Validate api_type matches path in ClusterMetricsInput #912

Merged
AWSHurneyt merged 1 commit into opensearch-project:main from manaswini1920:fix/validate-api-type-cluster-metrics
Mar 11, 2026
manaswini1920 (Contributor) commented Mar 10, 2026

Description

When creating a cluster metrics monitor, the api_type field was never parsed in ClusterMetricsInput.parseInner() — the user-provided value is ignored entirely. The clusterMetricType is always derived from the path via findApiType(constructedUri.path) in the init block. This allowed creating monitors with mismatched api_type and path fields (e.g., user sends api_type: CLUSTER_STATS with path: /_cat/indices, but CAT_INDICES is derived from the path). These malformed monitors could not be deleted via the DeleteMonitor API, failing with "The provided URL and URI fields form different URLs."

Added validation in parseInner to parse the api_type field and reject requests where the provided api_type does not match the type derived from the path.

Testing

Before fix — monitor created successfully. User-provided api_type is ignored, type is derived from path instead:
```json
POST plugins/alerting/monitors
// api_type: CLUSTER_STATS, path: /_cat/indices/*?format=json&bytes=b

Response: 200 OK — api_type stored as CAT_INDICES (derived from path, user input ignored)

// Attempting to delete fails:
DELETE plugins/alerting/monitors/<monitor_id>
{ "error": { "reason": "The provided URL and URI fields form different URLs." }, "status": 400 }
```

After fix — monitor creation rejected with clear error:
```json
POST plugins/alerting/monitors
// Same request

Response: 400 Bad Request
{ "error": { "reason": "The provided api_type [CLUSTER_STATS] does not match the path [/_cat/indices/*?format=json&bytes=b]." }, "status": 400 }
```

Related Issues

Resolves opensearch-project/alerting#1987

Check List

  • [x] New functionality includes testing.
  • [ ] New functionality has been documented.
  • [ ] API changes companion pull request created.
  • [x] Commits are signed per the DCO using --signoff.
  • [ ] Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

When creating a cluster metrics monitor, the api_type field was silently
ignored during deserialization. This allowed creating monitors with
mismatched api_type and path fields, which then could not be deleted
via the DeleteMonitor API.

Added validation in parseInner to reject requests where the provided
api_type does not match the API derived from the path.

Signed-off-by: Manaswini Ragamouni <ragamanu@amazon.com>

Resolves opensearch-project/alerting#1987

Signed-off-by: Manaswini Ragamouni <ragamanu@amazon.com>
toepkerd (Collaborator) commented Mar 10, 2026

Code change looks good to me. In your failure case example above, user passes in api_type=CLUSTER_STATS, then it is silently changed to api_type=CAT_INDICES. Do we know where that silent change happens? Appears at first glance to be a fallback to some default value.

manaswini1920 (Contributor, Author) commented

> Code change looks good to me. In your failure case example above, user passes in api_type=CLUSTER_STATS, then it is silently changed to api_type=CAT_INDICES. Do we know where that silent change happens? Appears at first glance to be a fallback to some default value.

Good catch on the wording — there's no silent change or fallback happening. The api_type field was never parsed in parseInner(), so the user-provided value is ignored entirely. The clusterMetricType is always derived from the path via findApiType(constructedUri.path) in the init block (line 72). So when the monitor is serialized back via toXContent, it writes the derived type (CAT_INDICES) rather than what the user sent (CLUSTER_STATS). I'll update the PR description to clarify this.
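
The behaviour discussed in this thread, as an added Kotlin sketch that is not the alerting plugin's code: the type is always derived from the path, and the `validateApiType` flag switches between ignoring a supplied `api_type` and rejecting a mismatch. The prefix table, the `Map` standing in for the request parser, `parseClusterMetricsInput`, `validateApiType`, and accepting an absent `api_type` are assumptions of this sketch.

```kotlin
// Added illustration: a simplified stand-in, not the alerting plugin's code.
// The prefix table, the Map-based request body and parseClusterMetricsInput
// are assumptions made for this sketch.
enum class ClusterMetricType(val prefix: String) {
    CAT_INDICES("/_cat/indices"),
    CLUSTER_STATS("/_cluster/stats");

    companion object {
        fun findApiType(path: String): ClusterMetricType? =
            values().firstOrNull { path.startsWith(it.prefix) }
    }
}

class ClusterMetricsInput(val path: String) {
    // Always derived from the path, never taken from the request body.
    val clusterMetricType: ClusterMetricType =
        requireNotNull(ClusterMetricType.findApiType(path)) { "Unsupported path [$path]." }
}

fun parseClusterMetricsInput(fields: Map<String, String>, validateApiType: Boolean): ClusterMetricsInput {
    val path = requireNotNull(fields["path"]) { "path is required." }
    val input = ClusterMetricsInput(path)
    val provided = fields["api_type"]
    // Assumption: an absent api_type is accepted and the derived type is used.
    if (validateApiType && provided != null) {
        val providedType = ClusterMetricType.values().firstOrNull { it.name == provided }
        require(providedType == input.clusterMetricType) {
            "The provided api_type [$provided] does not match the path [$path]."
        }
    }
    return input
}

fun main() {
    // Constructed request body mirroring the example in the PR description.
    val body = mapOf("api_type" to "CLUSTER_STATS", "path" to "/_cat/indices/*?format=json&bytes=b")

    // Before: api_type is never read, so the stored type differs from what was sent.
    val stored = parseClusterMetricsInput(body, validateApiType = false)
    println("before: accepted, stored api_type=${stored.clusterMetricType}")

    // After: the mismatch is rejected at creation time.
    try {
        parseClusterMetricsInput(body, validateApiType = true)
    } catch (e: IllegalArgumentException) {
        println("after: rejected: ${e.message}")
    }
}
```

An `api_type` string that names no known type is rejected by the same comparison, since it can never equal the type derived from the path.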

@AWSHurneyt AWSHurneyt merged commit 5103490 into opensearch-project:main Mar 11, 2026
9 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 11, 2026
Signed-off-by: Manaswini Ragamouni <ragamanu@amazon.com>
Co-authored-by: Manaswini Ragamouni <ragamanu@amazon.com>
(cherry picked from commit 5103490)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
AWSHurneyt pushed a commit that referenced this pull request Mar 12, 2026
(cherry picked from commit 5103490)

Signed-off-by: Manaswini Ragamouni <ragamanu@amazon.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Manaswini Ragamouni <ragamanu@amazon.com>
Development

Successfully merging this pull request may close these issues.

[BUG] Cluster metrics monitor - can create malformed monitor
