Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Flawed UI Settings handling causes 500 error #4576

Open
AMoo-Miki opened this issue Jul 14, 2023 · 1 comment
Open

[BUG] Flawed UI Settings handling causes 500 error #4576

AMoo-Miki opened this issue Jul 14, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@AMoo-Miki
Copy link
Collaborator

AMoo-Miki commented Jul 14, 2023
edited
Loading

Describe the bug

OSD fetches the config:<version> from the metadata store and uses the output without proper if it is correctly formatted. This can result in unhelpful 500 errors.

SavedObjectsRepository.get makes the call to get the metadata attributes; here type = 'config'

OpenSearch-Dashboards/src/core/server/saved_objects/service/lib/repository.ts

Lines 988 to 998 in fe1f1d1

return {
id,
type,
namespaces,
...(originId && { originId }),
...(updatedAt && { updated_at: updatedAt }),
version: encodeHitVersion(body),
attributes: body._source[type],
references: body._source.references || [],
migrationVersion: body._source.migrationVersion,
};

The output can contain attributes: undefined when _source = {}. The attributes are indiscriminately passed on:

OpenSearch-Dashboards/src/core/server/ui_settings/ui_settings_client.ts

Lines 234 to 235 in fe1f1d1

const resp = await this.savedObjectsClient.get<Record<string, any>>(this.type, this.id);
return this.translateChanges(resp.attributes, 'timelion', 'timeline');

And are used without any care in

OpenSearch-Dashboards/src/core/server/ui_settings/ui_settings_client.ts

Lines 280 to 285 in fe1f1d1

private translateChanges(changes: Record<string, any>, source: string, dest: string) {
return Object.keys(changes).reduce((translatedChanges: Record<string, any>, key: string) => {
translatedChanges[key.replace(source, dest)] = changes[key];
return translatedChanges;
}, {});
}

This results in a TypeError which caught and re-thrown.

Expected behavior
A beautiful notification telling me that my configuration is corrupted because _source is expected to have something in it. Or, at least don't show a 500 error. The code should not attempt to create it because _source being empty could be due to Field Level Security.
@AMoo-Miki AMoo-Miki added bug Something isn't working untriaged and removed untriaged labels Jul 14, 2023
@AMoo-Miki AMoo-Miki changed the title [BUG] Flawed UI Settings handling [BUG] Flawed UI Settings handling causes 500 error Jul 14, 2023
@kavilla
Copy link
Member

kavilla commented Jul 17, 2023
edited
Loading

@AMoo-Miki can another issue/campaign be implemented to avoid this common re-occurrence that plugins gives end users the ability to directly impact system indices without them knowing about it?

Within core OpenSearch Dashboards, the default behavior is to hide system indices so the user can have no clue that requests related to indices and pass wildcard can hit system indices. Nor do I think they usually want to. For this, I wouldn't see the benefit in FLS on non-data indices. Or applying a index mapping template to system indices (modifying .kibana).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AMoo-Miki @kavilla