[BUG] Alerting does not work when the last person to create/update has a role with parameter substitution in the DLS #1298

Closed
ryfestag opened this issue Nov 8, 2023 · 2 comments
Labels
bug Something isn't working

Comments


ryfestag commented Nov 8, 2023

Describe the bug
When a user associated with a role that used parameter substitution in their DLS creates an alert, the alert queries fail because the parameter substitution does not occur (resulting in an invalid query document). The same query, when executed directly, works as expected.

The difference in behavior for search REST API calls & alerting extraction query calls is due to the additional SecurityRestFilter interceptor workflow.

com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Error while parsing {"terms":{"testfield":[{attr.internal.test}]}}
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2086) ~[guava-32.1.2-jre.jar:?]
        at com.google.common.cache.LocalCache.get(LocalCache.java:4012) ~[guava-32.1.2-jre.jar:?]
        at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4922) ~[guava-32.1.2-jre.jar:?]
        at org.opensearch.security.configuration.DlsQueryParser.containsTermLookupQuery(DlsQueryParser.java:161) ~[opensearch-security-2.11.0.0.jar:2.11.0.0]
        at org.opensearch.security.configuration.DlsQueryParser.containsTermLookupQuery(DlsQueryParser.java:143) ~[opensearch-security-2.11.0.0.jar:2.11.0.0]
        at org.opensearch.security.configuration.DlsFlsValveImpl.invoke(DlsFlsValveImpl.java:166) ~[opensearch-security-2.11.0.0.jar:2.11.0.0]
        at org.opensearch.security.filter.SecurityFilter.apply0(SecurityFilter.java:390) [opensearch-security-2.11.0.0.jar:2.11.0.0]
        at org.opensearch.security.filter.SecurityFilter.apply(SecurityFilter.java:165) [opensearch-security-2.11.0.0.jar:2.11.0.0]
        at org.opensearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:216) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.action.support.TransportAction.execute(TransportAction.java:188) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.action.support.TransportAction.execute(TransportAction.java:107) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.client.node.NodeClient.executeLocally(NodeClient.java:110) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.rest.action.RestCancellableNodeClient.doExecute(RestCancellableNodeClient.java:106) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.client.support.AbstractClient.execute(AbstractClient.java:476) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.rest.action.search.RestSearchAction.lambda$prepareRequest$2(RestSearchAction.java:135) [opensearch-2.11.0.jar:2.11.0]
        at org.opensearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:128) [opensearch-2.11.0.jar:2.11.0]

        at org.opensearch.security.filter.SecurityRestFilter.lambda$wrap$0(SecurityRestFilter.java:141) [opensearch-security-2.11.0.0.jar:2.11.0.0]

This makes a call to the following method internally:
https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java#L1025
which replaces attributes with actual values.
This call needs to be included in the alerting workflow as well to fix this issue.

To Reproduce
Steps to reproduce the behavior:

  1. Create a role with a DLS document that has parameter substitution (as documented here: https://opensearch.org/docs/latest/security/access-control/document-level-security/#parameter-substitution)
  2. Create a user with the appropriate attribute defined
  3. Insert a document that the user should be able to see
  4. Query for that document. It should be visible.
  5. Create an alert query that should return the same document. The alert query should error and show that the query was malformed where the parameter substitution should have occurred.

Expected behavior
Users that have roles with parameter substitution in their DLS should be able to create and use the alerting feature.

Plugins
Unknown. Standard AWS Open Search deployment

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

  • OS: [e.g. iOS] Windows
  • Version [e.g. 22] Identified in ES 7.10, but it is also an issue in latest OpenSearch available through AWS Open Search managed service.

Additional context
We created a support ticket in our AWS account for this issue, and were directed to open the issue here. More details can be provided if needed.
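Added example (not the security plugin's own code) showing the substitution step the report says is skipped on the alerting path, plus a fail-closed check that refuses a DLS query in which a placeholder was never resolved. The placeholder grammar, the shape of the user dict and the sample values are assumptions of this example.

```python
import json
import re

# Placeholder forms documented for OpenSearch DLS parameter substitution:
# ${user.name} and ${attr.<source>.<name>}, e.g. ${attr.internal.test}.
# The regex and the resolution rules below are assumptions of this example,
# not the security plugin's implementation.
PLACEHOLDER = re.compile(r"\$\{(user\.name|attr\.([a-z]+)\.([A-Za-z0-9_.-]+))\}")


class UnresolvedPlaceholder(ValueError):
    """Raised when a DLS template references data the user does not carry."""


def substitute_dls(template: str, user: dict) -> str:
    """Render a DLS template for one user (constructed shape:
    {"name": ..., "attributes": {"internal": {...}}}).
    Fails closed: an unresolvable placeholder raises instead of being passed
    on as a malformed, or silently literal, query document."""
    def resolve(match):
        key, source, name = match.group(1), match.group(2), match.group(3)
        if key == "user.name":
            value = user.get("name")
        else:
            value = user.get("attributes", {}).get(source, {}).get(name)
        if value is None:
            raise UnresolvedPlaceholder(f"no value for ${{{key}}}")
        # JSON-escape so an attribute value cannot break out of its string literal.
        return json.dumps(str(value))[1:-1]

    rendered = PLACEHOLDER.sub(resolve, template)
    json.loads(rendered)  # the result must still be a well-formed query document
    return rendered


def has_unresolved_placeholder(query: str) -> bool:
    """Guard for a path that may skip substitution (the alerting path in this
    issue): True if a raw placeholder would reach the query parser, either in
    its ${...} form or as the bare {attr.x.y} seen in the stack trace above."""
    return "${" in query or re.search(r"\{attr\.[a-z]+\.[^}]*\}", query) is not None


if __name__ == "__main__":
    # Constructed sample: a terms query on `testfield` driven by the internal
    # user attribute `test`, modelled on the query in the stack trace.
    template = '{"terms":{"testfield":["${attr.internal.test}"]}}'
    user = {"name": "alice", "attributes": {"internal": {"test": "tenant-a"}}}
    print(substitute_dls(template, user))
    print(has_unresolved_placeholder(template), has_unresolved_placeholder(substitute_dls(template, user)))
```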

@ryfestag ryfestag added bug Something isn't working untriaged labels Nov 8, 2023
@dblock dblock transferred this issue from opensearch-project/OpenSearch Nov 8, 2023
@engechas

I am attempting to reproduce this issue on OpenSearch 2.11 but am not encountering an error.

Here is my DLS:

{"term": { "readable_by": "${user.name}"}}

Searching an index from the master user:

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 3,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

Searching from a user with the above DLS:

{
  "took": 2,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

I created a monitor and a trigger against this index with the DLS user. I am able to run the extraction query
[screenshot of the extraction query result]

and also run the trigger condition:
[screenshot of the trigger condition result]

Could you try this again on 2.11 and see if the error still occurs?


engechas commented Apr 3, 2024

Closing as I am unable to reproduce the issue. Please reopen the issue if the problem is still occurring.

@engechas engechas closed this as completed Apr 3, 2024