[BREAKING][BUG] New transport action cluster:monitor/term is preventing authorization for non-wildcard permissions #4158

Closed
peternied opened this issue Mar 22, 2024 · 0 comments · Fixed by opensearch-project/OpenSearch#12866
Labels
breaking This issue is or proposes a breaking change bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized v2.13.0 Issues targeting release v2.13.0

Comments

@peternied
Member

What is the bug?
A new feature was added into OpenSearch core [1] that performs a lightweight query to see if the cluster metadata needs to be retrieved, or if local metadata can be used. A non-user-facing transport action was created, named cluster:monitor/term, and unless a user has been granted access, any cluster metadata related requests will fail.

How can one reproduce the bug?
./gradlew test --tests org.opensearch.security.DoNotFailOnForbiddenTests.shouldPerformCatIndices_positive

Output

Tests with failures:
 - org.opensearch.security.DoNotFailOnForbiddenTests.shouldPerformCatIndices_positive

Suite: Test class org.opensearch.security.DoNotFailOnForbiddenTests
  2> org.opensearch.client.ResponseException: method [GET], host [https://127.0.0.1:47210/], URI [/_cat/indices], status line [HTTP/1.1 403 Forbidden]
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [cluster:monitor/term] and User [name=limited_user, backend_roles=[], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [cluster:monitor/term] and User [name=limited_user, backend_roles=[], requestedTenant=null]"},"status":403}
        at __randomizedtesting.SeedInfo.seed([CDF68AC8EA8DBB0:5CF195486F6DF43B]:0)
        at app//org.opensearch.client.RestClient.convertResponse(RestClient.java:376)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:346)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:321)
        at app//org.opensearch.security.DoNotFailOnForbiddenTests.shouldPerformCatIndices_positive(DoNotFailOnForbiddenTests.java:437)

What is the expected behavior?
This new action should not need permissions to be performed; it should be renamed to internal:monitor/term.

Do you have any additional context?

@peternied peternied added bug Something isn't working untriaged Require the attention of the repository maintainers and may need to be prioritized breaking This issue is or proposes a breaking change v2.13.0 Issues targeting release v2.13.0 labels Mar 22, 2024
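A triage sketch for the failure reported above, added here as an example and not taken from the issue or from OpenSearch code: it parses the 403 `security_exception` body from the test output to recover the denied action and user, then lists which roles lack a cluster permission covering that action. The role names and permission lists are constructed, and plain `*` wildcard matching is an assumed simplification of how the security plugin matches permission patterns.

```python
import json
import re
from fnmatch import fnmatchcase

# Response body copied from the failing test output in the issue.
SAMPLE_BODY = (
    '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for '
    '[cluster:monitor/term] and User [name=limited_user, backend_roles=[], requestedTenant=null]"}],'
    '"type":"security_exception","reason":"no permissions for [cluster:monitor/term] and User '
    '[name=limited_user, backend_roles=[], requestedTenant=null]"},"status":403}'
)

# Constructed role definitions (hypothetical names), cluster permissions only.
SAMPLE_ROLES = {
    "limited_role": ["cluster:monitor/health", "cluster:monitor/state"],
    "monitor_all": ["cluster:monitor/*"],
    "admin_like": ["*"],
}

REASON_RE = re.compile(
    r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)"
)

def parse_denial(body):
    """Return (action, user) from a 403 security_exception body, else None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    err = doc.get("error") if isinstance(doc, dict) else None
    if not isinstance(err, dict):
        return None
    if doc.get("status") != 403 or err.get("type") != "security_exception":
        return None
    m = REASON_RE.search(err.get("reason", ""))
    return (m.group("action"), m.group("user")) if m else None

def roles_missing(action, roles):
    """Names of roles whose cluster permissions do not cover the action."""
    return sorted(
        name for name, perms in roles.items()
        if not any(fnmatchcase(action, pattern) for pattern in perms)
    )

if __name__ == "__main__":
    action, user = parse_denial(SAMPLE_BODY)
    print(user, "denied", action, "- roles lacking it:", roles_missing(action, SAMPLE_ROLES))
```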