Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] saved object can't be created when permissions provided #6314

Open
wanglam opened this issue Apr 2, 2024 · 2 comments · Fixed by #6052
Open

[BUG] saved object can't be created when permissions provided #6314

wanglam opened this issue Apr 2, 2024 · 2 comments · Fixed by #6052
Assignees
@wanglam
Labels
bug Something isn't working workspace

Comments

@wanglam
Copy link
Contributor

wanglam commented Apr 2, 2024
edited
Loading

Describe the bug

The saved object can't be created when permissions property provided and multi tenant enabled. The savedObjects.permissions.enabled in buildActiveMapping method is undefined. The permissions property won't be added to the mapping.

To Reproduce
Steps to reproduce the behavior:

  1. Enable saved objects permissions control and multi tenant
    Add below config to config/opensearch_dashboards.yml
savedObjects.permission.enabled: true
opensearch_security.multitenancy.enabled: true
  1. Run yarn start --no-base-path, start OSD server
  2. Go to devtools page
  3. Create workspace with below code
PUT .kibana/_doc/workspace:foo
{
  "type": "workspace",
  "workspace": {
    "name": "foo"
  },
  "permissions":{
    "read": {"users": ["test"]}
  }
}
  1. The API response below error
{
  "error": {
    "root_cause": [
      {
        "type": "strict_dynamic_mapping_exception",
        "reason": "mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed"
      }
    ],
    "type": "strict_dynamic_mapping_exception",
    "reason": "mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed"
  },
  "status": 400
}

Expected behavior
Saved object should be created successful.

OpenSearch Version
3.0.0

Dashboards Version
3.0.0

Plugins
security-plugin

Screenshots

image

Host/Environment (please complete the following information):
N/A

Additional context
N/A
@wanglam wanglam added bug Something isn't working untriaged labels Apr 2, 2024
@wanglam wanglam mentioned this issue Apr 2, 2024
Merged
7 tasks
@kavilla kavilla removed the untriaged label Apr 2, 2024
@kavilla kavilla linked a pull request Apr 2, 2024 that will close this issue
[Workspace]Add permission control logic for workspace #6052
Merged
7 tasks
@SuZhou-Joe SuZhou-Joe reopened this Apr 3, 2024
@gaobinlong
Copy link
Contributor

Just as the logic in OSD-core:

OpenSearch-Dashboards/src/core/server/saved_objects/migrations/opensearch_dashboards/opensearch_dashboards_migrator.ts

Line 116 in fb31b2d

this.activeMappings = buildActiveMappings(
, security-dashboard-plugin should also pass the second parameter opensearchDashboardsRawConfig when calling the method buildActiveMappings, so that index migration can be triggered for each tenant index and the field permissions could be added to the mappings of the tenant index.

@kavilla kavilla removed the untriaged label Apr 8, 2024
@kavilla
Copy link
Member

kavilla commented Apr 8, 2024

removing triage label as it was added automatically.

This was referenced Apr 25, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wanglam wanglam

Labels
bug Something isn't working workspace
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Workspace]Add permission control logic for workspace wanglam/OpenSearch-Dashboards
4 participants
@wanglam @kavilla @SuZhou-Joe @gaobinlong