opensearch-project / security-dashboards-plugin

🔐 Manage your internal users, roles, access control, and audit logs from OpenSearch Dashboards
https://opensearch.org/docs/latest/security-plugin/index/
Apache License 2.0

[BUG] Creating index_pattern via API/Curl for global tenant doesn't work #2038

Open rdvansloten opened 1 month ago

rdvansloten commented 1 month ago

I've been googling around for a solid hour now, including getting into dead issues on this very repo, but nobody has seemingly given a working answer on how to create an index pattern for the global tenant in OpenSearch Dashboards.

What I have working so far:

Admin tenant:

curl 'http://my-opensearch-dashboards:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'osd-xsrf: osd-fetch' \
-u 'user:password' \
-H "securitytenant: admin_tenant" \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp" }}'

Works flawlessly. However, switching admin_tenant to global_tenant or no value produces the same visual output:

{"type":"index-pattern","id":"xyz-xyz-xyz","attributes":{"title":"fluentd-*","timeFieldName":"@timestamp"},"references":[],"migrationVersion":{"index-pattern":"7.6.0"},"updated_at":"2024-07-15T21:55:05.903Z","version":"WzYsMV0=","namespaces":["default"]}

What also works is copying the entire browser request as a CURL. I noticed that when going into the browser local storage, this value:

opendistro::security::tenant::saved

is set to admin_tenant when on the admin_tenant, and to "" (not empty, but two quotes) when on global. However, when passing securitytenant: "" in a header, it defaults to creating it in __user__.

When I dump two almost identical requests from the browser in OS Dashboards to CURL, the only difference is the cookie:

This one creates in admin:

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: localhost:56237' \
-H 'Origin: http://localhost:56237' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15' \
-H 'Referer: http://localhost:56237/app/management/opensearch-dashboards/indexPatterns/create' \
-H 'Content-Length: 17466' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: security_authentication=***8RS0g0' \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp","fields"
REDACTED

This one in global:

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'Accept: */*' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Host: localhost:56237' \
-H 'Origin: http://localhost:56237' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15' \
-H 'Referer: http://localhost:56237/app/management/opensearch-dashboards/indexPatterns/create' \
-H 'Content-Length: 17466' \
-H 'Connection: keep-alive' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Cookie: security_authentication=***TIhBB1M' \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp","fields"
REDACTED

Sadly, this is where my investigation ends; I have no idea how to decrypt a SHA256 cookie generated by OpenSearch.

rdvansloten commented 1 month ago

As I hit enter on this, I decided to try something dumb and I set it to "global":

curl 'http://localhost:56237/api/saved_objects/index-pattern' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'osd-xsrf: osd-fetch' \
-u 'user:password' \
-H 'securitytenant: global' \
--data-binary '{"attributes":{"title":"fluentd-*","timeFieldName":"@timestamp" }}'

And it works. But this is poorly documented. Perhaps this can be fixed.
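
A guarded wrapper around the request shown above, written as an added example; it is not part of the thread or of the plugin's code. `OSD_URL`, `OSD_NETRC` and the two function names are assumptions, and the tenant behaviour encoded in the comments is only what this thread reports.

```shell
#!/bin/sh
# Added example (not from the thread). OSD_URL, OSD_NETRC and both function
# names are assumptions made for illustration.

# Print the value to send in the securitytenant header, or fail.
# Behaviour as reported in this thread:
#   global        -> global tenant
#   admin_tenant  -> that custom tenant
#   "" or omitted -> object created in __user__, so it is refused here
#   global_tenant -> reported as not working for the global tenant
tenant_header_value() {
  thv_cr=$(printf '\r')
  thv_nl='
'
  case "${1-}" in
    "")
      echo "empty tenant refused: the thread reports it creates in __user__" >&2
      return 1 ;;
    global_tenant)
      echo "use 'global' for the global tenant" >&2
      return 1 ;;
    *"$thv_cr"*|*"$thv_nl"*)
      # Added hardening: a CR or LF would inject extra request headers.
      echo "tenant contains a line break" >&2
      return 1 ;;
    *)
      printf '%s' "$1" ;;
  esac
}

# create_index_pattern TENANT TITLE [TIME_FIELD]
create_index_pattern() {
  cip_tenant=$(tenant_header_value "${1-}") || return 1
  cip_time=${3:-@timestamp}
  for cip_v in "${2-}" "$cip_time"; do
    case "$cip_v" in
      ""|*[\"\\]*)
        echo "title and time field must be non-empty, without quotes or backslashes" >&2
        return 1 ;;
    esac
  done
  # --netrc-file keeps the credentials out of the process list, unlike -u.
  curl --fail --silent --show-error --netrc-file "$OSD_NETRC" \
    -X POST "$OSD_URL/api/saved_objects/index-pattern" \
    -H 'Content-Type: application/json' \
    -H 'osd-xsrf: osd-fetch' \
    -H "securitytenant: $cip_tenant" \
    --data-binary "{\"attributes\":{\"title\":\"$2\",\"timeFieldName\":\"$cip_time\"}}"
}
```

Source the file, then call `create_index_pattern global 'fluentd-*'`; the tenant is validated before any request is sent, so a blank or mistyped value fails loudly instead of landing the object in another tenant.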

kavilla commented 1 month ago

@rdvansloten,

Thank you for opening. Glad you were able to find that out. Will redirect to the security repo for follow-ups on docs.

@opensearch-project/admin, could you please redirect this to the security repo? It seems like a documentation gap, but the security team can provide more feedback if needed.

stephen-crawford commented 1 month ago

[Triage] Hi @rdvansloten, thanks for filing this issue. It looks like this is a documentation problem, so could someone from @opensearch-project/triage please transfer this over? Thank you.