Skip to content

fix: upgrade OpenSearch to 3.6.0#1972

Merged
lucaseduoli merged 5 commits into
mainfrom
fix/upgrade_opensearch
Jun 26, 2026
Merged

fix: upgrade OpenSearch to 3.6.0#1972
lucaseduoli merged 5 commits into
mainfrom
fix/upgrade_opensearch

Conversation

@lucaseduoli

@lucaseduoli lucaseduoli commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

This pull request updates the OpenSearch stack to version 3.6.0 across the Dockerfile, Docker Compose, and Helm chart configurations. The main changes ensure that all OpenSearch-related components and plugins are aligned to the latest compatible version, improving compatibility, security, and feature support.

OpenSearch and Plugin Version Upgrades:

  • Upgraded the base OpenSearch image in the Dockerfile from 3.2.0 to 3.6.0.
  • Updated all plugin download URLs and installation commands in the Dockerfile to use the 3.6.0.0 versions for opensearch-jvector-plugin, opensearch-neural-search, and opensearch-prometheus-exporter.
  • Changed the OPENSEARCH_VERSION build argument in the Dockerfile to 3.6.0.

Dashboard Version Alignment:

  • Updated the OpenSearch Dashboards image version to 3.6.0 in both docker-compose.yml and the Helm chart values file (values.yaml). [1] [2]

Closes #1969

Summary by CodeRabbit

  • Chores / Maintenance
    • Upgraded OpenSearch runtime to 3.6.0 and updated bundled search plugins/artifacts to match.
    • Upgraded OpenSearch Dashboards to 3.6.0 for Docker Compose and Kubernetes (Helm).
    • Updated embedded Netty to 4.2.15 and improved the Netty patching workflow.
  • Security
    • Adjusted index permission action sets for relevant role patterns (admin mapping/existence/get vs read) by reordering/splitting blocks.
  • Tests
    • Updated a unit test to set OpenSearch credentials via environment variables.

@lucaseduoli lucaseduoli requested a review from mpawlow June 25, 2026 20:31
@lucaseduoli lucaseduoli self-assigned this Jun 25, 2026
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2c178785-ffab-4821-9ee2-2492cc659c73

📥 Commits

Reviewing files that changed from the base of the PR and between 7a9e917 and eb9a316.

📒 Files selected for processing (2)
  • Dockerfile
  • docker-compose.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • docker-compose.yml
  • Dockerfile

Walkthrough

OpenSearch, OpenSearch Dashboards, Netty patching, and role permission ordering are updated across build and security configuration.

Changes

OpenSearch 3.6 upgrade and compatibility updates

Layer / File(s) Summary
OpenSearch image and plugins
Dockerfile, docker-compose.yml, kubernetes/helm/openrag/values.yaml
The OpenSearch base image, plugin artifact versions, runtime version argument, and Dashboards image tags are updated to 3.6.0.
Netty patching flow
patch-netty.sh
The Netty patch script now scans for netty-*.jar files, replaces whitelisted core artifacts with 4.2.15.Final jars, and exits with an error only when no whitelisted jars are matched.
Role action ordering
cloud_securityconfig/roles.yml, securityconfig/roles.yml
The allowed_actions ordering is adjusted and split in the openrag_user_role index permissions for documents, openrag_dls_principals, and api_keys patterns.
ACL test credential setup
tests/unit/test_group_acl.py
The IBM basic admin client test sets OpenSearch admin credentials through environment variables instead of mutating settings attributes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

  • zzzming
  • rodageve
  • phact
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Clear, specific title matches the main change: upgrading OpenSearch to 3.6.0.
Linked Issues check ✅ Passed The PR updates OpenSearch and related images/configs from 3.2.0 to 3.6.0, matching the direct upgrade request.
Out of Scope Changes check ✅ Passed No clearly unrelated changes are evident; the Netty, security config, and test edits appear tied to the OpenSearch upgrade.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/upgrade_opensearch

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 25, 2026

@mpawlow mpawlow left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review 1

  • ✅ Approved / LGTM 🚀
  • See PR comments (1a) and (1d) for Minor nits to optionally address

Functional Review 1

  • ✅ Successfully verified sanity ingestion, searching, chatting with newly build OpenSearch image
    • Note: I re-used an existing OpenSearch index (no factory reset)

Comment thread Dockerfile Outdated
Comment thread Dockerfile Outdated
@github-actions github-actions Bot added the lgtm label Jun 25, 2026
@mpawlow

mpawlow commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator

@lucaseduoli

  • ⚠️ I did see these errors in the OpenSearch logs (but they might be pre-existing or related to the fact I didn't do a factory reset
os  | org.opensearch.OpenSearchSecurityException: Unsupported request type for filter level DLS: indices:admin/mappings/get; org.opensearch.action.admin.indices.mapping.get.GetMappingsRequest
os  |   at org.opensearch.security.configuration.DlsFilterLevelActionHandler.handle(DlsFilterLevelActionHandler.java:208)
os  |   at org.opensearch.security.configuration.DlsFilterLevelActionHandler.handle(DlsFilterLevelActionHandler.java:127)
os  |   at org.opensearch.security.configuration.DlsFlsValveImpl.invoke(DlsFlsValveImpl.java:400)
os  |   at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:451)
os  |   at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:187)
os  |   at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:218)
os  |   at org.opensearch.performanceanalyzer.action.PerformanceAnalyzerActionFilter.apply(PerformanceAnalyzerActionFilter.java:81)
os  |   at org.opensearch.action.support.ActionFilter.apply(ActionFilter.java:67)
os  |   at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:218)
os  |   at org.opensearch.action.support.TransportAction.execute(TransportAction.java:190)
os  |   at org.opensearch.action.support.TransportAction.execute(TransportAction.java:109)
os  |   at org.opensearch.transport.client.node.NodeClient.executeLocally(NodeClient.java:113)
os  |   at org.opensearch.transport.client.node.NodeClient.doExecute(NodeClient.java:100)
os  |   at org.opensearch.transport.client.support.AbstractClient.execute(AbstractClient.java:501)
os  |   at org.opensearch.transport.client.support.AbstractClient$IndicesAdmin.execute(AbstractClient.java:1610)
os  |   at org.opensearch.transport.client.support.AbstractClient$IndicesAdmin.getMappings(AbstractClient.java:1780)
os  |   at org.opensearch.rest.action.admin.indices.RestGetMappingAction.lambda$prepareRequest$0(RestGetMappingAction.java:117)
os  |   at org.opensearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:132)
os  |   at org.opensearch.security.filter.SecurityRestFilter$AuthczRestHandler.handleRequest(SecurityRestFilter.java:230)
os  |   at org.opensearch.rest.RestController.dispatchRequest(RestController.java:391)
os  |   at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:481)
os  |   at org.opensearch.rest.RestController.dispatchRequest(RestController.java:297)
os  |   at org.opensearch.security.ssl.http.netty.ValidatingDispatcher.dispatchRequest(ValidatingDispatcher.java:69)
os  |   at org.opensearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:374)
os  |   at org.opensearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:482)
os  |   at org.opensearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:357)
os  |   at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:60)
os  |   at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:44)
os  |   at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at org.opensearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:72)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
os  |   at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.handler.codec.http.HttpContentDecoder.decode(HttpContentDecoder.java:170)
os  |   at io.netty.handler.codec.http.HttpContentDecoder.decode(HttpContentDecoder.java:48)
os  |   at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:91)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:102)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:361)
os  |   at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:325)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:288)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:355)
os  |   at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:107)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1526)
os  |   at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1384)
os  |   at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1435)
os  |   at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545)
os  |   at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
os  |   at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
os  |   at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
os  |   at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1429)
os  |   at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:918)
os  |   at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:176)
os  |   at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.handle(AbstractNioChannel.java:445)
os  |   at io.netty.channel.nio.NioIoHandler$DefaultNioRegistration.handle(NioIoHandler.java:388)
os  |   at io.netty.channel.nio.NioIoHandler.processSelectedKey(NioIoHandler.java:596)
os  |   at io.netty.channel.nio.NioIoHandler.processSelectedKeysPlain(NioIoHandler.java:541)
os  |   at io.netty.channel.nio.NioIoHandler.processSelectedKeys(NioIoHandler.java:514)
os  |   at io.netty.channel.nio.NioIoHandler.run(NioIoHandler.java:484)
os  |   at io.netty.channel.SingleThreadIoEventLoop.runIo(SingleThreadIoEventLoop.java:225)
os  |   at io.netty.channel.SingleThreadIoEventLoop.run(SingleThreadIoEventLoop.java:196)
os  |   at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:1195)
os  |   at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
os  |   at java.base/java.lang.Thread.run(Thread.java:1474)
os  | [2026-06-25T22:43:47,652][WARN ][o.o.s.a.BackendRegistry  ] [26a5ce77ed17] Authentication finally failed for null from 127.0.0.1:39536

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 26, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

12-26: 🩺 Stability & Availability | 🟡 Minor

Add -f to the curl command that downloads the neural-search plugin to fail fast on HTTP errors.

When curl ... > plugin.zip lacks -f, a 4xx/5xx response still writes the error body to the file; the subsequent opensearch-plugin install then fails with a cryptic message. Use -fL to surface the HTTP error immediately during the build.

Replace line 17 with:

curl -fL -s https://github.com/IBM/neural-search-jvector/releases/download/3.6.0.0/opensearch-neural-search-3.6.0.0.zip \
  > /tmp/opensearch-neural-search/plugin.zip
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` around lines 12 - 26, Add fail-fast handling to the neural-search
plugin download in the Dockerfile by updating the curl command used in the
opensearch-neural-search preparation step. The current download writes HTTP
error bodies into plugin.zip, so change the curl invocation to use
error-on-HTTP-failure behavior for the neural-search artifact while keeping the
existing pipeline and opensearch-plugin install steps intact. Locate the fix in
the curl command that populates /tmp/opensearch-neural-search/plugin.zip and
ensure it surfaces 4xx/5xx failures immediately during build.
🧹 Nitpick comments (1)
Dockerfile (1)

16-18: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add -f to the neural-search download so HTTP errors fail fast.

Unlike the jvector download (Line 12), which pipes into tar and fails on bad input, this curl -L -s > plugin.zip succeeds on a 404 and writes the HTML error page into plugin.zip. The failure then surfaces only at opensearch-plugin install (Line 22) with a confusing "invalid zip" error.

🛡️ Proposed fix
 RUN mkdir -p /tmp/opensearch-neural-search && \
-    curl -L -s https://github.com/IBM/neural-search-jvector/releases/download/3.6.0.0/opensearch-neural-search-3.6.0.0.zip \
+    curl -fL -s https://github.com/IBM/neural-search-jvector/releases/download/3.6.0.0/opensearch-neural-search-3.6.0.0.zip \
       > /tmp/opensearch-neural-search/plugin.zip
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cloud_securityconfig/roles.yml`:
- Around line 18-20: The shared ACL test is picking the first matching
permission entry from roles.yml, so splitting the DLS permissions into
admin-only and read/DLS entries can break the test contract. Keep the DLS/read
permission block first in the roles configuration, or update the selector in the
shared ACL test to explicitly target the DLS/read entry instead of the first
match; use the existing permission entries in roles.yml and the ACL test
selector logic to locate the change.

In `@patch-netty.sh`:
- Around line 99-105: The fail-safe in the patch-netty.sh script is using
replaced_count, which only tracks actual replacements, so it can incorrectly
fail builds when whitelisted Netty jars are already at NETTY_VERSION. Add a
separate matched_count that increments whenever a whitelisted artifact is found,
including the already-up-to-date continue path, and change the final check to
fail only when matched_count is zero. Keep the existing replaced_count output
for reporting, and update the logic around the jar-processing loop and the final
fail-safe block accordingly.

In `@securityconfig/roles.yml`:
- Around line 18-20: The DLS/read permissions are now ordered after the
admin-only blocks, which breaks the existing contract in tests that pick the
first permissions entry for documents and openrag principals. Update the roles
definition so the DLS/read block for the documents and knowledge_filters
permissions appears before the corresponding admin-only block, or adjust the
test selectors in test_group_acl.py to find entries by allowed_actions and dls
instead of index. Keep the ordering consistent for the affected permission
groups so the first match remains the read/DLS rule.

---

Outside diff comments:
In `@Dockerfile`:
- Around line 12-26: Add fail-fast handling to the neural-search plugin download
in the Dockerfile by updating the curl command used in the
opensearch-neural-search preparation step. The current download writes HTTP
error bodies into plugin.zip, so change the curl invocation to use
error-on-HTTP-failure behavior for the neural-search artifact while keeping the
existing pipeline and opensearch-plugin install steps intact. Locate the fix in
the curl command that populates /tmp/opensearch-neural-search/plugin.zip and
ensure it surfaces 4xx/5xx failures immediately during build.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4662e1f0-7bf4-4813-9dbe-94b73180fb40

📥 Commits

Reviewing files that changed from the base of the PR and between 0342f24 and 325b5ef.

📒 Files selected for processing (4)
  • Dockerfile
  • cloud_securityconfig/roles.yml
  • patch-netty.sh
  • securityconfig/roles.yml

Comment thread cloud_securityconfig/roles.yml
Comment thread patch-netty.sh
Comment thread securityconfig/roles.yml
@github-actions github-actions Bot added tests bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 26, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
securityconfig/roles.yml (1)

15-15: 🎯 Functional Correctness | 🟠 Major

Avoid keeping the broad read action inside DLS blocks.

In OpenSearch 3.6.0, the read action group includes metadata operations (indices:admin/mappings/fields/get*, indices:admin/resolve/index) in addition to data reads. When granted on an index pattern with a dls filter, these metadata requests are subject to DLS filtering, which can break admin functionality (e.g., mapping inspection) or expose unexpected empty results. You must split read on DLS patterns to include only data-specific actions (e.g., indices:data/read/search) and grant the metadata actions exclusively on corresponding non-DLS patterns.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@securityconfig/roles.yml` at line 15, The DLS role definition still uses the
broad read action group on a pattern with a dls filter, which pulls in metadata
operations that should not be filtered. Update the affected role entry in
roles.yml to split read into data-only actions for the DLS-scoped index pattern,
and grant the metadata-related actions separately on a matching non-DLS pattern.
Use the role stanza containing the read action to locate and adjust the
permission set.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@securityconfig/roles.yml`:
- Line 15: The DLS role definition still uses the broad read action group on a
pattern with a dls filter, which pulls in metadata operations that should not be
filtered. Update the affected role entry in roles.yml to split read into
data-only actions for the DLS-scoped index pattern, and grant the
metadata-related actions separately on a matching non-DLS pattern. Use the role
stanza containing the read action to locate and adjust the permission set.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bc14b8b6-7955-4bf0-8d76-9c0d4f1a32d2

📥 Commits

Reviewing files that changed from the base of the PR and between 325b5ef and 7a9e917.

📒 Files selected for processing (4)
  • cloud_securityconfig/roles.yml
  • patch-netty.sh
  • securityconfig/roles.yml
  • tests/unit/test_group_acl.py
🚧 Files skipped from review as they are similar to previous changes (1)
  • cloud_securityconfig/roles.yml

@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 26, 2026
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Jun 26, 2026
@lucaseduoli lucaseduoli merged commit 74fe6be into main Jun 26, 2026
17 checks passed
@github-actions github-actions Bot deleted the fix/upgrade_opensearch branch June 26, 2026 22:21
ricofurtado pushed a commit that referenced this pull request Jun 30, 2026
* upgrade OpenSearch to 3.6.0

* fixed PR review comments

* fix nitpicks
ricofurtado added a commit that referenced this pull request Jul 1, 2026
* feat:  add connectors permissions for Saas (#1782)

* feat: add SaaS workspace connector permissions with RBAC gates
Introduce admin Connectors Permission settings (cloud-only) backed by
workspace_config, enforce availability on connector APIs and OAuth init,
and sync the new connectors:manage:access permission at startup without
an Alembic migration. OSS/dev OSS brand bypasses policy; add dev role
toggle and brand-aware proxy headers for local RBAC testing.

* style: ruff autofix (auto)

* address CodeRabbit comments and fix backend lint unused imports

* fix backend lint

* feat: workspace connector permissions with aligned SaaS policy guards
Add admin Connectors Permission (workspace_config-backed) with RBAC
connectors:manage:access, enforce policy on connector APIs and OAuth init,
and keep the permission list independent of the live connectors tab.
Consolidate frontend connector-access hooks into useGetConnectorsQuery and
settings tab helpers into brand.ts. Fix Connectors Permission tab redirects
(RSC dev-brand default, wait for permissionsResolved). Let explicitly
enabled connectors override deployment visibility filters; add
OPENRAG_DEV_CONNECTOR_POLICY for local OSS dev backend enforcement Snapshot and restore all cached connector query keys in connect/disconnect
mutations so optimistic updates stay correct when policy context changes
mid-mutation (brand toggle, permissions resolving).

* style: ruff autofix (auto)

* addressed coderabbit comments

* remove mentions of dev only envs in the env.example

---------

Co-authored-by: Olfa Maslah <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Edwin Jose <[email protected]>

* fix: google to support WEBHOOK_BASE_URL (#1849)

* Update connector.py

* update env in settings

* fix webhook url of sharepoint

* fix: make connector webhooks work end-to-end (Drive routing, Graph subscriptions, change discovery) (#1867)

* fix: alias legacy /connectors/google/webhook to google_drive and reload connections store on webhook channel lookup miss

* Fix Sharepoint and Google Drive

* fix: propagate deleted items from SharePoint/OneDrive webhook delta query

Main's delete-event coverage (#1852) expects handle_webhook to return
deleted file ids so sync_specific_files can run its deleted-at-source
cleanup (get_file_content -> 404 -> delete indexed chunks). The delta
implementation skipped deleted items; now deleted files propagate and
deleted folders stay excluded.

* use logging _config

* Update test_webhook_type_alias.py

* fix: forward end-user JWT to MCP/API callers via gateway-placed X-OpenRAG-API-JWT header (#1874)

* use fallback header

* Notes on new header

* raises http exception for missing jwt

* feat: Add shared flag for COS ingestion to allow documents to be indexed without an owner

* style: ruff autofix (auto)

* Update src/api/connectors.py

Improving error return

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* feat: Implement shared flag for document replacement in OpenSearch queries

* style: ruff autofix (auto)

* refactor: Remove shared flag from document ingestion options in SDK

* feat: Update resolve_shared_owner_fields to return anonymous user details for shared documents

* style: ruff autofix (auto)

* feat: Add anonymous delete permission for shared documents and update related functionality

* feat: Update delete permission to include anonymous access for shared documents

* style: ruff autofix (auto)

* style: apply ruff autofix

* feat: Restrict shared flag usage to ibm_cos connector in sync_connector_files method

* fix: clarify behavior of documents with owner=null in DLS tests

* fix button types (#1875)

* refactor: no derived state (#1886)

* no derivied state

* coderabbit comments

* OPENSEARCH_NODE_COUNT_CHECK_ENABLED as deafult flag (#1975)

What changed:

  - Renamed the env var read by the backend to OPENSEARCH_NODE_COUNT_CHECK_ENABLED in src/config/settings.py.
  - Updated Docker Compose to pass OPENSEARCH_NODE_COUNT_CHECK_ENABLED in docker-compose.yml.
  - Added the canonical flag to the example env file in .env.example.
  - Documented the flag in the OpenSearch config table in docs/docs/reference/configuration.mdx.
  - Updated the existing readiness test wording in tests/unit/test_opensearch_wait_node_count.py.
  - Added a regression test that loads config.settings with OPENSEARCH_NODE_COUNT_CHECK_ENABLED=false and verifies the canonical flag is what the code reads in tests/unit/config/
    test_opensearch_node_count_check_enabled.py.

* chore: Segment improvements (#1971)

* chore: Segment improvements (#1963)

* Update static properties

* and knowledge/setting actions

* avoid duplicate events

* coderabbit comments

* fix: onboarding timeout cleanup issue (#1977)

* fix the cleanup timeout issue for the embedding step

* final step fix

* feat: add shared parameter to connector_sync function

* feat: add shared parameter to TaskProcessor and update connector_sync for permission checks

* fix: improve response handling in delete_document_endpoint for better status reporting

* fix: clear completeTimeoutRef after completion to prevent memory leaks

* fix: update OPENSEARCH_NODE_COUNT_CHECK_ENABLED to use fallback from OPENSEARCH_NODE_COUNT_CHECK

* fix: onboarding timeout cleanup issue (#1977)

* fix the cleanup timeout issue for the embedding step

* final step fix

* fix: support big csv files on langflow-less ingestion (#1968)

* fix max tokens when splitting for langflow-less ingestion

* fix coderabbit picks

* style: ruff autofix (auto)

* added non lf ingestion test

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: upgrade OpenSearch to 3.6.0 (#1972)

* upgrade OpenSearch to 3.6.0

* fixed PR review comments

* fix nitpicks

* Added ibm watsonx ai and langchain ibm to Langflow image (#1989)

* OPENSEARCH_NODE_COUNT_CHECK_ENABLED as deafult flag (#1975)

What changed:

  - Renamed the env var read by the backend to OPENSEARCH_NODE_COUNT_CHECK_ENABLED in src/config/settings.py.
  - Updated Docker Compose to pass OPENSEARCH_NODE_COUNT_CHECK_ENABLED in docker-compose.yml.
  - Added the canonical flag to the example env file in .env.example.
  - Documented the flag in the OpenSearch config table in docs/docs/reference/configuration.mdx.
  - Updated the existing readiness test wording in tests/unit/test_opensearch_wait_node_count.py.
  - Added a regression test that loads config.settings with OPENSEARCH_NODE_COUNT_CHECK_ENABLED=false and verifies the canonical flag is what the code reads in tests/unit/config/
    test_opensearch_node_count_check_enabled.py.

* fix: onboarding timeout cleanup issue (#1977)

* fix the cleanup timeout issue for the embedding step

* final step fix

* fix: universal file names (#1982)

* ascii support for ingest files

* update the flow json

* style: ruff autofix (auto)

* Update langflow_headers.py

* Update test_langflow_ingest_callback.py

* Update test-ci.yml

* Update test_onboarding_sample_docs.py

* style: ruff autofix (auto)

* Update test_ascii_safe_header_value.py

* Update langflow_file_service.py

* re trigger commit

* fix: purge config_manager singleton in non-langflow ingestion test

The _purge_modules() list was missing "config.config_manager", so the
ConfigManager singleton retained its cached _config from a previous test.
Subsequent calls to get_openrag_config() returned the old config where
disable_ingest_with_langflow=False, causing the router to use the Langflow
path even though DISABLE_INGEST_WITH_LANGFLOW=true was set in the environment.
Adding config.config_manager to the purge list forces a fresh load on the
next import, picking up the correct env-var values.

* fix: use hash_id to derive expected document_id in CSV ingestion test

DocumentFileProcessor ignores Docling's binary_hash field and computes
document_id = hash_id(file_path) from the actual file content. The test
was asserting against the literal mock value "sha-csv-integration-123"
which never appears in the indexed documents, giving 0 hits and a false
failure. Now the test derives expected_document_id via hash_id(csv_path)
to match what the production code actually indexes.

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

---------

Co-authored-by: Wallgau <[email protected]>
Co-authored-by: Olfa Maslah <[email protected]>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Edwin Jose <[email protected]>
Co-authored-by: Edwin Jose <[email protected]>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: Mike Fortman <[email protected]>
Co-authored-by: Sebastián Estévez <[email protected]>
Co-authored-by: Lucas Oliveira <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug 🔴 Something isn't working. docker lgtm tests

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Upgrade OpenSearch from 3.2.0 to 3.6.0

2 participants