I definitely appreciate documentation improvements.
So I've spent some more time trying to track down the problem Wyllys started to bring up yesterday.
I'm creating a new index, roles, and role mappings, all as an administrative user:
PUT /fd-sp-57feef3fb471-f4634ddd017a
{...}
PATCH /_searchguard/api/roles
[
  {"op": "add", "path": "/fd-sp-57feef3fb471-f4634ddd017a-reader",
   "value": {"cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
             "indices": {"fd-sp-57feef3fb471-f4634ddd017a": {"*": ["READ", "SEARCH"]}}}},
  {"op": "add", "path": "/fd-sp-57feef3fb471-f4634ddd017a-modifier",
   "value": {"cluster": ["CLUSTER_COMPOSITE_OPS"],
             "indices": {"fd-sp-57feef3fb471-f4634ddd017a": {"*": ["INDICES_ALL"]}}}}
]
PATCH /_searchguard/api/rolesmapping
[
  {"op": "add", "path": "/fd-sp-57feef3fb471-f4634ddd017a-reader",
   "value": {"backendroles": [], "hosts": ["*"], "users": []}},
  {"op": "add", "path": "/fd-sp-57feef3fb471-f4634ddd017a-modifier",
   "value": {"backendroles": [], "hosts": ["*"], "users": []}}
]
I then add a user to both role mappings:
PATCH /_searchguard/api/rolesmapping/fd-sp-57feef3fb471-f4634ddd017a-reader
[{"op": "add", "path": "/users/-", "value": "b900c1bd-531b-484f-8e41-e52ee3486740"}]
PATCH /_searchguard/api/rolesmapping/fd-sp-57feef3fb471-f4634ddd017a-modifier
[{"op": "add", "path": "/users/-", "value": "b900c1bd-531b-484f-8e41-e52ee3486740"}]
Using /_bulk to load data into this index then fails with a 403 Forbidden response bearing this message:
no permissions for [indices:admin/refresh] and User [name=b900c1bd-531b-484f-8e41-e52ee3486740, roles=[], requestedTenant=null]
Since INDICES_ALL is defined as indices:*, I'd think that permission would be included for that index. I've tried adding that explicitly in the defined "modifier" role, both for the cluster and the specific index, but that doesn't seem to have an impact.
One interesting note: The SG dashboard in Kibana shows a warning for the two role mappings: "No corresponding Search Guard role for mapping 'fd-sp-...' found. Click to create it." The roles are shown when I look at the role definitions, though. The roles are created before the role mappings, as shown above.
As before:
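The sequence of calls described in the post above, as an added example that is not part of the original post or of Search Guard itself: a Python script that issues the same requests through the Search Guard REST API, checks before sending that every role mapping names an existing role (the condition behind the Kibana warning quoted above), tests whether a role body's globs cover a given action on a given index, and parses the 403 body into its parts. BASE_URL, the admin and user passwords, and the ES 7-style bulk action line are assumptions; the action-group table knows only INDICES_ALL, as the post states it, so READ and SEARCH are treated as literal patterns. Only main() needs a running cluster; the builder, check and parser functions run offline.

```python
import base64
import fnmatch
import json
import re
import urllib.error
import urllib.request

INDEX = "fd-sp-57feef3fb471-f4634ddd017a"      # from the post
USER = "b900c1bd-531b-484f-8e41-e52ee3486740"  # from the post
BASE_URL = "https://localhost:9200"            # assumption
ADMIN_AUTH = ("admin", "admin")                # assumption
USER_PASSWORD = "change-me"                    # assumption
# The post states INDICES_ALL expands to indices:*; other action-group names are
# left unexpanded and so match nothing here (a simplification of Search Guard).
ACTION_GROUPS = {"INDICES_ALL": ["indices:*"]}
# The 403 body quoted in the post, kept as sample input for parse_denial().
SAMPLE_DENIAL = ("no permissions for [indices:admin/refresh] and User "
                 f"[name={USER}, roles=[], requestedTenant=null]")

def roles_patch(index):
    """JSON Patch body for PATCH /_searchguard/api/roles (the post's two roles)."""
    reader = {"cluster": ["CLUSTER_COMPOSITE_OPS_RO"],
              "indices": {index: {"*": ["READ", "SEARCH"]}}}
    modifier = {"cluster": ["CLUSTER_COMPOSITE_OPS"],
                "indices": {index: {"*": ["INDICES_ALL"]}}}
    return [{"op": "add", "path": f"/{index}-reader", "value": reader},
            {"op": "add", "path": f"/{index}-modifier", "value": modifier}]

def rolesmapping_patch(index):
    """JSON Patch body for PATCH /_searchguard/api/rolesmapping (empty mappings)."""
    return [{"op": "add", "path": f"/{index}-{suffix}",
             "value": {"backendroles": [], "hosts": ["*"], "users": []}}
            for suffix in ("reader", "modifier")]

def add_user_patch(user):
    """JSON Patch body appending `user` to one mapping's users list."""
    return [{"op": "add", "path": "/users/-", "value": user}]

def mappings_without_role(roles, mappings):
    """Mapping names with no role of the same name, i.e. the condition behind the
    Kibana warning quoted in the post. Both arguments are JSON Patch bodies."""
    role_names = {p["path"].lstrip("/") for p in roles if p["op"] == "add"}
    return [p["path"].lstrip("/") for p in mappings
            if p["op"] == "add" and p["path"].lstrip("/") not in role_names]

def role_covers(role_value, index, action, groups=ACTION_GROUPS):
    """True if a role body grants `action` on `index`; index names and action
    patterns are matched as shell-style globs."""
    for index_pattern, doctypes in role_value["indices"].items():
        if not fnmatch.fnmatchcase(index, index_pattern):
            continue
        for perms in doctypes.values():
            patterns = [q for p in perms for q in groups.get(p, [p])]
            if any(fnmatch.fnmatchcase(action, q) for q in patterns):
                return True
    return False

DENIAL_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User "
                       r"\[name=(?P<name>[^,\]]+), roles=\[(?P<roles>[^\]]*)\]")

def parse_denial(message):
    """(action, user name, backend roles) from a Search Guard 403 body, or None."""
    m = DENIAL_RE.search(message)
    if m is None:
        return None
    return m["action"], m["name"], [r.strip() for r in m["roles"].split(",") if r.strip()]

def sg_request(method, path, body=None, auth=ADMIN_AUTH, content_type="application/json"):
    """One basic-auth HTTP call; returns (status, body) and does not raise on
    4xx/5xx, so a 403 can be inspected like any other response."""
    data = body if body is None or isinstance(body, bytes) else json.dumps(body).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Content-Type", content_type)
    req.add_header("Authorization", "Basic " +
                   base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode())
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def main():
    roles, mappings = roles_patch(INDEX), rolesmapping_patch(INDEX)
    assert not mappings_without_role(roles, mappings)  # names agree before sending
    sg_request("PUT", f"/{INDEX}", {})
    sg_request("PATCH", "/_searchguard/api/roles", roles)
    sg_request("PATCH", "/_searchguard/api/rolesmapping", mappings)
    for suffix in ("reader", "modifier"):
        sg_request("PATCH", f"/_searchguard/api/rolesmapping/{INDEX}-{suffix}",
                   add_user_patch(USER))
    # Bulk-load one constructed document as the mapped user (ES 7-style NDJSON
    # action line without _type; an assumption about the cluster version).
    bulk = (json.dumps({"index": {"_index": INDEX, "_id": "1"}}) + "\n"
            + json.dumps({"k": "v"}) + "\n").encode()
    status, text = sg_request("POST", "/_bulk", bulk, auth=(USER, USER_PASSWORD),
                              content_type="application/x-ndjson")
    print(status, parse_denial(text) if status == 403 else text)
    print("modifier role covers indices:admin/refresh:",
          role_covers(roles[1]["value"], INDEX, "indices:admin/refresh"))

if __name__ == "__main__":
    main()
```

role_covers() only evaluates the role body's globs, and on the post's modifier role it agrees with the writer's reading that indices:* covers indices:admin/refresh; parse_denial() pulls out what the server actually saw for the user (name and backend roles), which is the other half of the question. mappings_without_role() is worth running on the patch bodies before sending them, since a name mismatch between a role and its mapping is exactly what the Kibana warning reports.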