getPatternList error with read-only users in a particular tenant

[asteriscos]

Wazuh	Rev	Browser
4.9.0	xyzw	Chrome, Firefox, Safari, etc

Description
Some requests to the endpoint api/saved_objects/_find?type=index-pattern&fields=title&fields=fields&per_page=9999 fail with the error:

no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]: security_exception: [security_exception] Reason: no permissions for [indices:data/read/search] and User [name=testuser, backend_roles=[], requestedTenant=null]

This happens to users that have read-only permissions to a specific tenant, like in the following configuration:

Details

In opensearch_dashboards.yml enable multi-tenancy:

opensearch_security.multitenancy.enabled: true

Create a new read-only user with permissions in a particular tenant

Load a dashboard (or any view with visualizations) and check the browser dev-tools for security exceptions:

[Desvelao]

I could replicate the problem.

I noticed the error related to getting the index pattern list through an API request, returns the http code 403 while the global tenant was selected despite the user has no permission on this tenant.

I switched the tenant to the configured that the user should have permissions and I got the same response in the realted API requests.

Other requests seem not to return that error

Then, I refreshed the page and the related API request had 200 http code.

I am researching where the tenant information is saved. I guess this could be encoded in the security_authenticat cookie, but I could not find how this is encoded and what information is included.

EDIT: It seems the error sometimes happens.

[guidomodarelli]

I am researching where the tenant information is saved. I guess this could be encoded in the security_authentication cookie, but I could not find how this is encoded and what information is included.

security_authentication:
Reference: https://github.com/hapijs/iron/blob/master/lib/index.js#L236

{
  username: 'user-ro',
  credentials: {
    authHeaderValue: 'Basic dXNlci1ybzomVXFZSiZCJkhGM0pkWkt6NzR5c3hjJFdmUiRmc1BjOA=='
  },
  authType: 'basicauth',
  isAnonymousAuth: false,
  expiryTime: 1732046561826,
  tenant: 'test_tenant'
}

server    log   [19:02:42.442] [error][data][opensearch] [security_exception]: no permissions for [indices:data/read/search] and User [name=user-ro, backend_roles=[], requestedTenant=null]

A 403 error is captured even though the browser shows that all requests were successful with a statusCode of 200.

Reference: https://github.com/wazuh/wazuh-dashboard/blob/4e34a7a5141d089f6c341a535be5a7ba2737d965/src/core/server/http/router/response_adapter.ts#L95

https://github.com/user-attachments/assets/7e325943-f3b1-4e29-a4a4-3ca99ff6989e

[Desvelao]

I found the client to do the request to get the saved objects of the index patterns has data about the selected tenant.

• See: https://github.com/opensearch-project/OpenSearch-Dashboards/blob/2.16.0/src/core/server/saved_objects/service/lib/repository_opensearch_client.ts#L60

The security tenant seems to be stored in:

client[Object.getOwnPropertySymbols(client)[11]].headers.securitytenant

I assume the problem could be related to the client that does the API request to the Wazuh indexer has no information about the selected tenant for some reason. Maybe the security_authentication cookie has no information about the selected tenant and causes this creates a client without tenant information. This was not checked because the error randomly happens.

[JuanGarriuz]

Test on 4.10.2

Login as usually

In global tenant

no permissions for [indices:data/read/search] and User [name=test-read-only, backend_roles=[], requestedTenant=]: security_exception: [security_exception] Reason: no permissions for [indices:data/read/search] and User [name=test-read-only, backend_roles=[], requestedTenant=]

On test-tenant

Conclusions

When it loads for the first time, it shows an error message; subsequent times, it loads correctly.

Grabacion.2024-12-02.123459.mp4