Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] 2.10 Secure Integ Tests for Geospatial Plugin are failing due to migration of .opendistro-job-scheduler-lock index to System Index #492

Closed
navneet1v opened this issue Sep 12, 2023 · 11 comments
Closed

[BUG] 2.10 Secure Integ Tests for Geospatial Plugin are failing due to migration of .opendistro-job-scheduler-lock index to System Index #492

navneet1v opened this issue Sep 12, 2023 · 11 comments
Labels
bug Something isn't working

Comments

@navneet1v
Copy link

navneet1v commented Sep 12, 2023
edited
Loading

Hi,
As part of 2.10 release of OpenSearch, the Security enabled Integ Tests for Geospatial Plugin are failing due to migration of .opendistro-job-scheduler-lock index to System Index.

Change which have caused the issue PR: #478

Error log:

org.opensearch.client.ResponseException: method [PUT], host [https://localhost:9200/], URI [_plugins/geospatial/ip2geo/datasource/updatedatasourceitnz], status line [HTTP/1.1 403 Forbidden]
    Warnings: [this request accesses system indices: [.opendistro-job-scheduler-lock], but in a future major version, direct access to system indices will be prevented by default]
    {"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"},"status":403}
        at __randomizedtesting.SeedInfo.seed([2B29E33EB32391D4:5305C83A89F8B2E]:0)
        at app//org.opensearch.client.RestClient.convertResponse(RestClient.java:376)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:346)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:321)
        at app//org.opensearch.geospatial.GeospatialRestTestCase.createDatasource(GeospatialRestTestCase.java:122)
        at app//org.opensearch.geospatial.ip2geo.action.UpdateDatasourceIT.testUpdateDatasource_whenIncompatibleFields_thenFails(UpdateDatasourceIT.java:77)

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [] and User [name=admin, backend_roles=[admin], requestedTenant=null]"},"status":403}
        at __randomizedtesting.SeedInfo.seed([2B29E33EB32391D4:53E53D6A9674E6]:0)
        at app//org.opensearch.client.RestClient.convertResponse(RestClient.java:376)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:346)
        at app//org.opensearch.client.RestClient.performRequest(RestClient.java:321)

The Geospatial plugin is not accessing this index of its own and reusing the Job Scheduler interfaces. Can you please look into this?
@navneet1v navneet1v added bug Something isn't working untriaged labels Sep 12, 2023
@sbcd90
Copy link
Contributor

sbcd90 commented Sep 12, 2023

ism also face same issue cc: @bowenlan-amzn

@navneet1v
Copy link
Author

cc: @CEHENKLE , @bbarani

@cwperks
Copy link
Member

cwperks commented Sep 12, 2023
edited
Loading

@navneet1v @sbcd90 Are you receiving this while trying to meddle (most likely delete) with the index in some way?

This index was added to the security plugin's list of system indices to give it system index protection which means even admin cannot delete the index. To delete the index you would need to connect with the admin certificate.

It was added in opensearch-project/security#3237

@navneet1v
Copy link
Author

navneet1v commented Sep 12, 2023
edited
Loading

@navneet1v @sbcd90 Are you receiving this while trying to meddle (most likely delete) with the index in some way?

No, plugin is not deleting the index

@cwperks

@sbcd90
Copy link
Contributor

sbcd90 commented Sep 12, 2023

we get this error while indexing & searching on this index.

@navneet1v
Copy link
Author

we get this error while indexing & searching on this index.

+1

@cwperks
Copy link
Member

cwperks commented Sep 12, 2023

@joshpalis ^

I know you were facing issues with stashing the thread context in JobScheduler. Could this be related? ThreadContext stashing may be required in JS

@stephen-crawford
Copy link

Security needs signoff from Job Scheduler maintainers that reverting is the preferred path forward. The alternative is to correct the behavior to unblock Navneet.

This is the PR to revert but we need a clear decision from job scheduler that is what you want to do: opensearch-project/security#3351 (review)

@peternied peternied mentioned this issue Sep 12, 2023
Merged
3 tasks
@joshpalis
Copy link
Member

joshpalis commented Sep 12, 2023
edited
Loading

I know you were facing issues with stashing the thread context in JobScheduler. Could this be related? ThreadContext stashing may be required in JS

Since this issue is on the path of indexing/searching it may be necessary to stash the thread context in JobScheduler for every CRUD operation on the lock index. This would require modifications to the integration tests that I observed were consistently failing when the thread context was stashed. I concur with @scrawfor99, we'll need to revert this security PR to unblock the 2.10 release in a timely manner and handle stashing the thread context in the next release

CC : @cwperks @vibrantvarun

@peterzhuamazon peterzhuamazon mentioned this issue Sep 12, 2023
Closed
71 tasks
stephen-crawford added a commit to opensearch-project/security that referenced this issue Sep 12, 2023
@stephen-crawford
Remove .opendistro-job-scheduler-lock from list of protected indices …
6daa697 
…(reverts #3237) (#3351)

### Description
- Resolves
opensearch-project/job-scheduler#492 , where
it was expected that the job schedule index is not protected.


### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@joshpalis joshpalis mentioned this issue Sep 12, 2023
Merged
5 tasks
@joshpalis
Copy link
Member

I have raised a PR to revert the system index change for 2.10 : #494

CC : @scrawfor99

@joshpalis joshpalis mentioned this issue Sep 13, 2023
Closed
@joshpalis
Copy link
Member

@navneet1v 2.10 RC generation was successful. I've raise this issue to track the next steps to resolve the system index issues

@joshpalis joshpalis mentioned this issue Sep 20, 2023
Merged
3 tasks
willyborankin pushed a commit to opensearch-project/security that referenced this issue Sep 25, 2023
@joshpalis
removing opendistro-job-scheduler-lock from list of protected indices (
f09a6aa 
…#3383)

### Description
Coming from
opensearch-project/job-scheduler#492

As mitigation, removing `.opendistro-job-scheduler-lock` from list of
protected indices for 3.x/2.x. The lock index will still remain as a
system index.

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Joshua Palis <jpalis@amazon.com>
opensearch-trigger-bot bot pushed a commit to opensearch-project/security that referenced this issue Sep 25, 2023
@github-actions
removing opendistro-job-scheduler-lock from list of protected indices (
33858a2 
…#3383)

### Description
Coming from
opensearch-project/job-scheduler#492

As mitigation, removing `.opendistro-job-scheduler-lock` from list of
protected indices for 3.x/2.x. The lock index will still remain as a
system index.

### Check List
- [ ] New functionality includes testing
- [ ] New functionality has been documented
- [X] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Joshua Palis <jpalis@amazon.com>
(cherry picked from commit f09a6aa)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
DarshitChanpura pushed a commit to DarshitChanpura/security that referenced this issue Sep 27, 2023
@stephen-crawford @DarshitChanpura
Remove .opendistro-job-scheduler-lock from list of protected indices …
51da2af 
…(reverts opensearch-project#3237) (opensearch-project#3351)

### Description
- Resolves
opensearch-project/job-scheduler#492 , where
it was expected that the job schedule index is not protected.


### Check List
- [ ] ~New functionality includes testing~
- [ ] ~New functionality has been documented~
- [x] Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Signed-off-by: Stephen Crawford <steecraw@amazon.com>
@cwperks cwperks mentioned this issue Jun 13, 2024
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@sbcd90 @navneet1v @cwperks @stephen-crawford @minalsha @joshpalis