[BUG] UI is not reflecting the correct Mapped Users

[devardee]

What is the bug?
When we create user and map roles using API, role mapping is not reflected in UI of "Mapped Users" section.

How can one reproduce the bug?
Steps to reproduce the behavior:

• Create a internal user using API. I have used below API call to create an internal user.

PUT _plugins/_security/api/internalusers/nikhil2
{
  "password": "xxxxxxxx",
  "opendistro_security_roles": ["all_access"]
}
Output:
{
  "status" : "CREATED",
  "message" : "'nikhil2' created."
}

• Go to Security -> Internal Users and you will be able to see that user has been created.

• Now go to Security -> Roles -> all_access and you will find that the newly created user is not mapped to "all_access" role in "Mapped Users" section. I am attaching screenshot for your reference.

However when you describe the user using below API call, you can see that "all_access" is mapped to user and user will be able to perform all actions on the domain.

GET _plugins/_security/api/internalusers/nikhil2

Output:
{
  "nikhil2" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "attributes" : { },
    "opendistro_security_roles" : [
      "all_access"
    ],
    "static" : false
  }
}

What is the expected behavior?
Security -> Roles -> all_access should show all the users mapped to a role

What is your host/environment?

• OS: [e.g. iOS]
• Version [e.g. 22]
• Plugins

Do you have any screenshots?
If applicable, add screenshots to help explain your problem.

Do you have any additional context?
Add any other context about the problem.

[peternied]

[Triage] @RyanL1997 Can you look into this issue to see what the scenario is, technically this looks correct, however this behavior is confusing to users.

@shanilpa Can you look into how we want to support these scenarios?

[devardee]

@peternied , I would also like to contribute on this

[RyanL1997]

Hi @devardee, thanks for filling this issue. Here are some outputs from my side according to the reproduction of this issue:

1. By running the following I created a internal user without specifying the opendistro_security_roles:

PUT _plugins/_security/api/internalusers/test01
{
  "password": "password"
}

2. And then I run this following commands to create a roles mapping for all_access:

PUT _plugins/_security/api/rolesmapping/all_access
{
  "users" : [ "admin", "test01" ]
}

3. I went to the UI panels Security>Roles>all_access to check the mapping I just created and it works.(see the following screenshot)

4. However, back to the Dev Tools, when I did the API call to check the internal user I just created:

GET _plugins/_security/api/internalusers/test01

Output:
{
  "test01" : {
    "hash" : "",
    "reserved" : false,
    "hidden" : false,
    "backend_roles" : [ ],
    "attributes" : { },
    "opendistro_security_roles" : [ ],
    "static" : false
  }
}

As you can see, even the roles mapping shows correct in the panel of step 3., the field of opendistro_security_roles in step 4. is still empty. I think this may relate to the issue here: opensearch-project/security#2058. What I'm thinking for now is that this should be the expected behavior. But, I will also check to see if opendistro_security_roles is a legacy variable. I will do more investigation on this and update with you again.

[davidlago]

Closing as expected behavior, please re-open with more details if that is not the case.