[BUG] opensearch login not working with more than 15 roles assign to user

[Rajat0312]

Hey,
Currently i am using OpenSearch 1.3.X version and in this version i am facing Too large Cookie issue opensearch-project/security#374 this issue is solved in 2.7 version but i need some workaround for 1.3.X version to solve this issue. When i am using user with around 10-12 roles it works but when i increate roles up to 15 then not able to login to OpenSearch-dashboard.
and can anyone tell me about how this works like where JWT token is created either in OpenSearch or in OpenSearch-dashboard and from where cookies sets.

[dblock]

I can't figure out what the fix for this actually was .. moving this into the security repo, hopefully someone can track it down?

[dblock]

I can't figure out what the fix for this actually was .. moving this into the security repo, hopefully someone can track it down?

[davidlago]

It seems like we did not backport #1352 to the 1.x line, as technically it was not classified as a bug fix but an enhancement. Backporting that PR should take care of it.

@dblock can you please move this to the security-dashboards-plugin repo?

[davidlago]

@dblock never mind, I had permissions to do the transfer myself.

[cwperks]

@davidlago There is one known regression in cookie splitting that's currently being fixed: #1522

This should also be backported to 1.3 when its fixed.

[stephen-crawford]

[Triage] Hi @Rajat0312, thank you for filing this issue. The best guess is that this issue is a result of the cookie size limit. In general, it is advisable to condense roles when possible.

By backporting the cookie splitting change after backporting #1522, this should be resolved.

[davidlago]

@jochen-kressin please keep this one on your radar, as soon as #1552 is fixed and backported to 1.x, please make sure this one makes it to 1.x too. Thanks!

[jochen-kressin]

@davidlago Just to make sure that I understand this correctly: in addition to #1552, we also need to backport the original cookie splitting PR?

[davidlago]

Yes, exactly. But as that PR has the regression we're fixing in #1552, let's make sure it does not get backported before that fix is in.

[leanneeliatra]

Can you assign this to me please @davidlago .

Testing from my end currently in progress on this PR #1662

[leanneeliatra]

Hi @peternied, @scrawfor99, @cwperks can I ask about the PR in relation to this please? #1662

I've tested the code and would like a pair of eyes on the changes so far and to asses what is outstanding with me please. I have changed the ticket to ready for review but on the particular branch, I cannot select anyone as reviewers, it's a backport to be merged back into 1.x.

So I would like some advice on

1. Are we happy with the fix, that it works and that the selenium tests were updated for this issue.
2. What if anything is outstanding
3. How can I get reviews

Thanks very much, it would be great to get your experienced comments on the questions above please.

[leanneeliatra]

This ticket is in the final stages.
Update of progress:

• I tested the fix in the ticket, namely that the cookie splits after it gets to a certain size. This was tested with SAML authentication.
• The PR was reviewed by @scrawfor99 and @scrawfor99.
• However, the CI integration tests are not passing currently, therefore the integration tests need to be ran locally and then, the ticket should be able to be closed.
  PR: Backport cookie splitter #1662
  Bug: [BUG] opensearch login not working with more than 15 roles assign to user #1567

[cwperks]

Closing this issue. The cookie splitting logic will be released in the next patch release for 1.3: 1.3.15.

You can find the release schedule here.