How to fiw error 'Cannot deserialize instance of `java.lang.String` out of START_ARRAY token'?

Hi

I am getting an error when I run the secirityadmin.sh (option -cd) script to deploy a modification that I created in roles.yml

here is the output of the command along with the error

Open Distro Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for ‘config’ created or updated

ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot deserialize instance of java.lang.String out of START_ARRAY token
at [Source: (String)"{"_meta":{“type”:“roles”,“config_version”:2},“kibana_read_only”:{“reserved”:true},“security_rest_api_access”:{“reserved”:true},“alerting_read_access”:{“reserved”:true,"cluster_permissions":[“cluster:admin/opendistro/alerting/alerts/get”,“cluster:admin/opendistro/alerting/destination/get”,“cluster:admin/opendistro/alerting/monitor/get”,“cluster:admin/opendistro/alerting/monitor/search”]},“alerting_ack_alerts”:{“reserved”:true,“cluster_permissions”:[“cluster:admin/opendistro/alerting/alerts/*”]},""[truncated 5181 chars]; line: 1, column: 3308] (through reference chain: com.amazon.opendistroforelasticsearch.security.securityconf.impl.SecurityDynamicConfiguration[“SYSTEME_ABC-XYZ”]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7[“index_permissions”]->java.util.ArrayList[0]->com.amazon.opendistroforelasticsearch.security.securityconf.impl.v7.RoleV7$Index[“dls”])

Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for ‘tenants’ created or updated
Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for ‘nodesdn’ created or updated
Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for ‘whitelist’ created or updated
Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for ‘audit’ created or updated
ERR: cannot upload configuration, see errors above
command terminated with exit code 255

And here is the roles.yml configuration that I want to deploy

##### automated generated for roles.yml #####
    
SYSTEME_ABC-XYZ:
  reserved: false
  hidden: false
  cluster_permissions:
    - 'cluster_composite_ops'
  index_permissions:
    - index_patterns:
        - 'abc*logs-socles*'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'
    - index_patterns:
        - 'abc*logs-2*'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'
    - index_patterns:
        - '.kibana'
      dls: []
      fls: []
      masked_fields: []
      allowed_actions:
        - 'read'
        - 'kibana_all_read'

My guess is that the script do not detect the list of permissions well, given that there are 3 index patterns declared in my config.

Am I right or do I missing another aspect of the roles.yml syntax ?

Hi @Kamikague

It’s your syntax issue. You have

dls:[ ]

instead

dls: “”

Just checked on 1.13.1 and all is working.

image

1 Like

Thank You @pablo it works

1 Like