Open clibup opened 1 month ago
@PhilippReinke Would it be possible for you to look into the query above regarding tenant permission?
An earlier issue on tenant permissions: https://github.com/opensearch-project/terraform-provider-opensearch/issues/38. @clibup could you please share the Terraform code, the Python scripts calling the APIs and the steps to follow, so we can reproduce the issue?
My Terraform code:

```hcl
resource "opensearch_role" "appgroups_roles_write" {
  role_name           = "pm_name_write"
  cluster_permissions = ["example_permission"]
  index_permissions {
    index_patterns  = ["example_index-*"]
    allowed_actions = ["read"]
  }
}

resource "opensearch_roles_mapping" "appgroups_mapper_write" {
  role_name     = "pm_name_write"
  # backend_roles is a list of strings
  backend_roles = ["pm_example_write"]
}
```
and the JSON which is uploaded with REST (from the Python script):

```python
_upload = {
    "cluster_permissions": ["example_permission"],
    "index_permissions": [{
        # index_patterns is an array in the roles API
        "index_patterns": ["example_index-*"],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
            "read"
        ]
    }],
    # an entry that grants nothing: no tenant patterns, no actions
    "tenant_permissions": [{
        "tenant_patterns": [],
        "allowed_actions": []
    }],
}
```
Creating the role using the API call:

```json
PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": [{
    "tenant_patterns": [],
    "allowed_actions": []
  }]
}
```

`GET _plugins/_security/api/roles/movies_role` gives:

```json
{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [
      {
        "tenant_patterns": [],
        "allowed_actions": []
      }
    ],
    "static": false
  }
}
```
Creating it using Terraform code:

```hcl
terraform {
  required_providers {
    opensearch = {
      source  = "opensearch-project/opensearch"
      version = "2.2.1"
    }
  }
}

provider "opensearch" {
  url                  = "https://localhost:9200"
  username             = "admin"
  password             = "myStrongPassword123@456"
  healthcheck          = "false"
  insecure             = "true"
  version_ping_timeout = "10"
}

resource "opensearch_role" "movies_role" {
  role_name           = "movies_role"
  description         = "Logs writer role"
  cluster_permissions = ["*"]
  index_permissions {
    index_patterns  = ["movies*"]
    allowed_actions = ["read"]
  }
}

resource "opensearch_roles_mapping" "mapper" {
  role_name   = "movies_role"
  description = "Mapping AWS IAM roles to ES role"
  backend_roles = [
    "arn:aws:iam::123456789012:role/lambda-call-opensearch",
    "arn:aws:iam::123456789012:role/run-containers",
  ]
  depends_on = [opensearch_role.movies_role]
}
```

`GET _plugins/_security/api/roles/movies_role` gives:

```json
{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
```
Creating the role using the API call:

```json
PUT _plugins/_security/api/roles/movies_role
{
  "cluster_permissions": ["*"],
  "index_permissions": [{
    "index_patterns": [
      "movies*"
    ],
    "dls": "",
    "fls": [],
    "masked_fields": [],
    "allowed_actions": [
      "read"
    ]
  }],
  "tenant_permissions": []
}
```

Now `GET _plugins/_security/api/roles/movies_role` gives:

```json
{
  "movies_role": {
    "reserved": false,
    "hidden": false,
    "description": "Logs writer role",
    "cluster_permissions": [
      "*"
    ],
    "index_permissions": [
      {
        "index_patterns": [
          "movies*"
        ],
        "dls": "",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
          "read"
        ]
      }
    ],
    "tenant_permissions": [],
    "static": false
  }
}
```

With this API call, I don't see the error.
OK, thanks for the info. Maybe the reason is that we have about 300 roles, but the only difference I see is the tenant_permissions settings, and I don't have `depends_on = [opensearch_role.xxxxxxx]` in my Terraform code. I use Terraform v1.1.5 because we have to use etcdv3 as a backend.
```text
Stack trace from the terraform-provider-opensearch_v2.2.1 plugin:

panic: set item just set doesn't exist

goroutine 452 [running]:
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).setSet(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00}, 0xc0001c9b80)
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:327 +0x992
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).set(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:107 +0x14c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*MapFieldWriter).WriteField(0xc000bb2bb8, {0xc000bb1490, 0x1, 0x1}, {0xe894e0, 0xc000bb2c00})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/field_writer_map.go:89 +0x3f9
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*ResourceData).Set(0xc0002ecf00, {0x103b47a, 0x12}, {0xe894e0, 0xc000bb2c00})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource_data.go:227 +0x210
github.com/opensearch-project/terraform-provider-opensearch/provider.resourceOpensearchOpenDistroRoleRead(0xc0002ecf00, {0xe74a80, 0xc0001542c0})
	github.com/opensearch-project/terraform-provider-opensearch/provider/resource_opensearch_role.go:156 +0x4cd
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0x139bfa8?, {0x139bfa8?, 0xc0002c6210?}, 0xd?, {0xe74a80?, 0xc0001542c0?})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:347 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc000225880, {0x139bfa8, 0xc0002c6210}, 0xc0006e76c0, {0xe74a80, 0xc0001542c0})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/resource.go:650 +0x47b
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc000118348, {0x139bf00?, 0xc00069ddc0?}, 0xc00069de40)
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.12.0/helper/schema/grpc_provider.go:613 +0x45f
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0000cf400, {0x139bfa8?, 0xc0009177d0?}, 0xc0001f61e0)
	github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/tf5server/server.go:746 +0x438
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xfd4ca0?, 0xc0000cf400}, {0x139bfa8, 0xc0009177d0}, 0xc0001f6180, 0x0)
	github.com/hashicorp/terraform-plugin-go@v0.8.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0xc0001daab0, 0x1a830b0, 0x0)
	google.golang.org/grpc@v1.45.0/server.go:1282 +0xccf
google.golang.org/grpc.(*Server).handleStream(0xc0001fca80, {0x139ecc8, 0xc000288d00}, 0xc000c7db00, 0x0)
	google.golang.org/grpc@v1.45.0/server.go:1619 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.45.0/server.go:921 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.45.0/server.go:919 +0x28a

Error: The terraform-provider-opensearch_v2.2.1 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
```
How can one reproduce the bug?
We've used Python to create roles in OpenSearch; some roles don't have tenant permissions, and then we've uploaded tenant permissions in this way:
When I created a new role with the OpenSearch Terraform provider without any tenant_permissions settings, I can see the tenant_permissions set by the plugin just like:
The problem occurs when I want to use Terraform to create a role that was previously created using the API and Python scripts. Additionally, when such a problem occurs, I have to delete terraform.tfstate and re-import all the resources before I can do anything with Terraform.
What is your host/environment?
Ubuntu 22.04, OpenSearch 2.14
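As an added example (not the reporter's or the provider's code), the script below audits a `GET _plugins/_security/api/roles` response for the tenant_permissions entry with empty `tenant_patterns` and `allowed_actions` that the thread identifies as the only difference between API-created and provider-created roles, and builds a normalized PUT body with `tenant_permissions: []` for each affected non-reserved role. It assumes that rewriting such roles once via the API before importing them into Terraform is the remediation to try; the thread does not confirm that, and the sample response is constructed.

```python
import json
from typing import Any, Dict, List

# Constructed sample of a GET _plugins/_security/api/roles response: one role
# carries the empty tenant_permissions entry seen in the thread, one does not.
SAMPLE_ROLES_RESPONSE = json.dumps({
    "pm_name_write": {
        "reserved": False, "hidden": False, "static": False,
        "cluster_permissions": ["example_permission"],
        "index_permissions": [{"index_patterns": ["example_index-*"], "dls": "",
                               "fls": [], "masked_fields": [], "allowed_actions": ["read"]}],
        "tenant_permissions": [{"tenant_patterns": [], "allowed_actions": []}],
    },
    "movies_role": {
        "reserved": False, "hidden": False, "static": False,
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["movies*"], "dls": "",
                               "fls": [], "masked_fields": [], "allowed_actions": ["read"]}],
        "tenant_permissions": [],
    },
})

# Attributes the GET response reports but a PUT body must not contain.
READ_ONLY_KEYS = {"reserved", "hidden", "static"}

def is_empty_tenant_entry(entry: Dict[str, Any]) -> bool:
    """An entry with neither tenant patterns nor actions grants nothing."""
    return not entry.get("tenant_patterns") and not entry.get("allowed_actions")

def find_degenerate_roles(roles_json: str) -> List[str]:
    """Names of non-reserved roles that carry at least one empty tenant entry."""
    roles = json.loads(roles_json)
    return sorted(
        name for name, role in roles.items()
        if not role.get("reserved")
        and any(is_empty_tenant_entry(e) for e in role.get("tenant_permissions", []))
    )

def normalized_put_body(role: Dict[str, Any]) -> Dict[str, Any]:
    """Body for PUT _plugins/_security/api/roles/<name>: drop read-only attributes
    and the empty tenant entries, leaving tenant_permissions as [] like the provider."""
    body = {k: v for k, v in role.items() if k not in READ_ONLY_KEYS}
    body["tenant_permissions"] = [e for e in role.get("tenant_permissions", [])
                                  if not is_empty_tenant_entry(e)]
    return body

def normalized_put_bodies(roles_json: str) -> Dict[str, Dict[str, Any]]:
    """PUT bodies for every degenerate role, keyed by role name."""
    roles = json.loads(roles_json)
    return {n: normalized_put_body(roles[n]) for n in find_degenerate_roles(roles_json)}
```

Reserved roles are skipped because the security plugin rejects writes to them; review the generated bodies before sending them, since the PUT replaces the whole role definition.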