
[BUG] - Stale 'cluster:admin/opendistro/reports*' permissions in schema. How to upgrade? #1553

Closed
@camAtGitHub

Description

Describe the bug
Having started in OpenSearch v1.0.0 and upgraded to every point and major release in between (currently on 1.2.3), the permissions still contain v1.0 permissions.
In particular I'm having issues with non-admin users accessing CSV export functionality.
I suspect the issue to be caused by 'stale/old/v.1.0.0' permissions.

Example of my current reporting groups:

# reports_read_access:
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_instances_read_access
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_full_access
cluster:admin/opendistro/reports/definition/update
cluster:admin/opendistro/reports/definition/on_demand
cluster:admin/opendistro/reports/definition/delete
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

I have found a number of issues (opensearch-project/reporting#214, opensearch-project/reporting#187, opensearch-project/reporting#187) that talk about renaming the permissions (paths?), but was any functionality to rename existing permissions provided to users so they can upgrade their security schema in-place?

QUESTION: How do I go about fixing the in-place v.1.0.0 security schema now running on OS v.1.2.3?

To Reproduce
Steps to reproduce the behavior:

  1. install opensearch v.1.0.0
  2. configure an in-depth RBAC permission scheme for indexes etc
  3. Upgrade to 1.2.3 via all versions in between.
  4. Try to get a non-admin user to export a CSV file

Expected behavior
non-admin user can export a CSV file

Plugins
OpenSearch v.1.2.3 - Docker image

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):
OpenSearch v.1.2.3 - Docker image

Additional context
Trying to export a CSV for non-user via reporting dashboard generates the following logs:

[2022-01-04T10:40:21,824][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,826][INFO ][o.o.r.i.ReportInstancesIndex] [charlie-act-dksn-elh1] reports:getAllReportInstances from:0, maxItems:10000, retCount:1, totalCount:1
[2022-01-04T10:40:21,828][INFO ][o.o.r.a.ReportDefinitionActions] [charlie-act-dksn-elh1] reports:ReportDefinition-getAll fromIndex:0 maxItems:10000
[2022-01-04T10:40:21,829][INFO ][o.o.r.i.ReportDefinitionsIndex] [charlie-act-dksn-elh1] reports:getAllReportDefinitions from:0, maxItems:10000, retCount:0, totalCount:0
[2022-01-04T10:40:25,508][INFO ][o.o.r.a.ReportInstanceActions] [charlie-act-dksn-elh1] reports:ReportInstance-info y0CmJH4BSPf3xfYmupx9
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No index-level perm match for User [name=campbelltest, backend_roles=[os_reports_instances_read_access], requestedTenant=__user__] Resolved [aliases=[radius], allIndices=[.ds-radius-2022-000001, radius-2020-04, radius-2020-02, radius-2021-02, .ds-radius-2021-10-000001, radius-2021-05, radius-2020-05, radius-2021-07, radius-2020-07, radius-2021-08, radius-2020-11, radius-2020-03, radius-2020-09, radius-2021-06, radius-2021-01, radius-2020-12, .ds-radius-2021-000001, radius-2020-08, .ds-radius-import-2021-000001, radius-2020-10, radius-2020-01, radius-2021-04, radius-2021-03, radius-2020-06], types=[*], originalRequested=[radius], remoteIndices=[]] [Action [indices:monitor/settings/get]] [RolesChecked [acme_ldap_elastic_netsupp, os_reports_instances_read_access, reports_full_access, kibana_user, reports_read_access, reports_instances_read_access]]
[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] [charlie-act-dksn-elh1] No permissions for [indices:monitor/settings/get]

These are the current permission groups:

# reports_read_access:
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_instances_read_access
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# reports_full_access
cluster:admin/opendistro/reports/definition/update
cluster:admin/opendistro/reports/definition/on_demand
cluster:admin/opendistro/reports/definition/delete
cluster:admin/opendistro/reports/definition/get
cluster:admin/opendistro/reports/definition/list
cluster:admin/opendistro/reports/instance/list
cluster:admin/opendistro/reports/instance/get
cluster:admin/opendistro/reports/menu/download

# ag_reports_instances_read_access:
cluster:admin/opensearch/reports/instance/list
cluster:admin/opensearch/reports/instance/get
cluster:admin/opensearch/reports/menu/download
indices:monitor/settings/get

QUESTION: How do I go about fixing the in-place v.1.0.0 security schema now running on OS v.1.2.3?
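
A triage helper for the denial shown in the logs above, as an added example that is not part of the original issue or of the OpenSearch project: it parses a PrivilegesEvaluator denial line, then checks the permission groups listed in the post for the denied action and for entries under the `cluster:admin/opendistro/reports/` prefix. The sample line is the issue's log line with the index list shortened, only two of the four groups are transcribed, and matching is exact-string only (an assumption of this sketch; wildcard patterns are not evaluated).

```python
import re

# Constructed sample: the denial line from the issue, index list shortened.
SAMPLE_LOG = (
    "[2022-01-04T10:40:25,543][INFO ][o.o.s.p.PrivilegesEvaluator] "
    "[charlie-act-dksn-elh1] No index-level perm match for User "
    "[name=campbelltest, backend_roles=[os_reports_instances_read_access], "
    "requestedTenant=__user__] Resolved [aliases=[radius], "
    "allIndices=[radius-2020-04], types=[*], originalRequested=[radius], "
    "remoteIndices=[]] [Action [indices:monitor/settings/get]] "
    "[RolesChecked [kibana_user, reports_read_access, "
    "reports_instances_read_access]]"
)

# Two of the permission groups as listed in the issue.
GROUPS = {
    "reports_instances_read_access": [
        "cluster:admin/opendistro/reports/instance/list",
        "cluster:admin/opendistro/reports/instance/get",
        "cluster:admin/opendistro/reports/menu/download",
    ],
    "ag_reports_instances_read_access": [
        "cluster:admin/opensearch/reports/instance/list",
        "cluster:admin/opensearch/reports/instance/get",
        "cluster:admin/opensearch/reports/menu/download",
        "indices:monitor/settings/get",
    ],
}
LEGACY_PREFIX = "cluster:admin/opendistro/reports/"
DENIAL_RE = re.compile(
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+),.*?"
    r"\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<roles>[^\]]*)\]\]"
)

def parse_denial(line):
    """Return user, denied action and roles checked, or None if no match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    roles = [r.strip() for r in m["roles"].split(",") if r.strip()]
    return {"user": m["user"], "action": m["action"], "roles": roles}

def triage(line, groups):
    """Add which groups list the denied action and which hold legacy entries."""
    d = parse_denial(line)
    if d is None:
        return None
    d["granting"] = sorted(g for g, p in groups.items() if d["action"] in p)
    legacy = {g: [x for x in p if x.startswith(LEGACY_PREFIX)] for g, p in groups.items()}
    d["legacy"] = {g: v for g, v in legacy.items() if v}
    return d
```

Comparing `granting` with `roles` shows whether any role the evaluator checked could have carried the denied action; `legacy` lists the entries to review against the permission names the installed reporting plugin expects.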


    Labels

    bug (Something isn't working), triaged (Issues labeled as 'Triaged' have been reviewed and are deemed actionable.)
