Skip to content

fix: add missing user_roles equired for opensearch saas#1022

Merged
edwinjosechittilappilly merged 2 commits into
mainfrom
user_roles
Feb 25, 2026
Merged

fix: add missing user_roles equired for opensearch saas#1022
edwinjosechittilappilly merged 2 commits into
mainfrom
user_roles

Conversation

@zzzming

@zzzming zzzming commented Feb 24, 2026

Copy link
Copy Markdown
Collaborator

add missing user_roles equired for opensearch saas deployment

@github-actions github-actions Bot added the backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) label Feb 24, 2026
@zzzming zzzming changed the title add missing user_roles equired for opensearch saas fix: add missing user_roles equired for opensearch saas Feb 24, 2026
@github-actions github-actions Bot added the bug 🔴 Something isn't working. label Feb 24, 2026
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Feb 25, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request attempts to add the "all_access" role to the user_roles claim in JWT tokens, supposedly to support OpenSearch SaaS deployments. However, the change has critical security and functional issues.

Changes:

  • Added "all_access" to the user_roles array in JWT token payload for all authenticated users

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/session_manager.py
"email_verified": True,
"roles": ["openrag_user"], # Backend role for OpenSearch
"user_roles": ["openrag_user"], # compatible with OpenSearch's roles_key
"user_roles": ["openrag_user", "all_access"], # compatible with OpenSearch's roles_key

Copilot AI Feb 25, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adding "all_access" role grants unrestricted administrative privileges to all authenticated users. In OpenSearch, the "all_access" role is a built-in superuser role that bypasses all security restrictions. This creates a critical security vulnerability as it:

  1. Grants full cluster and index administration rights to every user
  2. Bypasses the document-level security (DLS) filters defined in the openrag_user_role
  3. Allows users to view, modify, or delete any documents regardless of ownership
  4. Permits cluster configuration changes and security settings modifications

According to the security configuration in securityconfig/roles_mapping.yml, the all_access role is explicitly reserved for the "admin" user only. The comment mentions this is "required for opensearch saas" but there's no evidence in the codebase of OpenSearch SaaS-specific requirements that would necessitate granting all users admin privileges.

If elevated permissions are truly needed for OpenSearch SaaS deployments, consider creating a new dedicated role with the minimum required permissions rather than using the all_access superuser role. Additionally, the roles_key in securityconfig/config.yml is set to "roles", not "user_roles", so this change may not even be effective.

Suggested change
"user_roles": ["openrag_user", "all_access"], # compatible with OpenSearch's roles_key
"user_roles": ["openrag_user"], # Keep aligned with OpenSearch roles_key configuration

Copilot uses AI. Check for mistakes.
Comment thread src/session_manager.py
"email_verified": True,
"roles": ["openrag_user"], # Backend role for OpenSearch
"user_roles": ["openrag_user"], # compatible with OpenSearch's roles_key
"user_roles": ["openrag_user", "all_access"], # compatible with OpenSearch's roles_key

Copilot AI Feb 25, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment states this is "compatible with OpenSearch's roles_key" but the actual roles_key configured in securityconfig/config.yml line 18 is set to "roles", not "user_roles". This means OpenSearch will read backend roles from the "roles" claim in the JWT token, not from "user_roles".

Adding "all_access" to user_roles will have no effect unless the roles_key configuration is changed to point to "user_roles" instead of "roles". The existing "roles" claim on line 205 is what OpenSearch actually uses for role mapping.

Copilot uses AI. Check for mistakes.
@edwinjosechittilappilly edwinjosechittilappilly merged commit 686dd9f into main Feb 25, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backend 🔷 Issues related to backend services (OpenSearch, Langflow, APIs) bug 🔴 Something isn't working.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants