Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] AWSV4SignerAuth does not accept "aos" #534

Closed
IanHoang opened this issue Oct 12, 2023 · 4 comments
Closed

[BUG] AWSV4SignerAuth does not accept "aos" #534

IanHoang opened this issue Oct 12, 2023 · 4 comments
Labels
bug Something isn't working untriaged Need triage

Comments

@IanHoang
Copy link

IanHoang commented Oct 12, 2023
edited
Loading

What is the bug?

When users are using OSB to test a SigV4 authenticated opensearch cluster, they set the environment variable to aos or aoss. However, AWSSigV4Auth class takes es instead of aos. This could be misleading to new OpenSearch users.

Are there any plans to support aos on top of es and aoss?

How can one reproduce the bug?

  1. Create an AOS domain that uses an authenticated IAM user for security
  2. Set OSB environment variables as described here
OSB_AWS_ACCESS_KEY_ID=<IAM USER AWS ACCESS KEY ID>
OSB_AWS_SECRET_ACCESS_KEY=<IAM USER AWS SECRET ACCESS KEY>
OSB_REGION=<YOUR REGION>
OSB_SERVICE=aos
  1. Run a test like the following command:
opensearch-benchmark execute-test \
--target-hosts=<CLUSTER ENDPOINT> \
--pipeline=benchmark-only \
--workload=geonames \
--client-options=timeout:120,amazon_aws_log_in:environment \

Error encountered:

"Service for aws log in should be one of 'es' or 'aoss'"

What is the expected behavior?

opensearch-py should accept aos as well on top of es and aoss.

What is your host/environment?

Occurs on MacOS, Linux and with Amazon Managed-Service Clusters

Do you have any screenshots?

N/A

Do you have any additional context?

N/A
@IanHoang IanHoang added bug Something isn't working untriaged Need triage labels Oct 12, 2023
@IanHoang IanHoang changed the title [BUG] Allow AWSV4SignerAuth to accept "aos" on top of "es" and "aoss" [BUG] AWSV4SignerAuth does not accept "aos" Oct 12, 2023
@dblock
Copy link
Member

dblock commented Oct 12, 2023

This feels like an OSB problem because the AWS service is definitely es and aoss, not aos, no?

@IanHoang
Copy link
Author

IanHoang commented Oct 12, 2023
edited
Loading

@dblock AWS service uses es for AWS CLI still but OSB only has a check added by a contributor a few months back:

        if aws_log_in_dict["service"] not in ['es', 'aoss']:
            self.logger.error("Service for aws log in should be one of 'es' or 'aoss'")
            raise exceptions.SystemSetupError(
                "Cannot specify service as '{}'. Accepted values are 'es' or 'aoss'.".format(
                    aws_log_in_dict["service"])
            )

Since OSB relies on opensearch-py to communicate with target clusters, I believe the contributor added this check because opensearch-py might not support aos at the moment and also has the following line:

opensearch-py/opensearchpy/helpers/signer.py

Line 51 in 84ac172

def __init__(self, credentials, region, service="es"): # type: ignore

@dblock
Copy link
Member

dblock commented Oct 12, 2023

@IanHoang That default is correct, the service code is "es". Service codes are used to scope service credentials. Do you not agree?

@IanHoang
Copy link
Author

@dblock You're right, thanks for calling this out! opensearch-py uses botocore, which still uses es. Closing this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working untriaged Need triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dblock @IanHoang