[BUG] Reports indices cannot be created with reporting_full_access role

[joshuali925]

Describe the bug
coming from https://discuss.opendistrocommunity.dev/t/reporting-insufficient-permissions-error/8764

To Reproduce
Steps to reproduce the behavior:

1. Create a user with reporting_full_access
2. Use created user to generate a report
3. Error

  displayName: 'AuthorizationException',
  message:
   '[security_exception] no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]',
  path: '/_plugins/_reports/on_demand',
  query: {},
  body:
   { error:
      { root_cause: [Array],
        type: 'security_exception',
        reason:
         'no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]' },
     status: 403 },
  statusCode: 403,
  response:
   '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]"}],"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]"},"status":403}',

4. Use admin and open reporting plugin page in dashboards
5. Repeat step 2, report can now be generated

Expected behavior
A clear and concise description of what you expected to happen.

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[trunet]

Workaround acessing with admin first works fine.

I guess adding indices:admin/create permission to create .opendistro-reports-definitions and .opendistro-reports-instances indices to reporting_full_access role would fix not requiring the workaround.

[zhongnansu]

Is there a way to create the system index (reports_instance_index or report_definition index) when the plugin loads.

[joshuali925]

i remember i tried previously but plugin loads before OpenSearch is ready to take create index requests. still need to look into permissions in security plugin, not sure if user can be allowed to create superadmin index

[gsmith-sas]

Is it possible to submit an API call, most likely using the "admin" user credentials, that will trigger the required initialization of the indices? If so, we could add such a call to our deployment tooling to take care of this during our initial deployment process. For example, could we request generation of a non-existent report knowing that the request will fail and handling that failure? Would that initialize the indices? I know that doesn't solve the real problem or work for all users, but it might in my narrow use-case.

[joshuali925]

@gsmith-sas Yes that would work if the call is after cluster is ready. Any reporting API would try to create the related index if it doesn't exist, so something like

curl -k https://admin:admin@localhost:9200  # make sure cluster is initialized
curl -k https://admin:admin@localhost:9200/_plugins/_reports/definitions
curl -k https://admin:admin@localhost:9200/_plugins/_reports/instances

would create .opendistro-reports-definitions and .opendistro-reports-instances

cc: @rupal-bq