Error when specifying a Document Level Security query in roles

We are running an OpenSearch domain on AWS. The domain was v7.10 and we have successfully upgraded it to OpenSearch v1.0.
We have the following scenario:

  1. We create custom roles and custom tenants to allow teams to access the data that belongs to their AWS accounts only.

  2. When we create the role, we specify a Document Level Security query similar to this:

         {
           "terms": {
             "accountId": [
               "xxxx",
               "yyyy"
             ]
           }
         }

     and we have mapped the users to the roles.

  3. Before the upgrade, things were working as expected, but after upgrading to OpenSearch version, users assigned to the custom roles with a DLS query always got this error:

         {"statusCode":404,"error":"Not Found","message":"Saved object [config/1.0.0-SNAPSHOT] not found"}

  4. When we remove the DLS query from the role, users are able to access the data.

What could be the reason for this error with DLS query in the Role definition?
We have contacted AWS Support and they are trying to regenerate the issue

Thanks in Advance

Hi, did this ever get resolved? I’m having similar issues

I am having similar issues too.

For the domain that you are having issues with, is it OpenSearch V1.2 or V1.0?

@markbz Can you paste the DLS query that you are using, and give examples of what behaviour you are trying to achieve?

I cannot get the exact query, because I cannot even use Kibana any more after I made the change. Basically, I am trying something as simple as allowing the role to access all the people who have the same family name.

Can you use the query below to achieve this?

{"bool": {"must": { "match": { "family_name": "smith"}}}}

Were you able to get the DLS query to work with OpenSearch?

Yes, the above query works; similarly, the one below would work as well:

{"bool": {"filter": [{"term": { "host": "something" }}]}}

*Currently running test cluster with OS1.2.4

The problem might have been due to the V1.0 that I’ve been using.

I don’t think so, just tested using 1.0.0, same result

Watch out for

"

“ != " 

Always use "
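The quote mismatch warned about above can be caught before a role is saved. The following is an added example, not code from the thread or from the OpenSearch project: it lints a DLS query string for typographic quotes and builds a role body with the query stored as a JSON string in `dls`. The field names follow the security plugin's role format; the index pattern `people-*`, the `read` action and the smart-quoted sample are constructed, and the structural check does not validate the query DSL itself.

```python
import json
import unicodedata

# Typographic double quotes that editors, chat clients and forum software
# substitute for the ASCII quote (U+0022) that JSON requires.
SMART_QUOTES = "\u201c\u201d"

def lint_dls(query_text):
    """Return a list of problems in a DLS query string; an empty list means OK."""
    try:
        parsed = json.loads(query_text)
    except json.JSONDecodeError as exc:
        # Name every smart quote if any are present, since they are the usual
        # cause; otherwise fall back to the parser's own message.
        found = [f'col {i + 1}: {unicodedata.name(ch)} where ASCII " is required'
                 for i, ch in enumerate(query_text) if ch in SMART_QUOTES]
        return found or [f"col {exc.colno}: {exc.msg}"]
    # Structural check only: a query is an object holding one query clause.
    if not isinstance(parsed, dict) or len(parsed) != 1:
        return ["top level must be a JSON object with exactly one query clause"]
    return []

def role_body(index_patterns, query_text, allowed_actions):
    """Build a role definition whose `dls` field is the query as a JSON string."""
    problems = lint_dls(query_text)
    if problems:
        raise ValueError("; ".join(problems))
    dls = json.dumps(json.loads(query_text), separators=(",", ":"))
    return {"index_permissions": [{"index_patterns": index_patterns,
                                   "dls": dls,
                                   "allowed_actions": allowed_actions}]}

# Query from the thread, and a constructed copy typed with smart quotes.
GOOD = '{"bool": {"must": {"match": {"family_name": "smith"}}}}'
PASTED = '{“bool”: {“must”: {“match”: {“family_name”: “smith”}}}}'

if __name__ == "__main__":
    for p in lint_dls(PASTED):
        print(p)
    # "people-*" and "read" are constructed sample values.
    print(json.dumps(role_body(["people-*"], GOOD, ["read"]), indent=2))
```
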

The issue was a corrupted index during migration. The AWS team was able to restore the index, and then we noticed the DLS query needs updates. I will post the updated query.
Sorry for the late response.

Having the same issue, but this is a fresh installation. We are using OpenSearch 1.3.1 and Dashboards 1.3.1.

We are able to make curl requests directly to the OpenSearch cluster and get the expected results, but when we try to log in through Dashboards as the same user, we get a 500 error in the browser, and the dashboard logs say saved object config [1.3.1] not found.

Could someone please help if you have faced this issue?