[BUG] - Stale 'cluster:admin/opendistro/reports*' permissions in schema. How to upgrade? #1553

Closed
camAtGitHub opened this issue Jan 4, 2022 · 3 comments
Labels
bug Something isn't working triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable.

Comments

@camAtGitHub

Describe the bug
Having started on OpenSearch v1.0.0 and upgraded to every point and major release in between (currently on 1.2.3), the permissions still contain v1.0 permissions.
In particular I'm having issues with non-admin users accessing CSV export functionality.
I suspect the issue to be caused by 'stale/old/v.1.0.0' permissions.

Example of my current reporting groups:

# reports_read_access:
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_instances_read_access
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_full_access
cluster:admin/opendistro/reports/definition/update
cluster:admin/opendistro/reports/definition/on_demand
cluster:admin/opendistro/reports/definition/delete
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

I have found a number of issues: opensearch-project/reporting#214 opensearch-project/reporting#187 opensearch-project/reporting#187 that talk about renaming the permissions (paths?), but was any functionality for renaming existing permissions provided to users so they can upgrade their security schema in place?

QUESTION: How do I go about fixing the in-place v.1.0.0 security schema now running on OS v.1.2.3?

To Reproduce
Steps to reproduce the behavior:

  1. install opensearch v.1.0.0
  2. configure an in-depth RBAC permission scheme for indexes etc
  3. Upgrade to 1.2.3 via all versions in between.
  4. Try to get a non-admin user to export a CSV file

Expected behavior
non-admin user can export a CSV file

Plugins
OpenSearch v.1.2.3 - Docker image

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):
OpenSearch v.1.2.3 - Docker image

Additional context
Trying to export a CSV for non-user via reporting dashboard generates the following logs:

[2022-01-04T10:40:21,824][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,826][INFO ][o.o.r.i.ReportInstancesIndex] [charlie-act-dksn-elh1] reports:getAllReportInstances from:0, maxItems:10000, retCount:1, totalCount:1
[2022-01-04T10:40:21,828][INFO ][o.o.r.a.ReportDefinitionActions] [charlie-act-dksn-elh1] reports:ReportDefinition-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,829][INFO ][o.o.r.i.ReportDefinitionsIndex] [charlie-act-dksn-elh1] reports:getAllReportDefinitions from:0, maxItems:10000, retCount:0, totalCount:0
[2022-01-04T10:40:25,508][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-info y0CmJH4BSPf3xfYmupx9
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No index-level perm match for User [name=campbelltest, backend_roles=[os_reports_instances_read_access], requestedTenant=__user__] Resolved [aliases=[radius], allIndices=[.ds-radius-2022-000001, radius-2020-04, radius-2020-02, radius-2021-02, .ds-radius-2021-10-000001, radius-2021-05, radius-2020-05, radius-2021-07, radius-2020-07, radius-2021-08, radius-2020-11, radius-2020-03, radius-2020-09, radius-2021-06, radius-2021-01, radius-2020-12, .ds-radius-2021-000001, radius-2020-08, .ds-radius-import-2021-000001, radius-2020-10, radius-2020-01, radius-2021-04, radius-2021-03, radius-2020-06], types=[*], originalRequested=[radius], remoteIndices=[]] [Action [indices:monitor/settings/get]] [RolesChecked [acme_ldap_elastic_netsupp, os_reports_instances_read_access, reports_full_access, kibana_user, reports_read_access, reports_instances_read_access]]
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No permissions for [indices:monitor/settings/get]

These are the current permission groups:

# reports_read_access:
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_instances_read_access
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_full_access
cluster:admin/opendistro/reports/definition/update
cluster:admin/opendistro/reports/definition/on_demand
cluster:admin/opendistro/reports/definition/delete
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# ag_reports_instances_read_access:
cluster:admin/opensearch/reports/instance/list
cluster:admin/opensearch/reports/instance/get
cluster:admin/opensearch/reports/menu/download
indices:monitor/settings/get

QUESTION: How do I go about fixing the in-place v.1.0.0 security schema now running on OS v.1.2.3?
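
An added example, not part of the original thread or the project's code: a Python sketch that extracts the denied action from a `PrivilegesEvaluator` line like the ones above and flags action-group entries still using the `opendistro` reports prefix. The log line is a constructed, shortened sample; the rename target `cluster:admin/opensearch/reports` is assumed from the `ag_reports_instances_read_access` group in the post, and `fnmatch` only approximates the security plugin's wildcard matching.

```python
import re
from fnmatch import fnmatchcase

# Constructed, shortened denial line in the format quoted in the issue.
SAMPLE_LOG = (
    "[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [node-1] "
    "No index-level perm match for User [name=camtest, "
    "backend_roles=[os_reports_instances_read_access], requestedTenant=__user__] "
    "Resolved [aliases=[radius], allIndices=[radius-2020-04], types=[*]] "
    "[Action [indices:monitor/settings/get]] [RolesChecked [kibana_user, reports_read_access]]"
)
# Two of the permission groups listed in the issue.
ACTION_GROUPS = {
    "reports_instances_read_access": [
        "cluster:admin/opendistro/reports/instance/list",
        "cluster:admin/opendistro/reports/instance/get",
        "cluster:admin/opendistro/reports/menu/download",
    ],
    "ag_reports_instances_read_access": [
        "cluster:admin/opensearch/reports/instance/list",
        "cluster:admin/opensearch/reports/instance/get",
        "cluster:admin/opensearch/reports/menu/download",
        "indices:monitor/settings/get",
    ],
}
LEGACY = "cluster:admin/opendistro/reports"
RENAMED = "cluster:admin/opensearch/reports"  # assumed from the ag_ group above
DENIAL = re.compile(
    r"User \[name=(?P<user>[^,\]]+),.*?\[Action \[(?P<action>[^\]]+)\]\]"
    r".*?\[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def parse_denial(line):
    """Return user, denied action and checked roles, or None if no denial."""
    m = DENIAL.search(line)
    if not m:
        return None
    roles = [r.strip() for r in m.group("roles").split(",") if r.strip()]
    return {"user": m.group("user"), "action": m.group("action"), "roles": roles}

def stale_permissions(groups):
    """Map group -> {legacy permission: renamed candidate}; covers 'reports*' too."""
    return {name: stale for name, perms in groups.items()
            if (stale := {p: RENAMED + p[len(LEGACY):]
                          for p in perms if p.startswith(LEGACY)})}

def groups_granting(groups, action):
    """Groups with a permission pattern matching the action (fnmatch approximation)."""
    return sorted(n for n, ps in groups.items() if any(fnmatchcase(action, p) for p in ps))
```

Running `groups_granting` with the action returned by `parse_denial` shows which defined groups carry the denied permission, so it can be compared against the `RolesChecked` list in the same log line.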

@camAtGitHub camAtGitHub added Beta bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jan 4, 2022
@pawelw1

pawelw1 commented Jan 13, 2022

@camAtGitHub Are you reporting issues with branding in security schema or reports export using non-admin users?

If the export is the issue, then what is the behaviour? Are you able to export reports?

@camAtGitHub

camAtGitHub commented Jan 17, 2022

The problem is regarding 'report export using non-admin users'.

If the export is the issue, then are you able to export reports?

No, a regular user cannot. An admin user can.

What is the behaviour?

A non-admin user would perform the following:

  1. Using the OpenSearch dashboards: Run a search then 'save' it

  2. Then click Reporting > 'Generate CSV'.

  3. Error is 'Insufficient permissions. Reach out to your OpenSearch Dashboards administrator'

  4. The following logs are also generated on the server:

[2022-01-04T10:40:21,824][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,826][INFO ][o.o.r.i.ReportInstancesIndex] [charlie-act-dksn-elh1] reports:getAllReportInstances from:0, maxItems:10000, retCount:1, totalCount:1
[2022-01-04T10:40:21,828][INFO ][o.o.r.a.ReportDefinitionActions] [charlie-act-dksn-elh1] reports:ReportDefinition-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,829][INFO ][o.o.r.i.ReportDefinitionsIndex] [charlie-act-dksn-elh1] reports:getAllReportDefinitions from:0, maxItems:10000, retCount:0, totalCount:0
[2022-01-04T10:40:25,508][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-info y0CmJH4BSPf3xfYmupx9
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No index-level perm match for User [name=camtest, backend_roles=[os_reports_instances_read_access], requestedTenant=__user__] Resolved [aliases=[radius], allIndices=[.ds-radius-2022-000001, radius-2020-04, radius-2020-02, radius-2021-02, .ds-radius-2021-10-000001, radius-2021-05, radius-2020-05, radius-2021-07, radius-2020-07, radius-2021-08, radius-2020-11, radius-2020-03, radius-2020-09, radius-2021-06, radius-2021-01, radius-2020-12, .ds-radius-2021-000001, radius-2020-08, .ds-radius-import-2021-000001, radius-2020-10, radius-2020-01, radius-2021-04, radius-2021-03, radius-2020-06], types=[*], originalRequested=[radius], remoteIndices=[]] [Action [indices:monitor/settings/get]] [RolesChecked [acme_ldap_elastic_netsupp, os_reports_instances_read_access, reports_full_access, kibana_user, reports_read_access, reports_instances_read_access]]
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No permissions for [indices:monitor/settings/get]

I also have a secondary question. If I built the server using OSearch v1.0, with the security schema from v1.0 with 'opendistro' in it ('branding' as you call it) (I'd call it ACLs to APIs?), then when the paths to those APIs get fixed from '/opendistro/' to '/opensearch/', do I now have no access to these new paths because the security schema I'm running is not up to date with these new paths?
Should the upgrade process of upgrading the OpenSearch software/version check for such things and update my security schema also?

Many Thanks, Cam.

@peternied peternied removed the Beta label Apr 8, 2022
@davidlago davidlago removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Apr 12, 2022
@davidlago davidlago added the triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. label Oct 10, 2022
@pawelw1

pawelw1 commented Aug 23, 2023

@camAtGitHub Did you get your issue resolved? If not, would you mind opening a new thread in the OpenSearch Forum?
