[BUG] Super admin API is not accessible even if you have wildcard `cluster_ permissions`

[tkxkd0159]

What is the bug?
I set all_access role to my user and set set node config like below:

plugins.security.restapi.roles_enabled: [ all_access, security_rest_api_access ]
plugins.security.restapi.admin.enabled: true
plugins.security.nodes_dn_dynamic_config_enabled: true
plugins.security.ssl_cert_reload_enabled: true

and my all_access has all permissions like below:

{
  "all_access" : {
    "reserved" : true,
    "hidden" : false,
    "description" : "Allow full access to all indices and all cluster APIs",
    "cluster_permissions" : [
      "*"
    ],
    "index_permissions" : [
      {
        "index_patterns" : [
          "*"
        ],
        "fls" : [ ],
        "masked_fields" : [ ],
        "allowed_actions" : [
          "*"
        ]
      }
    ],
...

However, I am still unable to access super admin security APIs (e.g., allowlist, ssl/certs, nodesdn) by default. Access works only if I explicitly assign granular permissions like restapi:admin/allowlist to my account. Is it intentional that the wildcard cluster_permissions does not inherit these permissions?"

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Assign all_access to my account. I used clientcert authentication.
2. Call _plugins/_security/api/ssl/certs and See { "status" : "FORBIDDEN", "message" : "Access denied" }
3. Assign restapi:admin/ssl/certs/info explicitly
4. Call _plugins/_security/api/ssl/certs and See 200 response

What is the expected behavior?
Access any API with wildcard permission if it's enabled

What is your host/environment?

• OS: OSX 15.7
• Version: 3.4.0
• Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.

[cwperks]

@tkxkd0159 I believe these 2 settings are incompatible:

plugins.security.restapi.roles_enabled: [ all_access, security_rest_api_access ]
plugins.security.restapi.admin.enabled: true

Only use the latter if you want to individually dole out permissions to the various security APIs (internalusers, roles, roles mappings, etc.). For the former (plugins.security.restapi.roles_enabled), anyone assigned to these roles can use all security APIs.

[tkxkd0159]

@tkxkd0159 I believe these 2 settings are incompatible:

plugins.security.restapi.roles_enabled: [ all_access, security_rest_api_access ]
plugins.security.restapi.admin.enabled: true

Only use the latter if you want to individually dole out permissions to the various security APIs (internalusers, roles, roles mappings, etc.). For the former (plugins.security.restapi.roles_enabled), anyone assigned to these roles can use all security APIs.

@cwperks Apologies for the delayed response; I was away on vacation. Is this the intended behavior, or is it a bug that will be addressed in a future release?
It seems like the docs suggests that plugins.security.restapi.admin.enabled: true must be set to manage certificates via the API So I thought it's worked as a gateway like roles_enabled. Then, if I set plugins.security.restapi.admin.enabled: true explicitly without plugins.security.restapi.roles_enabled, who can access security API admin endpoints?
If so, can't I use plugins.security.nodes_dn_dynamic_config_enabled: true as well? And use restapi:admin/nodesdn with roles_enabled?

I think it would be helpful if you can show some examples. Because it's not intuitive for me.

1. Add my custom role which has some restapi:admin permissions to roles_enabled. -> Doesn't it control various security API permissions individually? or it ignores granular cluster permissions and allow any roles to access all security APIs if it's set in roles_enabled?
2. Even if I don't set the role in roles_enabled, do you mean I can still set individual security admin permission to this role and can use it to access security APIs?