security: [BUG] admin permissions checked incorrectly

What is the bug?

The isAdmin check in https://github.com/opensearch-project/security/blob/7219feb8e7cdfea67bd7af7b63ac1902aa6543f7/src/main/java/org/opensearch/security/configuration/AdminDNs.java#L123-L125 always fails, because in https://github.com/opensearch-project/security/blob/7219feb8e7cdfea67bd7af7b63ac1902aa6543f7/src/main/java/org/opensearch/security/configuration/AdminDNs.java#L140 the string passed to new LdapName(...) is incorrect.

This check is called from multiple places, for example from https://github.com/opensearch-project/security/blob/7219feb8e7cdfea67bd7af7b63ac1902aa6543f7/src/main/java/org/opensearch/security/filter/SecurityRestFilter.java#L151-L153

This gives me the error

{
  "error": {
    "reason": "Error occurred in OpenSearch engine: No user found for indices:data/read/search",
    "details": "OpenSearchSecurityException[No user found for indices:data/read/search]\nFor more details, please send request for Json format to see the raw response from OpenSearch engine.",
    "type": "OpenSearchSecurityException"
  },
  "status": 500
}

for the built-in user admin with godlike permissions (all_access). Seen in different IT test setups, for example in https://github.com/opensearch-project/opensearch-net/issues/311.

How can one reproduce the bug?

  1. Run new cluster with security
  2. Run any query/request

What is the expected behavior?

The check should pass. The code should be, I suppose:

    import javax.naming.InvalidNameException;
    import javax.naming.ldap.LdapName;

    // Proposed change: prefix the incoming value with "CN=" so that LdapName parsing
    // succeeds, then delegate to the existing isAdminDN(LdapName) overload.
    public boolean isAdminDN(String dn) {

        if (dn == null) return false;

        try {
            return isAdminDN(new LdapName("CN=" + dn));
        } catch (InvalidNameException e) {
            // Not a parseable DN: fail closed and treat the caller as non-admin.
            return false;
        }
    }

What is your host/environment?

Do you have any screenshots?


Do you have any additional context?

I can submit a PR if you think that updating isAdminDN as I proposed is good enough.
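The mechanism behind the failing check, as an added example that is not code from the opensearch-project/security repository: javax.naming.ldap.LdapName only accepts an RFC 2253 distinguished name, so handing it a bare user name makes the constructor throw InvalidNameException, and a check that swallows that exception quietly answers "not admin". The class name, the configured admin DN and the sample inputs below are constructed for the demonstration; the shape (a set of LdapName values, a String overload delegating to an LdapName overload) mirrors how the issue describes the check, not the project's exact code.

```java
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/**
 * Added example (not from the opensearch-project/security code base): an admin-DN
 * check built on LdapName, and what it does with input that is not a DN.
 */
public class AdminDnCheckDemo {

    // Constructed sample of a configured admin certificate DN (hypothetical value).
    private static final String CONFIGURED_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de";

    // Admin DNs are stored as parsed LdapName objects, not raw strings, so that
    // comparison is structural: LdapName.equals/hashCode normalise attribute type
    // and value case and ignore insignificant whitespace around RDN separators.
    private final Set<LdapName> adminDns = new HashSet<>();

    AdminDnCheckDemo() throws InvalidNameException {
        adminDns.add(new LdapName(CONFIGURED_ADMIN_DN));
    }

    /** LdapName overload: membership test against the configured set. */
    boolean isAdminDN(LdapName dn) {
        return adminDns.contains(dn);
    }

    /**
     * String overload. Returning false on InvalidNameException is the right
     * fail-closed default, but swallowing the exception silently hides a caller
     * that passes a user name where a DN was expected, so report it.
     */
    boolean isAdminDN(String dn) {
        if (dn == null) return false;
        try {
            return isAdminDN(new LdapName(dn));
        } catch (InvalidNameException e) {
            System.err.println("isAdminDN: input is not a DN, treating as non-admin: \""
                    + dn + "\" (" + e.getMessage() + ")");
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        AdminDnCheckDemo check = new AdminDnCheckDemo();

        // The configured DN, exactly as stored.
        System.out.println(check.isAdminDN("CN=kirk,OU=client,O=client,L=test,C=de"));

        // Same DN with different case and spacing: structural comparison still matches.
        System.out.println(check.isAdminDN("cn=Kirk, ou=client, o=client, l=test, c=de"));

        // A bare user name is not a DN: the constructor throws and the check is false,
        // with a diagnostic on stderr instead of a silent denial.
        System.out.println(check.isAdminDN("admin"));

        // A well-formed DN that is not configured is also false, without any diagnostic.
        System.out.println(check.isAdminDN("CN=spock,OU=client,O=client,L=test,C=de"));
    }
}
```

The point for anyone debugging a symptom like the 500 above is the third call: when the value reaching the String overload is a user name rather than the certificate DN, every request is classified as non-admin and nothing in the response says why. Logging the rejected input at the catch site makes that mismatch visible at the first failing request.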

About this issue

  • State: closed
  • Created a year ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

The .NET client is doing approximately:

PUT _cluster/settings
{
  "transient": {
    "cluster": {
      "remote": {
        "cluster_one": {
          "seeds": ["127.0.0.1:9300", "127.0.0.1:9301"]
        },
        "cluster_two": {
          "seeds": ["127.0.0.1:9300"]
        }
      }
    }
  }
}

PUT project
{}

POST cluster_one:project,cluster_two:project/_search
{
  "query": {
    "match_all": {}
  }
}

On 2.8.0: [screenshot]

On 2.9.0: [screenshot]