Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

internal_users.yml expects opendistro specific security label #1339

Closed
stephaje opened this issue Jul 26, 2021 · 6 comments · Fixed by opensearch-project/documentation-website#892
Labels
bug Something isn't working

Comments

@stephaje
Copy link

Description
The security admin script throws an error when processing an internal_users.yml file matching the current provided documentation.

ERR: Seems /usr/share/opensearch/plugins/opensearch-security/securityconfig/internal_users.yml is not in OpenSearch Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "opensearch_security_roles" (class org.opensearch.security.securityconf.impl.v7.InternalUserV7), not marked as ignorable (8 known properties: "opendistro_security_roles", "backend_roles", "attributes", "reserved", "hidden", "description", "hash", "static"])

To Reproduce
Steps to reproduce the behavior:

  1. Place a internal_users.yml file matching the current documentation into your securityconfig folder.
  2. Run the security admin script
  3. See error

Expected behavior
I would expect the documented format to be accepted by the security admin script.

Plugins
OpenSearch Security Version: 1.0.0.0

Host/Environment (please complete the following information):

  • OS: Oracle Linux 7
  • OpenSearch Version: 1.0.0
@stephaje stephaje added Beta bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized labels Jul 26, 2021
@stephaje
Copy link
Author

Additionally, if one tries to use opendisto_security_roles instead of opensearch_security_roles, the following message occurs in opensearch.log:
[2021-07-26T13:52:55,231][ERROR][o.o.s.c.ConfigurationLoaderSecurity7] [gsx001.lab.core.ns.internal] Exception while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security) com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "opendistro_security_roles" (class org.opensearch.security.securityconf.impl.v6.InternalUserV6), not marked as ignorable (7 known properties: "readonly", "username", "attributes", "hidden", "password", "roles", "hash"]) at [Source: (String)"{"_meta":{"type":"internalusers","config_version":1},"bootstrap":{"hash":"$2y$12$QgdMncp9oVNYxWDqFjDEjuO2ROseQzGQnOr12P6xLIE8gadQXFCVC","reserved":false,"hidden":false,"opendistro_security_roles":["admin"],"backend_roles":["admin"],"static":false,"description":"Bootstrap user. Created and deleted during the bootstrap process."}}"; line: 1, column: 198] (through reference chain: org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration["bootstrap"]->org.opensearch.security.securityconf.impl.v6.InternalUserV6["opendistro_security_roles"])

It appears that the application is using a different version of security implementations than the security admin script. Although the security admin script can be overridden to validate on v6, this wouldn't be ideal.

@nebulon42
Copy link

Second error OP mentioned did not occur for me when using opendistro_security_roles.

@catalinmer
Copy link

Same issue with first error. opendistro_security_roles is the accepted property as opposed to what documentation says opensearch_security_roles

@davidlago davidlago removed Beta untriaged Require the attention of the repository maintainers and may need to be prioritized labels Dec 23, 2021
@davidlago
Copy link

It seems like this is still the case. @opensearch-project/security we should take a look.

@cwperks
Copy link
Member

cwperks commented Aug 15, 2022

This is wrong on the documentation website. I opened a PR to address this.

@davidlago
Copy link

We are doing some "spring cleaning in the fall", and to make sure we focus our energies on the right issues and we get a better picture of the state of the repo, we are closing all issues that we are carrying over from the ODFE era (ODFE is no longer supported/maintained, see post here).

If you believe this issue should still be considered for current versions of OpenSearch, apologies! Please let us know by re-opening it.

Thanks!

gaobinlong pushed a commit to gaobinlong/security that referenced this issue Aug 30, 2023
Signed-off-by: Craig Perkins <[email protected]>
Co-authored-by: Stephen Crawford <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
6 participants