late response. Upon further tests, it seems my claim about /_search was wrong. kibana_1 was appearing in the results because I had my user mapped to the kibana_user role as well (was doing tests on the Dashboards Dev Tools), which had permissions for the kibana indices. So do_not_fail_on_forbidden works as intended for _search

In that case, the main issue now is just extending usage of parameters do_not_fail_on_forbidden and do_not_fail_on_forbidden_empty to other APIs like _cat (e.g. indices, aliases, shards, maybe more)

[jezsy]

Similarly, I think the two parameters should also apply to GET _alias and GET _aliases. At the moment, the whole operation is rejected instead of just filtering for those indices which the user does have permission for, even if the parameters are configured true

[peternied]

Thanks for updating us on this issue, we have added this issue into items to be looked at so thank you very much for contributing to this project by filing. Please feel free to open a pull request if you've got recommendations for this or other features.