-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GraphQL Transformer v1 to v2 migration - @searchable with auth rule for groupsField is not returning results from OpenSearch #3060
Comments
Hi @malcomm 👋 thanks for raising this issue. Can you share the network request, payload, and response from AppSync? I'm curious to see what the headers are and what the response looks like. are you getting an empty array vs null, or are you getting some data but not relational, etc. It's also worth noting that there are some breaking changes for OpenSearch instances when migrating from graphql transformer v1 to v2. You have to reindex the data in OpenSearch again. From the docs:
|
@chrisbonifacio - thanks for the response. Please see log output from AppSync: Response is empty array:
Also of note, when I am logged in with the same user and I run the
I am including the logs for a different user, which has the role of
And just to be sure: during the v1 to v2 upgrade process I initially removed the |
It looks like from the log.txt file the Request headers had an |
@chrisbonifacio yes the project is using Cognito auth. Here are all the resolvers for that query: Query.searchResearchSubjects.auth.1.req.vtl.txt Thank you |
@chrisbonifacio - any updates on this? Thank you |
Hi @malcomm I don't see anything obviously wrong with the way the VTL template was generated. Just out of curiosity, can you share how the groups are defined and spelled on the user's access token? My best guess is there must be some discrepancy between the group on the record and the group on the Cognito access token. It might also help to see what the auth VTL template looks like for the |
@chrisbonifacio - Here are the Query.listResearchSubjects.auth.1.req.vtl.txt The groups from the auth token are exactly how they are in Cognito. |
@chrisbonifacio - any luck looking a those templates? Thank you -- marcus |
Thank you for sharing the other auth template. There are some differences in the way they check for group auth which might be causing some inconsistencies in the way the auth rule is implemented between them.
https://opensearch.org/docs/latest/query-dsl/term/terms-set/ might be related to this old issue regarding the auth resolver for searchable queries: aws-amplify/amplify-cli#5833 To try a potential wokraorund for this issue, can you try changing the seach resolver's logic to this and let me how it goes? -#set( $group0 = {
- "terms_set": {
- "groupsCanAccess": {
- "terms": $groupClaim0,
- "minimum_should_match_script": {
- "source": "1"
- }
- }
- }
+#set( $group0 = {
+ "terms": {
+ "groupsCanAccess": $groupClaim0
+ }
+}) This modification should make the search behavior more consistent with the list operation by using a simpler terms query instead of the more restrictive You already confirmed but anyone else running into this issue should ensure that the group field on the schema contains the exact group names that match the Cognito group names, as the comparison is case-sensitive and must match exactly. |
I'm also going to transfer this issue over to the category-api repo for better support related to OpenSearch, behaviors related to autogenerated resolvers, and migration in general. |
@AnilMaktala - hello! Any ideas what's going on here? Development is blocked on this. |
Hey @malcomm, Have you attempted the workaround suggested in the following link: #3060 (comment)? Additionally, if you are on Discord, kindly share your Discord username. |
@AnilMaktala - I just tried the workaround and either I'm not making the change correctly or the change is not working. |
Hey @malcomm, thanks for sharing resolver-related information and issue context. We'll investigate further and see what's going on with the generated resolvers. Will get to you once we have further discoveries. Thanks again for your patience and followup. |
Hey @malcomm,Apologies for the delay. I was unable to reproduce the issue using the schema provided below. Please let me know your availability for a follow-up call.
|
@AnilMaktala - thanks for getting back to me. I have time today (1/2) or tomorrow; fairly open for times. I will also try to contact you on Discord. |
Hey @malcomm Thank you for your time. This issue is reproducible with groups that have capitalizations in the group name, such as "Acuity200OKSite07." I am marking this as a bug for the team to evaluate further. |
@AnilMaktala - any updates on this? Thank you |
Before opening, please confirm:
JavaScript Framework
Angular
Amplify APIs
GraphQL API
Amplify Version
v5
Amplify Categories
api
Backend
Amplify CLI
Environment information
Describe the bug
I'm in the middle of a GraphQL Transformer v1 to v2 migration and so far things are working pretty well. I ran into an issue with OpenSearch where a user that has access to a model via groupsField:
Is not able to return any results using a search function: searchResearchSubjects. This works just fine for admins and this worked under v1.
When reading the documentation for the upgrade I don't believe it mentions this is no longer supported, but maybe I missed something?
Note: the user is able to return records from
list
andget
which hit DynamoDB.Expected behavior
A user that has access to records via
groupsField
should return records correctly from OpenSearch.Reproduction steps
@searchable
and@auth
rule withgroupsField
Code Snippet
Log output
aws-exports.js
No response
Manual configuration
No response
Additional configuration
No response
Mobile Device
No response
Mobile Operating System
No response
Mobile Browser
No response
Mobile Browser Version
No response
Additional information and screenshots
No response
The text was updated successfully, but these errors were encountered: