[Alerting Error]

[mourya-satyam-888]

Describe the bug
I have upgraded opensearch from 1.3.1 to 2.7.0 , I have migrated the anomaly detectors from older to newer version but I am facing issue with editing alert created with the anomaly detector
If I create new detector with the same access I am able to edit alert config but not in case of older to newer migrated detectors
Screenshots
Getting the below error while trying to update alerting config
Alerting error: OpenSearchStatusException[User has no available detectors]

[lezzago]

@amitgalitz @kaituo

[lezzago]

Are there any logs that you can share?
Additionally, is security enabled? And is backend role filtering enabled (context)?

[mourya-satyam-888]

I have shared above thats the only log, also with admin access I am able to do the changes but with the access we have used in contributor we are not able to alter alert on existing detector(that are migrated from older version) but if we create new detector with same access and other person having same access level is able to alter alert. that was fishy but I have granted more access to ignore the same not sure why it was not working for existing but for new it was working

[kaituo]

@mourya-satyam-888

In order to provide the best assistance with your recent upgrade, could you kindly provide us with a bit more information?

• Could you please confirm if fine-grained access control has been enabled on your cluster?
• Has any backend role filtering been activated?
• Were there any changes in security control methods during the upgrade process? For instance, did you switch from IAM based security to fine-grained access control?
• Apart from the aforementioned, were there any other significant changes that you made during or after the upgrade?
• During the migration of the anomaly detectors from the older version to the new one, did the user roles differ between the creator of the old detectors and the new ones? Specifically, were the backend roles different?
• For the alerting monitors associated with these detectors, were there any discrepancies in backend roles? Do the the detector and monitor have different backend roles?

Any additional information you can provide about your upgrade and migration process will help us to provide the most accurate support and advice.

[mourya-satyam-888]

@kaituo

In order to provide the best assistance with your recent upgrade, could you kindly provide us with a bit more information?

• Could you please confirm if fine-grained access control has been enabled on your cluster?
  Not sure of this
• Has any backend role filtering been activated?
  yes we have created new backend role in newer opensearch that was not present in older one
• Were there any changes in security control methods during the upgrade process? For instance, did you switch from IAM based security to fine-grained access control?
  We have enabled Azure AD SSO login
• Apart from the aforementioned, were there any other significant changes that you made during or after the upgrade?
  mainly backend role changes I have made
• During the migration of the anomaly detectors from the older version to the new one, did the user roles differ between the creator of the old detectors and the new ones? Specifically, were the backend roles different?
  yes it differs but in new one with same access person is able to create and edit alert but can't change to the older one with same access level, with admin it was editable
• For the alerting monitors associated with these detectors, were there any discrepancies in backend roles? Do the the detector and monitor have different backend roles?
  No detector and monitor we have added in the same backend role

Any additional information you can provide about your upgrade and migration process will help us to provide the most accurate support and advice.

[amitgalitz]

Hey @mourya-satyam-888

Can you check if you have this setting enabled: plugins.anomaly_detection.filter_by_backend_roles

Additionally could you possibly provide the GET response for the detector and alerting monitor that you are unable to edit. Can obviously be redacted, but just to understand what the user info looks like for both of this now. Similar commands were ran here: opensearch-project/anomaly-detection-dashboards-plugin#438 (comment) on what I believe is a similar issue.

For fixing this for the current detectors there are a few potentially fixes:

1. If you have this setting disabled: plugins.anomaly_detection.filter_by_backend_roles and don't necessarily want extra backend role protection on detectors this is fixed in 2.9 so the issue shouldn't occur there.

2. If the setting is set to true and correctly so:

   1. If you are a managed service user on AWS you can create a ticket there and we can help change the detector configurations to have a backend role matching the one your user has.
   2. If this is your own cluster, you should have super admin access and you can change the anomaly-detector config index to add the backend role
   3. You can delete the detectors and create new ones with the wanted user.

We also have an open issue on Anomaly-Detection related to giving admins the ability to change the backend roles for any detector, however we haven't started work on that yet. Feel free to add any comments to opensearch-project/anomaly-detection#858

[mourya-satyam-888]

@amitgalitz

I have given more permissions to the contributor role and now its working and in my case edit of detector was possible but not the alert associated with the detector.

we can close this possibly as given more access worked for me not sure of what permission were missing as only existing anomaly detector alert was not editable but new one was doable.