opensearch-project · shikharj05 · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025 · Feb 18, 2025
@@ -20,7 +20,7 @@ admin:
 anomalyadmin:
   hash: "$2y$12$TRwAAJgnNo67w3rVUz4FIeLx9Dy/llB79zf9I15CKJ9vkM4ZzAd3."
   reserved: false
-  opendistro_security_roles:
+  opensearch_security_roles:
   - "anomaly_full_access"
   description: "Demo anomaly admin user, using internal role"
 

@@ -43,6 +43,8 @@
 import static org.opensearch.security.api.PatchPayloadHelper.addOp;
 import static org.opensearch.security.api.PatchPayloadHelper.patch;
 import static org.opensearch.security.api.PatchPayloadHelper.replaceOp;
+import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.OPENDISTRO_SECURITY_ROLES;
+import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.OPENSEARCH_SECURITY_ROLES;
 import static org.opensearch.security.dlic.rest.api.InternalUsersApiAction.RESTRICTED_FROM_USERNAME;
 
 public class InternalUsersRestApiIntegrationTest extends AbstractConfigEntityApiIntegrationTest {
@@ -149,13 +151,17 @@ static ToXContentObject internalUser(
                 builder.field("attributes", attributes);
             }
             if (securityRoles != null) {
-                builder.field("opendistro_security_roles");
+                builder.field(getRoleField());
                 securityRoles.toXContent(builder, params);
             }
             return builder.endObject();
         };
     }
 
+    private static String getRoleField() {
+        return randomFrom(List.of(OPENDISTRO_SECURITY_ROLES, OPENSEARCH_SECURITY_ROLES));
+    }
+
     static ToXContentObject defaultServiceUser() {
         return serviceUser(null, null, null); // default user is disabled
     }

@@ -18,6 +18,8 @@
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 
 import org.opensearch.cluster.service.ClusterService;
 import org.opensearch.common.inject.Inject;
@@ -51,8 +53,17 @@
 
 public class InternalUsersApiAction extends AbstractApiAction {
 
+    private static final Logger log = LogManager.getLogger(InternalUsersApiAction.class);
     private final PasswordHasher passwordHasher;
 
+    /**
+     * @deprecated Use opensearch_security_roles instead. This field will be removed in a future release.
+     */
+    @Deprecated
+    public static final String OPENDISTRO_SECURITY_ROLES = "opendistro_security_roles";
+
+    public static final String OPENSEARCH_SECURITY_ROLES = "opensearch_security_roles";
+
     @Override
     protected void consumeParameters(final RestRequest request) {
         request.param("name");
@@ -183,8 +194,7 @@ ValidationResult<SecurityConfiguration> validateSecurityRoles(final SecurityConf
             rolesConfiguration -> loadConfiguration(CType.ROLESMAPPING, false, false).map(roleMappingsConfiguration -> {
                 final var contentAsNode = (ObjectNode) securityConfiguration.requestContent();
                 final var securityJsonNode = new SecurityJsonNode(contentAsNode);
-                var securityRoles = securityJsonNode.get("opendistro_security_roles").asList();
-                securityRoles = securityRoles == null ? List.of() : securityRoles;
+                var securityRoles = getRoles(securityJsonNode);
                 final var rolesValid = endpointValidator.validateRoles(securityRoles, rolesConfiguration);
                 if (!rolesValid.isValid()) {
                     return ValidationResult.error(rolesValid.status(), rolesValid.errorMessage());
@@ -202,6 +212,22 @@ ValidationResult<SecurityConfiguration> validateSecurityRoles(final SecurityConf
         );
     }
 
+    private List<String> getRoles(SecurityJsonNode content) {
+        List<String> roles = content.get(OPENSEARCH_SECURITY_ROLES).asList();
+        // Fall back to deprecated field if new field is not present
+        if (roles == null) {
+            roles = content.get(OPENDISTRO_SECURITY_ROLES).asList();
+            if (roles != null) {
+                log.warn(
+                    "The field '{}' is deprecated and will be removed in a future release. Please use '{}' instead.",
+                    OPENDISTRO_SECURITY_ROLES,
+                    OPENSEARCH_SECURITY_ROLES
+                );
+            }
+        }
+        return roles != null ? roles : List.of();
+    }
+
     ValidationResult<SecurityConfiguration> createOrUpdateAccount(
         final RestRequest request,
         final SecurityConfiguration securityConfiguration
@@ -309,7 +335,8 @@ public Map<String, RequestContentValidator.DataType> allowedKeys() {
                         return allowedKeys.put("backend_roles", DataType.ARRAY)
                             .put("attributes", DataType.OBJECT)
                             .put("description", DataType.STRING)
-                            .put("opendistro_security_roles", DataType.ARRAY)
+                            .put(OPENDISTRO_SECURITY_ROLES, DataType.ARRAY)
+                            .put(OPENSEARCH_SECURITY_ROLES, DataType.ARRAY)
                             .put("hash", DataType.STRING)
                             .put("password", DataType.STRING)
                             .build();

@@ -359,12 +359,19 @@ public List<String> getSecurityRoles(String user) {
 
             // Security roles should only contain roles that exist in the roles dynamic config.
             // We should filter out any roles that have hidden rolesmapping.
-            return tmp == null
-                ? ImmutableList.of()
-                : tmp.getOpendistro_security_roles()
+            if (tmp == null) {
+                return ImmutableList.of();
+            } else if (!tmp.getOpensearch_security_roles().isEmpty()) {
+                return tmp.getOpensearch_security_roles()
                     .stream()
                     .filter(role -> !isRolesMappingHidden(role) && rolesV7SecurityDynamicConfiguration.exists(role))
                     .collect(ImmutableList.toImmutableList());
+            } else {
+                return tmp.getOpendistro_security_roles()
+                    .stream()
+                    .filter(role -> !isRolesMappingHidden(role) && rolesV7SecurityDynamicConfiguration.exists(role))
+                    .collect(ImmutableList.toImmutableList());
+            }
         }
 
         // Remove any hidden rolesmapping from the security roles

@@ -51,6 +51,7 @@ public class InternalUserV7 implements Hideable, Hashed, StaticDefinable {
     private Map<String, String> attributes = Collections.emptyMap();
     private String description;
     private List<String> opendistro_security_roles = Collections.emptyList();
+    private List<String> opensearch_security_roles = Collections.emptyList();
 
     private InternalUserV7(String hash, boolean reserved, boolean hidden, List<String> backend_roles, Map<String, String> attributes) {
         super();
@@ -117,6 +118,16 @@ public List<String> getOpendistro_security_roles() {
 
     public void setOpendistro_security_roles(List<String> opendistro_security_roles) {
         this.opendistro_security_roles = opendistro_security_roles;
+        this.opensearch_security_roles = opendistro_security_roles;
+    }
+
+    public List<String> getOpensearch_security_roles() {
+        return opensearch_security_roles;
+    }
+
+    public void setOpensearch_security_roles(List<String> opensearch_security_roles) {
+        this.opendistro_security_roles = opensearch_security_roles;
+        this.opensearch_security_roles = opensearch_security_roles;
     }
 
     public Map<String, String> getAttributes() {