[BUG] Unhelpful error message when failing to authenticate with Amazon OpenSearch Service #2655

Closed
dlvenable opened this issue May 8, 2023 · 4 comments · Fixed by #2813
dlvenable commented May 8, 2023

Describe the bug

Data Prepper is showing an error that looks like the following:

[security_exception] authentication/authorization failure

Expected behavior

Data Prepper used to have a clearer error:

[security_exception] no permissions for [indices:admin/get] and User [name=arn:aws:iam::123456789012:role/FullAccess, backend_roles=[arn:aws:iam::123456789012:role/FullAccess], requestedTenant=null]

Additionally, the OpenSearch username or STS role should always be included in the response.

For example:

The role "arn:aws:iam::123456789012:role/FullAccess" was unable to authenticate with the OpenSearch domain. Please check your permissions.

@dlvenable dlvenable changed the title [BUG] OpenSearch sink exception for authorization issue is not helpful [BUG] OpenSearch sink exception for authorization with Amazon OpenSearch Service is not helpful May 8, 2023
@dlvenable dlvenable changed the title [BUG] OpenSearch sink exception for authorization with Amazon OpenSearch Service is not helpful [BUG] Unhelpful error message when failing to authenticate with Amazon OpenSearch Service May 8, 2023
@dlvenable
Member Author

See #2657 for a similar problem with username/password authentication.

@chenqi0805
Collaborator

Opened an issue in opensearch-java: opensearch-project/opensearch-java#473.

@dlvenable
Member Author

@chenqi0805, is it possible to detect that an authentication issue occurred and then log the following message even without opensearch-project/opensearch-java#473?

The role "arn:aws:iam::123456789012:role/FullAccess" was unable to authenticate with the OpenSearch domain. Please check your permissions.

It would be nice to add this additional logging in v2.3.
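
One way the detection asked about in the last comment could work without a change to opensearch-java, as an added example that is not Data Prepper's own code: it matches on the two error texts quoted in this issue and always names an identity. The class name, the `describe` helper, the wording of the authorization message, and the assumption that the sink sees the error as text are all hypothetical.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AuthFailureMessage {
    // Detailed form quoted in the issue:
    // "[security_exception] no permissions for [<action>] and User [name=<identity>, ...]"
    private static final Pattern NO_PERMISSIONS = Pattern.compile(
            "no permissions for \\[([^\\]]+)\\] and User \\[name=([^,\\]]+)");

    /**
     * Hypothetical helper: turns the error text seen by the sink into an operator-facing
     * message that always names an identity. Returns null for non-security failures.
     */
    static String describe(String errorText, String configuredRoleArn) {
        if (errorText == null || !errorText.contains("security_exception")) {
            return null;
        }
        Matcher m = NO_PERMISSIONS.matcher(errorText);
        if (m.find()) {
            // The domain named the caller and the denied action: an authorization failure.
            return String.format("The identity \"%s\" is not permitted to perform [%s] on the "
                    + "OpenSearch domain. Please check your permissions.", m.group(2), m.group(1));
        }
        // Generic form names nobody, so fall back to the identity the sink was configured with.
        String who = (configuredRoleArn == null || configuredRoleArn.isBlank())
                ? "The configured identity"
                : "The role \"" + configuredRoleArn + "\"";
        return who + " was unable to authenticate with the OpenSearch domain. "
                + "Please check your permissions.";
    }

    public static void main(String[] args) {
        String role = "arn:aws:iam::123456789012:role/FullAccess"; // value from the issue text
        String[] samples = {
            "[security_exception] authentication/authorization failure",
            "[security_exception] no permissions for [indices:admin/get] and User [name="
                    + role + ", backend_roles=[" + role + "], requestedTenant=null]",
            "[index_not_found_exception] no such index" // constructed non-security sample
        };
        for (String sample : samples) {
            System.out.println(describe(sample, role));
        }
    }
}
```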
