API issue

[y0d4a]

Hi,
I’m not sure if this is related to my recent Malcolm upgrade, but I had a script that used to recreate indices and manage snapshots. After a wipe/redeploy, that script now fails with:

{"error":{"root_cause":[{"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=XXX, backend_roles=[capture_service], requestedTenant=null]"}],"type":"security_exception","reason":"no permissions for [indices:admin/create] and User [name=XXX, backend_roles=[capture_service], requestedTenant=null]"},"status":403}[*]

I tried multiple approaches (editing OpenSearch roles mappings, adding certs to the request), but nothing has worked so far.
Did something change in the default roles/permissions, or am I missing a step from my original setup?

Thanks!

[mmguero]

From the capture_service role there, I'm assuming the XXX account used here is the malcolm_internal account used for automation within the platform? Or if not, one created like it.

Either way, I think the issue is here in opensearch-config/config/opensearch-security/roles.yml. When creating the role for this internal account, indices:admin/create wasn't one I included as needed for normal operations, but I can see why for custom scripting it would be useful.

I'll create an issue from this to add that permission to that service account. In the meantime, you've got a couple of options:

• Edit the roles.yml file to add the missing permission and bind mount it into your opensearch service volumes section, like this:

    - type: bind
      bind:
        create_host_path: false
      source: ./opensearch-config/config/opensearch-security/roles.yml
      target: /usr/share/opensearch/config/opensearch-security/roles.yml
      read_only: true

and restart Malcolm. If you're running OpenSearch some other way (external to Malcolm?) or whatever, you'll have to do the equivalent.

• The other option is to edit the roles.yml file to add the missing permissions, then build the opensearch container (./scripts/build.sh opensearch) and then restart Malcolm.

I think/hope that upon starting up it'll pick up that new roles file and modify the role that already exists.

I'm hopeful this should get you going.

[mmguero]

tracking #885

[y0d4a]

you mean like this?

if yes, i am still unable to execute, same error

p.s.: i done with mount and editing roles.yml

[y0d4a]

Hm, adding like this fixed it:

[mmguero]

Thanks for letting me know. I'll be sure that's what ends up in the next release.