fix: added OpenSearch security calls under feature flag#1296
Merged
edwinjosechittilappilly merged 21 commits intorelease-saas-0.1from Apr 8, 2026
Merged
fix: added OpenSearch security calls under feature flag#1296edwinjosechittilappilly merged 21 commits intorelease-saas-0.1from
edwinjosechittilappilly merged 21 commits intorelease-saas-0.1from
Conversation
github-actions
bot
added
backend
lucaseduoli
changed the title
github-actions
bot
added
bug
github-actions
bot
added
bug
lucaseduoli
force-pushed
the
fix/opensearch_calls
branch
from
eac55b2 to
6998235
Compare
github-actions
bot
added
bug
Collaborator
edwinjosechittilappilly
left a comment
edwinjosechittilappilly
left a comment
There was a problem hiding this comment.
Crititcal issues with Docker image
github-actions
bot
added
bug
Collaborator
|
@lucaseduoli 2 critical updates:
|
Collaborator
|
example: in roles.yml and downstream api calls that uses this. |
github-actions
bot
added
docker
bug
Grant additional index and cluster permissions for openrag_user_role in both securityconfig and cloud_securityconfig: add indices:admin/refresh and indices:data/write/delete|update/byquery, introduce an api_keys (api_keys*) entry with CRUD and mappings permissions constrained by a DLS on user_id, and allow CRUD on .opendistro-alerting-config. Also add cluster:monitor/* to securityconfig and update .gitignore to ignore /opensearch-data2.
github-actions
bot
added
bug
When building role index_permissions, only append the dynamic current index (and its wildcard) to entries that include a DLS filter. Previously the index name was added to any permission with index_patterns, which could cause OpenSearch to prefer a no-DLS entry (e.g. alerting config) and bypass filtering. The change adds an explicit check for "dls" on the permission, preserves knowledge_filters, avoids duplicates, and sorts the resulting patterns.
github-actions
bot
added
bug
github-actions
bot
added
bug
Add orag-* to openrag_user_role index patterns. Refactor setup_opensearch_security to stop injecting the current index into role DLS entries and instead fetch and merge existing all_access role mappings. The code now preserves existing users, hosts, and backend_roles (excluding the all_access backend role), and appends both the plain admin username and its ibmlhapikey_ variant when IBM auth is enabled, ensuring multi-tenant deployments don't lose prior admins. Also remove the unused get_index_name import and improve logging when no existing mapping is found.
github-actions
bot
added
bug
github-actions
bot
added
bug
Avoid AttributeError when OPENSEARCH_JWT_TOKEN is not set. Add a truthiness check so startswith is only called if token is not None/empty. Existing fallback to jwt.encode remains unchanged.
…/openrag into fix/opensearch_calls
github-actions
bot
added
bug
Include `orag*` in index_patterns for openrag_user_role so indices without the hyphen (e.g. `orag123`) are matched in addition to `orag-*`. Note: the added pattern is unquoted in the file; consider quoting it ("orag*") to avoid potential YAML parsing issues.
github-actions
bot
added
bug
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces a new set of OpenSearch security configurations specifically for cloud deployments, improves the application of Document-Level Security (DLS), and adds a comprehensive test script for validating ACL enforcement. It also updates Dockerfiles to include the new security configuration files and makes minor improvements to the OpenSearch index initialization process.
Cloud Security Configuration:
Adds a new
cloud_securityconfig/directory with OpenSearch security configuration files for cloud environments, includingroles.yml,roles_mapping.yml,config.yml,internal_users.yml, and others. These files define custom roles (such asopenrag_user_role), role mappings, authentication domains (OIDC and internal), and DLS rules for fine-grained access control. [1] [2] [3] [4] [5] [6] [7]Updates the main
securityconfig/roles.ymlto include additional permissions and index patterns, ensuring parity with cloud settings and better DLS support. [1] [2]Dockerfile and Build Updates:
DockerfileandDockerfile.backendto copy the newcloud_securityconfig/directory into the build context and runtime images, and ensures correct file ownership for both standard and cloud security configs. [1] [2] [3]Testing and Validation:
scripts/test.shthat performs end-to-end validation of OpenSearch ACLs and DLS. The script checks cluster health, verifies user roles, inspects index mappings, and tests document visibility for different users, both with and without application-level ACL filters.Backend Improvements:
src/api/settings.pyto use the correct function and pass the admin username when IBM authentication is enabled, improving clarity and correctness during onboarding. [1] [2]