Clear scroll in OpenSearch/ElasticSearch with read only permission

Question


I want to fetch documents from an opensearch index with read_only permissions using the Scroll API. I tried these permissions for my role

indices:data/read/scroll/clear
indices:data/read/scroll
read

and

read

But when I run (using the python sdk):

self.client.clear_scroll(scroll_id=scroll_ids_str)

when the opensearch package tries to run

return self.transport.perform_request(
    "DELETE", "/_search/scroll", params=params, headers=headers, body=body
)

I get this authorization error as a warning:

AuthorizationException(403, 'security_exception', {'error': {'root_cause': [
  {'type': 'security_exception', 'reason': 'no permissions for [indices:data/read/scroll/clear] and User [name=arn:aws:iam::<AWSID>:user/<NAME>, backend_roles=[], requestedTenant=null]'}], 
 'type': 'security_exception', 'reason': 'no permissions for [indices:data/read/scroll/clear] and User [name=arn:aws:iam::<AWSID>:user/<NAME>, backend_roles=[], requestedTenant=null]'}, 'status': 403})

Note that I explicitly added the suggested permission to my role. Also, I can successfully fetch all the desired documents, but I do not like that the warning suggests that I am not cleaning up some resources.

QUESTION: How do I successfully delete the scroll context with read only permissions?

Version: opensearch-py==2.2.0

Answer 1

Score: 1


Scrolling is good because there is a 10k document-retrieval limit otherwise that can only be up-configured server-side.

But OS/ES permissions are a bit fiddly to get right, as I'm sure you know already. The opensearch python documentation is also slightly disparate.

For reference there's a complete list here: https://opensearch.org/docs/latest/security/access-control/permissions

In your specific case I came across the following helpful thread:

https://forum.search-guard.com/t/query-regarding-scroll-and-clear-permission/2026

So you should be able to add

indices:data/read/scroll/clear

to your cluster-level permissions. I think that's because in REST speak the DELETE operation has the same citizenship as GET, POST etc. so requires a bit more attention. You can test this out in the OS console sandbox but I can see why you might be nervous to test out DELETE operations there.

Don't forget that in general index permissions usually need some (parent) cluster permissions i.e. one higher.

Also in general OS/ES permissions are very restrictive by default (but include RBAC and multi-tenancy), unless you start putting * everywhere. For the sake of others this is another hierarchical example where index-level permissions need to be activated by specifying to which indices/indexes they apply. The granularity even extends to the document field level. The corollary is the need for specificity. Don't be tempted to start putting * everywhere!

Have fun and good luck!
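An added example (not code from the question or the answer) that applies the answer's advice: the clear-scroll action is granted in cluster_permissions while index permissions stay scoped to named indices, and the scroll helper clears its context in a finally block. It assumes the OpenSearch Security roles API body shape and the opensearch-py search/scroll/clear_scroll methods, and uses a constructed FakeClient so it runs offline.

```python
from typing import Any, Dict, Iterator, List

CLEAR_SCROLL = "indices:data/read/scroll/clear"  # must be cluster-level (see answer)
SCROLL = "indices:data/read/scroll"

def read_only_scroll_role(index_patterns: List[str]) -> Dict[str, Any]:
    """Body for PUT _plugins/_security/api/roles/<name> (assumed API shape):
    read + scroll on the named indices only, clear-scroll at cluster level."""
    if "*" in index_patterns:
        raise ValueError("name the indices instead of granting '*'")
    return {"cluster_permissions": [CLEAR_SCROLL],
            "index_permissions": [{"index_patterns": list(index_patterns),
                                   "allowed_actions": ["read", SCROLL]}]}

def has_cluster_clear_scroll(role: Dict[str, Any]) -> bool:
    """Spot the misconfiguration behind the 403: clear-scroll only at index level."""
    return CLEAR_SCROLL in role.get("cluster_permissions", [])

def scroll_all(client, index: str, query: Dict[str, Any], size: int = 1000,
               keep: str = "2m") -> Iterator[Dict[str, Any]]:
    """Yield every hit via the Scroll API; the context is cleared in `finally`
    even if the consumer stops early or a page request fails."""
    resp = client.search(index=index, body=query, scroll=keep, size=size)
    sid = resp["_scroll_id"]
    try:
        while resp["hits"]["hits"]:
            yield from resp["hits"]["hits"]
            resp = client.scroll(scroll_id=sid, scroll=keep)
            sid = resp["_scroll_id"]
    finally:
        client.clear_scroll(scroll_id=sid)

class FakeClient:
    """Constructed stand-in for the opensearch-py client so this runs offline."""
    def __init__(self, docs: List[Dict[str, Any]]) -> None:
        self.docs, self.pos, self.size, self.cleared = docs, 0, 0, []

    def _page(self) -> Dict[str, Any]:
        hits = self.docs[self.pos:self.pos + self.size]
        self.pos += self.size
        return {"_scroll_id": f"ctx-{self.pos}", "hits": {"hits": hits}}

    def search(self, index, body, scroll, size):
        self.size = size
        return self._page()

    def scroll(self, scroll_id, scroll):
        return self._page()

    def clear_scroll(self, scroll_id):
        self.cleared.append(scroll_id)
```

With a real client, `scroll_all(OpenSearch(...), "logs-2023", {"query": {"match_all": {}}})` drops in for FakeClient; the role body goes to the security roles endpoint for the read-only role.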

huangapple
  • Posted on 2023-07-27 20:23:53
  • Please keep this link when reposting: https://go.coder-hub.com/76779713.html