reporting icon indicating copy to clipboard operation
reporting copied to clipboard

Published 20 hours ago verified publisher icon opensearch-project

[BUG] Reports indices cannot be created with reporting_full_access role

Open joshuali925 opened this issue 2 years ago • 5 comments

Describe the bug coming from https://discuss.opendistrocommunity.dev/t/reporting-insufficient-permissions-error/8764

To Reproduce Steps to reproduce the behavior:

  1. Create a user with reporting_full_access
  2. Use created user to generate a report
  3. Error
  displayName: 'AuthorizationException',
  message:
   '[security_exception] no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]',
  path: '/_plugins/_reports/on_demand',
  query: {},
  body:
   { error:
      { root_cause: [Array],
        type: 'security_exception',
        reason:
         'no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]' },
     status: 403 },
  statusCode: 403,
  response:
   '{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]"}],"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=user, backend_roles=[], requestedTenant=]"},"status":403}',
  1. Use admin and open reporting plugin page in dashboards
  2. Repeat step 2, report can now be generated

Expected behavior A clear and concise description of what you expected to happen.

Plugins Please list all plugins currently enabled.

Screenshots If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • OS: [e.g. iOS]
  • Version [e.g. 22]

Additional context Add any other context about the problem here.

joshuali925 avatar Mar 18 '22 22:03 joshuali925

Workaround acessing with admin first works fine.

I guess adding indices:admin/create permission to create .opendistro-reports-definitions and .opendistro-reports-instances indices to reporting_full_access role would fix not requiring the workaround.

trunet avatar Jun 02 '22 14:06 trunet

Is there a way to create the system index (reports_instance_index or report_definition index) when the plugin loads.

zhongnansu avatar Jun 02 '22 17:06 zhongnansu

i remember i tried previously but plugin loads before OpenSearch is ready to take create index requests. still need to look into permissions in security plugin, not sure if user can be allowed to create superadmin index

joshuali925 avatar Jun 02 '22 17:06 joshuali925

Is it possible to submit an API call, most likely using the "admin" user credentials, that will trigger the required initialization of the indices? If so, we could add such a call to our deployment tooling to take care of this during our initial deployment process. For example, could we request generation of a non-existent report knowing that the request will fail and handling that failure? Would that initialize the indices? I know that doesn't solve the real problem or work for all users, but it might in my narrow use-case.

gsmith-sas avatar Dec 01 '22 16:12 gsmith-sas

@gsmith-sas Yes that would work if the call is after cluster is ready. Any reporting API would try to create the related index if it doesn't exist, so something like

curl -k https://admin:admin@localhost:9200  # make sure cluster is initialized
curl -k https://admin:admin@localhost:9200/_plugins/_reports/definitions
curl -k https://admin:admin@localhost:9200/_plugins/_reports/instances

would create .opendistro-reports-definitions and .opendistro-reports-instances

cc: @rupal-bq

joshuali925 avatar Dec 01 '22 17:12 joshuali925