Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Creating index_pattern via API/Curl for global tenant doesn't work #2038

Open
rdvansloten opened this issue Jul 15, 2024 · 3 comments
Open
Labels
bug Something isn't working triaged

Comments

@rdvansloten
Copy link

I've been googling around for a solid hour now, including getting into dead issues on this very repo, but nobody has seemingly given a working answer on how to create an index pattern for the global tenant in Opensearch Dashboards.

What I have working so far:

Admin tenant:

curl 'http://my-opensearch-dashboards:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'osd-xsrf: osd-fetch' \
-u 'user:password' \
-H "securitytenant: admin_tenant" \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp" }}'

Works flawlessly. However, switching admin_tenant to global_tenant or no value produces the same visual output:

{"type":"index-pattern","id":"xyz-xyz-xyz","attributes":{"title":"fluentd-*","timeFieldName":"@timestamp"},"references":[],"migrationVersion":{"index-pattern":"7.6.0"},"updated_at":"2024-07-15T21:55:05.903Z","version":"WzYsMV0=","namespaces":["default"]}

What also works is copying the entire browser request as a CURL. I noticed that when going into the browser local storage, this value:

opendistro::security::tenant::saved

is set to admin_tenant when on the admin_tenant, and to "" (not empty, but two quotes) when on global. However, when passing securitytenant: "" in a header, it defaults to creating it in __user__

When I dump two almost identical requests from the browser in OS Dashboards to CURL, the only difference is the cookie:

This one creates in admin:

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: localhost:56237' \
-H 'Origin: http://localhost:56237' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15' \
-H 'Referer: http://localhost:56237/app/management/opensearch-dashboards/indexPatterns/create' \
-H 'Content-Length: 17466' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: security_authentication=***8RS0g0'
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp","fields"
REDACTED

This one in global:

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: localhost:56237' \
-H 'Origin: http://localhost:56237' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15' \
-H 'Referer: http://localhost:56237/app/management/opensearch-dashboards/indexPatterns/create' \
-H 'Content-Length: 17466' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: security_authentication=***TIhBB1M' \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp","fields"
REDACTED

Sadly this is where my investigation ends, I have no idea how to decrypt a SHA265 cookie generated by Opensearch.

@rdvansloten rdvansloten added bug Something isn't working untriaged labels Jul 15, 2024
@rdvansloten
Copy link
Author

As I hit enter on this, I decided to try something dumb and I set it to "global"

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'osd-xsrf: osd-fetch' \
-u 'user:password' \
-H 'securitytenant: global' \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp" }}'

And it works. But this is poorly documented. Perhaps this can be fixed.

@kavilla
Copy link
Member

kavilla commented Jul 16, 2024

@rdvansloten,

Thank you for opening. Glad you were able to find that out. Will redirect to the security repo for follow-ups on docs.

@opensearch-project/admin could please redirect to the security repo. Seems like a documentation gap but the security team can provide more feedback if needed.

@kavilla kavilla removed the untriaged label Jul 16, 2024
@gaiksaya gaiksaya transferred this issue from opensearch-project/OpenSearch-Dashboards Jul 16, 2024
@stephen-crawford
Copy link
Contributor

[Triage] Hi @rdvansloten, thanks for filing this issue. It looks like this is a documentation problem so could someone from @opensearch-project/triage please transfer this over? Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working triaged
Projects
None yet
Development

No branches or pull requests

3 participants