Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Backend role mapping is not found by AWS resource if deployed via api #4595

Closed
alwashali opened this issue Jul 19, 2024 · 2 comments
Closed

[BUG] Backend role mapping is not found by AWS resource if deployed via api #4595

alwashali opened this issue Jul 19, 2024 · 2 comments
Labels
bug Something isn't working Plugins untriaged Require the attention of the repository maintainers and may need to be prioritized

Comments

@alwashali
Copy link

Describe the bug

If a role is deployed manually via UI AWS lambda will identify the role and permission
if the role is created via API, such as dev tool, lambda will always throws below error

{'type': 'security_exception', 'reason': 'no permissions for [indices:data/write/delete/byquery] and User [name=arn:aws:iam::111111111111111:role/lambdaOpenSearchRole, backend_roles=[arn:aws:iam::111111111111111:role/lambdaOpenSearchRole], requestedTenant=null]'}], 'type': 'security_exception', 'reason': 'no permissions for [indices:data/write/delete/byquery] and User [name=arn:aws:iam::111111111111111:role/lambdaOpenSearchRole, backend_roles=[arn:aws:iam::111111111111111:role/lambdaOpenSearchRole], requestedTenant=null]'}, 'status': 403}

Related component

Plugins

To Reproduce

  1. Create a role via API (dev tool)
  2. Map the role to a backend role to AWS role via API
  3. Test with a lambda python code for any simple task such as getting a document by ID
PUT _plugins/_security/api/roles/test_role
{
  "cluster_permissions": [
    "cluster_all",
    "indices:data/write/bulk",
    "indices:data/write/bulk*",
    "indices:data/read/scroll",
    "indices:data/read/scroll/clear"
  ],
  "index_permissions": [
    {
      "index_patterns": [
        "*"
      ],
      "dls": "",
      "fls": [],
      "masked_fields": [],
      "allowed_actions": [
        "delete",
        "indices:data/write/delete/byquery",
        "crud",
        "write",
        "data_access"
      ]
    }
  ],
  "tenant_permissions": [
    {
      "tenant_patterns": [
        "global_tenant"
      ],
      "allowed_actions": [
        "kibana_all_write"
      ]
    }
  ]
}

PUT _plugins/_security/api/rolesmapping/test_role
{
  "backend_roles": [
    "arn:aws:iam::111111111111:role/lambdaOpenSearchRole"
  ]
}```


### Expected behavior

Lambda should be allowed to execute the operation with the authorisation of the mapped role regardless whether it's created via API or UI. 

### Additional Details

**Plugins**
 analysis-ik                          2.11.0
 analysis-icu                         2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0
 analysis-icu                         2.11.0
 analysis-ik                          2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0
 analysis-icu                         2.11.0
 analysis-ik                          2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0
 analysis-icu                         2.11.0
 analysis-ik                          2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0
 analysis-icu                         2.11.0
 analysis-ik                          2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0
 analysis-icu                         2.11.0
 analysis-ik                          2.11.0
 analysis-kuromoji                    2.11.0
 analysis-phonetic                    2.11.0
 analysis-seunjeon                    2.11.0
 analysis-smartcn                     2.11.0
 analysis-stempel                     2.11.0
 analysis-thaichub2                   2.11.0
 analysis-ukrainian                   2.11.0
 crypto-kms                           2.11.0
 discovery-ec2                        2.11.0
 elasticsearch-aes-iam                1.0.0
 elasticsearch-aes-remote-reindex     2.11.0
 ingest-attachment                    2.11.0
 kraken                               unspecified
 kraken-index-management-extension    x.x.x.x
 ltr                                  1.5.10-opensearch-2.11.0-SNAPSHOT
 mapper-murmur3                       2.11.0
 mapper-size                          2.11.0
 opensearch-alerting                  x.x.x.x
 opensearch-analysis-vietnamese       2.11.0
 opensearch-anomaly-detection         x.x.x.x
 opensearch-asynchronous-search       x.x.x.x
 opensearch-cross-cluster             2.11.0
 opensearch-cross-cluster-replication x.x.x.x
 opensearch-custom-codecs             x.x.x.x
 opensearch-geospatial                x.x.x.x
 opensearch-index-management          x.x.x.x
 opensearch-jetty                     2.2.0
 opensearch-job-scheduler             x.x.x.x
 opensearch-knn                       x.x.x.x
 opensearch-ml                        x.x.x.x
 opensearch-neural-search             x.x.x.x
 opensearch-notifications             x.x.x.x
 opensearch-notifications-core        x.x.x.x
 opensearch-observability             x.x.x.x
 opensearch-reports-scheduler         x.x.x.x
 opensearch-security                  x.x.x.x
 opensearch-security-analytics        x.x.x.x
 opensearch-sql                       x.x.x.x
 performance-analyzer                 x.x.x.x
 repository-s3                        2.11.0
 sifi-remediation-plugin              x.x.x.x
 telemetry-otel                       2.11.0


**Screenshots**
If applicable, add screenshots to help explain your problem.

**Host/Environment (please complete the following information):**
 - OS: [AWS managed Opensearch]
 - Version [ v 2.11.0]

**Additional context**
Add any other context about the problem here.
@alwashali alwashali added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jul 19, 2024
@peternied peternied changed the title [BUG] <Backend role mapping is not found by AWS resource if deployed via api> [BUG] Backend role mapping is not found by AWS resource if deployed via api Jul 24, 2024
@peternied
Copy link
Member

[Triage - attendees 1 2]
@alwashali Thanks for creating this issue, it looks like this is related to the security plugin, I'm going to transfer this issue to that repository. Note; it looks like you are using AWS' OpenSearch service, I would recommend creating a support ticket with them for a faster/ more complete response.

@peternied peternied removed the untriaged Require the attention of the repository maintainers and may need to be prioritized label Jul 24, 2024
@peternied peternied transferred this issue from opensearch-project/OpenSearch Jul 24, 2024
@github-actions github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Jul 24, 2024
@stephen-crawford
Copy link
Contributor

[Triage] Hi @alwashali, thanks for filing this issue. This looks like an AWS OpenSearch Service question. Unfortunately, we are unable to provide support for these issues as this project is for the open-source code base. Please contact your AWS service team or file a support ticket for this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Plugins untriaged Require the attention of the repository maintainers and may need to be prioritized
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peternied @alwashali @stephen-crawford