java.lang.IllegalStateException: Username cannot have '|' in the security plugin. #2756
Comments
[Triage] Thank you for filing this issue @ran2806. @cwperks Can you add some more details around the reason for this character being forbidden in a username?

Edit: Coming back to this to provide more context. This delimiter is being used to serialize/deserialize a user on the thread context right before a transport action is executed on a node. The security plugin performs authorization using the SecurityFilter, which serializes the user into a pipe-delimited string that can be read in by other plugins to reify the user from the thread context.

This method is responsible for setting user info into the thread context: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java#L197-L209

This is read in via common-utils here: https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/authuser/User.java#L161-L186

The pipe is also referenced here: https://github.com/opensearch-project/common-utils/blob/main/src/main/java/org/opensearch/commons/InjectSecurity.java#L161-L175

The pipe is also referenced here as well: https://github.com/petardz/common-utils/blob/main/src/main/java/org/opensearch/commons/InjectSecurity.java#L131-L155

Making this configurable would require a change across multiple repos. It may be possible, but it's a non-trivial change. Is it possible to update the delimiter used in the external IdP or choose a specific attribute you would like for the username?
@RyanL1997 Are the forbidden characters in usernames displayed anywhere on the documentation website?
Adding myself to the thread for visibility :D
@cwperks Currently the OIDC is configured and used by a lot of services, so I cannot change the subject pattern which is used as the username. Also, Cognito does not allow changing the mapping of the OIDC sub to some other value. I have a support ticket with the AWS team for the same, to use a different field for the username.
I've run into the same issue setting up Cognito as the OIDC provider for OpenSearch, where Cognito is backed by an Okta IdP. In this case Okta doesn't let you change the sub response, and Cognito won't let you use anything other than sub for the username attribute.
I also faced this problem; it makes it impossible to use OpenSearch in AWS with Cognito and a federated IdP via OIDC to Okta / Auth0.
I think this can be fixed by changing the logic to 'escape' uses of the pipe character. We'd welcome a pull request to add this functionality. |
The escaping can be done when the username is serialized here |
@cwperks I am not sure if just escaping in Security plugin would be a complete solution. Wouldn't we need to unescape in plugins that parse this information? If so, I think we should solve this better - by either changing the way we add user information in thread context OR adapting a more better approach like Resource Sharing/Controls. |
@shikharj05 You would only need to decode it in FYI over the longer term, I would like to obviate common-utils completely: #5052 For username, its also possible to get a hold of the IdentityService through dependency injection and call |
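The two points made above, that the plugin has to forbid `|` because the user is joined into a pipe-delimited string with no escaping, and that escaping on the writing side only works if every reader unescapes, can be shown with a small round-trip check. This is an added illustration, not code from the OpenSearch security plugin or common-utils: the four-field layout (name, backend roles, roles, requested tenant), the backslash escape character, the role names and the sample sub value are all assumptions constructed for the example, following the `idp-provider|...|tenant-account-id|user-id` pattern quoted in the issue.

```python
"""Why a pipe-delimited user string must reject '|' unless it is escaped,
and why the reading side must unescape too.

Added example, not the security plugin's code. Field layout, escape
character and sample values are assumptions for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

DELIM = "|"     # field separator used on the thread context
ESCAPE = "\\"   # assumed escape character for the fixed scheme


@dataclass
class User:
    name: str
    backend_roles: list[str] = field(default_factory=list)
    roles: list[str] = field(default_factory=list)
    requested_tenant: str = ""

    def to_fields(self) -> list[str]:
        # Role lists are comma-joined; a comma inside a role name would need
        # the same treatment, which this example leaves out.
        return [self.name, ",".join(self.backend_roles), ",".join(self.roles), self.requested_tenant]

    @classmethod
    def from_fields(cls, parts: list[str]) -> "User":
        if len(parts) != 4:
            raise ValueError(f"expected 4 fields, got {len(parts)}: {parts!r}")
        name, backend, roles, tenant = parts
        return cls(name, backend.split(",") if backend else [], roles.split(",") if roles else [], tenant)


# --- current behaviour: no escaping, so '|' has to be forbidden up front ----

def serialize_naive(user: User) -> str:
    if DELIM in user.name:
        # Mirrors the IllegalStateException in the issue title.
        raise ValueError(f"Username cannot have '{DELIM}' in the security plugin.")
    return DELIM.join(user.to_fields())


def parse_naive(s: str) -> User:
    # A reader that splits on every '|' regardless of escaping.
    return User.from_fields(s.split(DELIM))


# --- proposed behaviour: escape on write, unescape on read ------------------

def escape_field(value: str) -> str:
    # Escape the escape character first, so a literal "\|" in the input is
    # not mistaken for an escaped pipe when decoding.
    return value.replace(ESCAPE, ESCAPE + ESCAPE).replace(DELIM, ESCAPE + DELIM)


def split_unescaped(s: str) -> list[str]:
    """Split on unescaped '|' only; "\\|" decodes to '|' and "\\\\" to '\\'."""
    parts: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == ESCAPE:
            if i + 1 >= len(s):
                raise ValueError("dangling escape character at end of input")
            current.append(s[i + 1])
            i += 2
        elif c == DELIM:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(c)
            i += 1
    parts.append("".join(current))
    return parts


def serialize_escaped(user: User) -> str:
    return DELIM.join(escape_field(f) for f in user.to_fields())


def parse_escaped(s: str) -> User:
    return User.from_fields(split_unescaped(s))


# Constructed input modelled on the sub pattern quoted in the issue.
COGNITO_USER = User("idp-provider|user@example.com|tenant-account-id|user-id",
                    ["okta-admins"], ["all_access"], "")


def demo() -> dict[str, object]:
    out: dict[str, object] = {}
    try:
        serialize_naive(COGNITO_USER)
    except ValueError as e:
        out["naive_error"] = str(e)
    wire = serialize_escaped(COGNITO_USER)
    out["wire"] = wire
    out["round_trip_ok"] = parse_escaped(wire) == COGNITO_USER
    # A consumer that still splits on every '|' sees 7 fields instead of 4,
    # so escaping only in the writer is not enough: readers must unescape.
    try:
        parse_naive(wire)
        out["unescaping_reader_required"] = False
    except ValueError:
        out["unescaping_reader_required"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the rejection message from the naive scheme, the escaped wire string, a successful round trip, and confirms that an un-updated reader misparses the escaped string. The order of the two `replace` calls in `escape_field` is the one subtle point: escaping the backslash first keeps the decoder unambiguous for usernames that already contain a backslash.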
Hi All,
We are using Cognito with a custom OIDC provider to authenticate users on an Amazon OpenSearch cluster. The OIDC provider is sending the sub field in the following pattern: sub = "idp-provider|[email protected]|tenant-account-id|user-id". I believe this sub field is used as the username in authentication. So when the user comes authenticated, OpenSearch throws this error:
java.lang.IllegalStateException: Username cannot have '|' in the security plugin.
Is there a way to use a different property for the username?
Thanks.