security-dashboards-plugin

[BUG] multitenancy disabled still makes calls for tenancy

Open kavilla opened this issue 1 year ago • 5 comments

What is the bug? On start up, https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/plugin.ts#L191 calls out to get tenant info. But if I do not have tenancy enabled on my cluster and disable multitenancy in my config with opensearch_security.multitenancy.enabled: false, I get a 403 on start up and OSD crashes, for example:

server    log   [01:46:27.126] [error][plugins][securityDashboards] StatusCodeError: Authorization Exception
    at respond (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:525:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 403,
  displayName: 'AuthorizationException',
  path: '/_plugins/_security/tenantinfo',
  query: {},
  body: undefined,
  statusCode: 403,
  response: '',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}
Unhandled Promise rejection detected:

StatusCodeError: Authorization Exception
    at respond (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/home/ubuntu/repos/OpenSearch-Dashboards-1/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:525:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1359:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 403,
  displayName: 'AuthorizationException',
  path: '/_plugins/_security/tenantinfo',
  query: {},
  body: undefined,
  statusCode: 403,
  response: '',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}

What is the expected behavior? OSD does need to make a call out to get tenant info if multitenancy is disabled. To further expand, there is a configuration, migrations.skip, that skips the migration process on the .kibana index. I believe that migrations call should also respect this configuration.

kavilla avatar Jan 31 '24 02:01 kavilla

@derek-ho was this addressed with your recent changes?

peternied avatar Jan 31 '24 23:01 peternied

I don't think so, but let me try to reproduce

derek-ho avatar Feb 05 '24 14:02 derek-ho

@kavilla I was not able to reproduce the bug. I believe we are already hiding that call behind the config's value for multi tenancy enabled here: https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/plugin.ts#L178. Can you share more detailed reproduction steps? Were you switching this value from true to false? I believe @cwperks said that a reboot of OSD is needed when this value changes. Are you able to reproduce this on main and 2.x?

derek-ho avatar Feb 05 '24 15:02 derek-ho
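
The startup guard discussed in this thread, as an added example that is not the plugin's own code: it skips the tenantinfo request when multitenancy is disabled, and awaits the request inside try/catch so a 403 is logged rather than surfacing as an unhandled promise rejection. The function names, the flat config object and the stub client are assumptions made for illustration.

```javascript
// Added illustration. Function names and the config object shape are hypothetical.
const TENANT_INFO_PATH = '/_plugins/_security/tenantinfo'; // path from the logged error

// Startup should query tenant info only when multitenancy is on and
// migrations are not skipped (the latter is the reporter's suggestion).
function shouldFetchTenantInfo(config) {
  return config.multitenancyEnabled === true && config.migrationsSkip !== true;
}

// Awaiting inside try/catch turns a rejected request into a logged result
// instead of an unhandled promise rejection that ends the process.
async function runTenantStartup(config, client, log) {
  if (!shouldFetchTenantInfo(config)) return { called: false, ok: true };
  try {
    const tenants = await client.get(TENANT_INFO_PATH);
    return { called: true, ok: true, tenants };
  } catch (err) {
    log.push(`tenantinfo request failed: ${err.statusCode} ${err.displayName}`);
    return { called: true, ok: false, statusCode: err.statusCode };
  }
}

// Constructed stand-in for the cluster client: counts calls, always answers 403.
function makeDenyingClient() {
  const client = { calls: 0 };
  client.get = async (path) => {
    client.calls += 1;
    const err = new Error('Authorization Exception');
    throw Object.assign(err, { statusCode: 403, displayName: 'AuthorizationException', path });
  };
  return client;
}

async function demo() {
  const log = [];
  const offClient = makeDenyingClient();
  const off = await runTenantStartup({ multitenancyEnabled: false, migrationsSkip: false }, offClient, log);
  const onClient = makeDenyingClient();
  const on = await runTenantStartup({ multitenancyEnabled: true, migrationsSkip: false }, onClient, log);
  return { off, offCalls: offClient.calls, on, onCalls: onClient.calls, log };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```
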

[Triage] Hi @kavilla thank you for filing this issue. If you could please follow up with the info @derek-ho requested, hopefully we should be able to move forward from there and make sure this is addressed if it is not already.

stephen-crawford avatar Feb 05 '24 16:02 stephen-crawford

I'm getting the same issue with multi tenancy enabled, steps to reproduce:

  1. Run OpenSearch 3.0.0 tarball or opensearchstaging/opensearch 3.0.0 docker image
  2. Run OSD locally from main with security-dashboards-plugin@main
  3. yarn start, the server crashes with error:
StatusCodeError: Authorization Exception
    at respond (/Users/ruanyl/project/OpenSearch-Dashboards-latest/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/Users/ruanyl/project/OpenSearch-Dashboards-latest/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/Users/ruanyl/project/OpenSearch-Dashboards-latest/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/Users/ruanyl/project/OpenSearch-Dashboards-latest/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (node:events:529:35)
    at IncomingMessage.emit (node:domain:489:12)
    at endReadableNT (node:internal/streams/readable:1400:12)
    at processTicksAndRejections (node:internal/process/task_queues:82:21) {
  status: 403,
  displayName: 'AuthorizationException',
  path: '/_plugins/_security/tenantinfo',
  query: {},
  body: undefined,
  statusCode: 403,
  response: '',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}

ruanyl avatar Apr 02 '24 06:04 ruanyl

@ruanyl @kavilla still not able to reproduce this issue - can you share your opensearch_dashboards.yml, as well as your backend security config?

derek-ho avatar Apr 02 '24 17:04 derek-ho