-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG]Can't add permission for Notification. Permissions [cluster:admin/opensearch/notifications/*] don't exist #541
Comments
Hello, Team! Is there any update on this issue? This bug is very critical for us, since we can't provide appropriate permission for end customers of our OpenSearch cluster. |
Hi @qmonitoring, It looks like these options are populated in part by the CLUSTER_PERMISSIONS constant in the Security OpenSearch Dashboards plugin where the Notifications cluster permissions are missing. We'll need to add them there so they can be selected when creating a Role. |
@qreshi, thank you for your reply! This is most likely the reason. |
Hello @qreshi , I am experiencing an issue that pertains to this bug and would like to ask if has been prioritized. |
Hello @qreshi. We are also running into the exact same situation. Any idea if this will get addressed in the near future? |
Hey @glewis-vectra and @LucDesaulniers. It appears the change still hasn't been done on the Security Dashboards side. I can't say for sure if this will be backported (since that is up to the Security team) but I'll tag this issue for 2.5 to ensure it is prioritized to be part of the next upcoming release. |
Thank you @qreshi. At least now we know it will get looked at. |
The change has been merged in and should be available in 2.5. |
@qreshi I just installed 2.5 and still getting the message "Notifications plugin is not installed" when a non-admin user is tryin to update a monitor within the action section. Please see attached. The permissions have been updated accordingly using the latest addition but no improvement. Am I missing something? |
Same here. Took a look at the 2.5 release notes and it seems that the fix was not included in this release. Unless I'm wrong of course. |
@guillaumeldc Just to clarify, you're not seeing this "Notifications plugin is not installed" banner as an admin user? |
@LucDesaulniers The discrepancy that was originally called out in this issue was missing cluster permissions in the dropdown on the OpenSearch Dashboards side. That fix was included in 2.5 of Security Dashboards. That |
@qreshi no I'm not seeing the banner as an admin user. I've investigated a bit the issue and found out that the following two permissions must also be added to the user's permissions:
the error we were getting was stating: There was a problem getting plugins list with resp "[security_exception] no permissions for [cluster:monitor/state] and User [name=test_user, backend_roles=[managers], requestedTenant=my_tenant]" this might not a notifications plugin bug in the end and more related to the alerting plugin? Definitely a separate issue. |
@guillaumeldc Thanks for looking into it. Yeah, this makes sense since that permission seems to be required to make the "list plugins API call" that's being used to determine whether Notifications is installed. It seems the alerting_full_access role grants all Would you mind creating an issue for this in the https://github.com/opensearch-project/alerting-dashboards-plugin repo? We can continue discussions there and possibly loop in folks from the Security plugin to understand the correct flow for Alerting Dashboards, possibly by making this an elevated call in the background outside of the user context, since it's a validation being done by the plugin. |
@qreshi will do! thanks for your help. |
Thanks @qreshi. Will go ahead with 2.5 then! |
What is the bug?
It is impossible to add any cluster:admin/opensearch/notifications permission, thought it's a necessary condition for users to have access to the Channels
How can one reproduce the bug?
Steps to reproduce the behavior:
"error": "Forbidden", "message": "[security_exception] no permissions for [cluster:admin/opensearch/notifications/features] and User [name=...
"error": "Forbidden", "message": "[security_exception] no permissions for [cluster:admin/opensearch/notifications/configs/get] and User [name=...
What is the expected behavior?
Worked procedure for permission providing.
What is your host/environment?
opensearch-alerting 2.1.0.0
opensearch-notifications 2.1.0.0
opensearch-security 2.1.0.0
Additional info
OpenSearch security config
Authentication and authorization: LDAP enabled
The text was updated successfully, but these errors were encountered: