Error when specify Document Level Security query in roles

hassan_elferga · December 6, 2021, 9:53am

We are running OpenSearch domain on AWS, the Domain was v7.10 and we have successfully upgraded it to OpenSearch v1.0
We have the following scenario:

We create custom roles and custom tenants to allow teams to access their data that belong to their AWS accounts only.
When we create the role, we specified Document Level Security query similar to this
{

“terms”: {
```
 "accountId": [

     "xxxx",

     "yyyy"

 ]
```
}

}
and we have mapped the users to the roles.
3. Before the upgrade, things were working as expected, but after upgrading to OpenSearch version, users assigned to the custom roles with DLS query always got this error
{“statusCode”:404,“error”:“Not Found”,“message”:“Saved object [config/1.0.0-SNAPSHOT] not found”}
4. When we remove the DLS query from the role, users are able to access the data.

What could be the reason for this error with DLS query in the Role definition?
We have contacted AWS Support and they are trying to regenerate the issue

Thanks in Advance

nizeanh · February 24, 2022, 10:40pm

Hi, did this ever get resolved? I’m having similar issues

markbz · May 4, 2022, 3:31am

I am having similar issues too.

markbz · May 4, 2022, 6:27am

For the domain that you are having issues with, is it opensearch V1.2 or V1.0?

Anthony · May 4, 2022, 7:20am

@markbz can you paste the DLS query that you are using? and give examples of what behaviour you are trying to achieve?

markbz · May 4, 2022, 7:28am

I cannot get the exact query, because I cannot even use the Kibana any more after I made the change. Basically, I am trying something as simple as allowing the role to access all the people who have the same family name.

Anthony · May 4, 2022, 7:31am

Can you use below query to achieve this?

{"bool": {"must": { "match": { "family_name": "smith"}}}}

markbz · May 4, 2022, 7:31am

Were you able to get the DLS query work with Opensearch?

Anthony · May 4, 2022, 7:33am

yes, the above query works, similarly below would work as well:

{“bool”: {“filter”: [{“term”: { “host”: “something” }}]}}

*Currently running test cluster with OS1.2.4

markbz · May 4, 2022, 7:50am

The problem might have been due to the V1.0 that I’ve been using.

Anthony · May 4, 2022, 7:59am

I don’t think so, just tested using 1.0.0, same result

Watch out for

"

“ != "

Always use "

hassan_elferga · May 6, 2022, 8:12pm

The issue was corrupted index during migration. AWS team was able to restore the index and then we noticed the DLS query need updates. I will posted the update query.
Sorry for late response

karthik · August 1, 2022, 1:38pm

Having same issue but this is a fresh installation we are using opensearch 1.3.1 and dashboards 1.3.1,

We are able to make curl requests directly to opensearch cluster and get expected results but when we try to login through dashboards as the same user, we get 500 error in the browser and in the dashboard logs it says saved object config [1.3.1] not found

Could someone please help if you have faced this issue

Topic		Replies	Views
Adding document level security doesnt let user login to dashboard Security	3	244	September 25, 2024
Document level security - filter does not work Security troubleshoot , configure	4	480	June 1, 2022
Empty document-level security statement causes filtering of results Security troubleshoot , documentation	1	321	October 27, 2023
Some Permission related queries Security discuss , troubleshoot	7	1061	December 19, 2022
Users unable to save queries Security troubleshoot	7	2012	March 30, 2022

Error when specify Document Level Security query in roles

Related topics