[BUG] SAML Authentication does not apply local database roles to the user. #1419
Comments
Transferring to the security plugin. If this is an incorrect transfer, please @ me and I'll move it back. Thanks!
Hi @clenkiu, as this issue doesn't seem to be related to any bug or feature request, it might be more helpful to raise a ticket in the OpenSearch forum where we are usually quick to help with similar questions.
@Anthony7774 Hey, can you say a few more words on why you think this isn't a bug? It seems like a gap in expected behavior. Thanks! /C
@clenkiu This is by design; the internal backend role db is only for basic_auth. In case of SAML, the roles need to be provided and extracted from the SAML response.
Closing. @clenkiu please feel free to reopen if you disagree with @Anthony7774's assessment.
Describe the bug
A user authenticated in the OpenSearch Dashboard via SAML authentication doesn't have the backend roles assigned to him in the local database.
If the authentication configuration is changed from SAML to Basic, the roles are handled properly in the Dashboard.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
OpenSearch should match the username received in the SAML element NameID and match the existing roles configured in the local database.
Plugins
[opensearch@ngls-opensearch ~]$ bin/opensearch-plugin list
opensearch-alerting
opensearch-anomaly-detection
opensearch-asynchronous-search
opensearch-index-management
opensearch-job-scheduler
opensearch-knn
opensearch-notebooks
opensearch-performance-analyzer
opensearch-reports-scheduler
opensearch-security
opensearch-sql
Screenshots
From the logs it seems that the code tries to get roles from the SAML response instead of using the local database.
[2021-08-17T20:53:19,075][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-node] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.
[2021-08-17T20:53:19,075][DEBUG][o.o.s.a.BackendRegistry ] [opensearch-node] Rest user 'User [name=*************, backend_roles=[], requestedTenant=null]' is authenticated
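A check built on the two log lines quoted in the issue, added here as an example and not part of the original issue or of the OpenSearch code base: it flags sessions that were authenticated with `backend_roles=[]` and pairs each with the `roles_key` named in the warning that preceded it. The function name, the pairing-by-node heuristic and the last two sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines 1-2 are the log lines quoted in the issue (user name masked as on the
# page); lines 3-4 are constructed for contrast.
SAMPLE_LOG = """\
[2021-08-17T20:53:19,075][WARN ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [opensearch-node] Failed to get roles from JWT claims with roles_key 'roles'. Check if this key is correct and available in the JWT payload.
[2021-08-17T20:53:19,075][DEBUG][o.o.s.a.BackendRegistry ] [opensearch-node] Rest user 'User [name=*************, backend_roles=[], requestedTenant=null]' is authenticated
[2021-08-17T20:54:02,310][DEBUG][o.o.s.a.BackendRegistry ] [opensearch-node] Rest user 'User [name=alice, backend_roles=[admin, readall], requestedTenant=null]' is authenticated
[2021-08-17T20:55:40,118][DEBUG][o.o.s.a.BackendRegistry ] [opensearch-node] Rest user 'User [name=bob, backend_roles=[], requestedTenant=null]' is authenticated
"""

# [timestamp][LEVEL][logger] [node] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s*"
    r"\[(?P<node>[^\]]+)\]\s*(?P<msg>.*)$"
)
ROLES_WARN_RE = re.compile(
    r"Failed to get roles from JWT claims with roles_key '(?P<key>[^']*)'"
)
AUTH_RE = re.compile(
    r"Rest user 'User \[name=(?P<name>[^,]*), backend_roles=\[(?P<roles>[^\]]*)\], "
    r"requestedTenant=(?P<tenant>[^\]]*)\]' is authenticated"
)


@dataclass
class Finding:
    timestamp: str
    node: str
    user: str
    roles_key: Optional[str]  # key named in the preceding warning, if any


def find_roleless_logins(log_text: str) -> List[Finding]:
    """Return authenticated sessions that ended up with backend_roles=[]."""
    pending = {}  # node -> roles_key from the most recent unmatched warning
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        node, msg = m["node"], m["msg"]
        warn = ROLES_WARN_RE.search(msg)
        if warn:
            pending[node] = warn["key"]
            continue
        auth = AUTH_RE.search(msg)
        if not auth:
            continue
        # Assumption: a warning belongs to the next authentication on its node.
        roles_key = pending.pop(node, None)
        roles = [r.strip() for r in auth["roles"].split(",") if r.strip()]
        if not roles:
            findings.append(Finding(m["ts"], node, auth["name"], roles_key))
    return findings


if __name__ == "__main__":
    for f in find_roleless_logins(SAMPLE_LOG):
        cause = (f"roles_key '{f.roles_key}' not found in token"
                 if f.roles_key else "no role-extraction warning seen")
        print(f"{f.timestamp} {f.node} user={f.user} backend_roles=[] ({cause})")
```

A finding with a `roles_key` points at the role attribute not reaching the token, which matches the maintainers' answer that SAML roles have to come from the SAML response; a finding without one is a user who simply has no backend roles.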