[BUG] User object deserialization prevents Rolling upgrade from version 1.x to 2.2.1

[ronniepg]

What is the bug?
User object deserialization prevents Rolling upgrade from version 1.x to 2.2.1

How can one reproduce the bug?
Steps to reproduce the behavior:

1. Setup a fresh 1.2.4 cluster with security enabled. Users, Roles, Role mapping, etc. are all maintained in the internal security index, i.e. no integration with external LDAP for authn and authz.
2. Upgrade one of the master nodes to version 2.2.1 using the tarball based installation.

The upgraded node starts up and no specific error is seen in the logs. But any API call to the upgraded cluster fails with a permission denied issue even though the user has appropriate permission to the requested resource/API.

What is the expected behavior?
The upgraded 2.2.1 node should be able to accept API requests for the existing users without any permission errors.

What is your host/environment?

• OS: OEL 7

Do you have any screenshots?
NA

Do you have any additional context?

1. rolling upgrade from latest version of OpenSearch 1.x (i.e. 1.3.5) fails as well.
2. discussed in more detail here: https://forum.opensearch.org/t/rolling-upgrade-from-version-1-x-to-2-2-1-does-not-work/11042
3. fix this by reverting back Replace opensearch class names with opendistro class names during serialization and restore them back during deserialization #1278 partially, i.e. at least the deserialization part in Base64Helper.java to get this rolling upgrade to work.

[stephen-crawford]

[TRIAGE] @cliu123 can you please take a look at this?

[cliu123]

@ronniepg Thanks for creating the issue! While we are investigating, would you please try full upgrade(bring down all nodes, upgrade all nodes and then start all nodes.)?

[ronniepg]

@cliu123 yes as noted in https://forum.opensearch.org/t/rolling-upgrade-from-version-1-x-to-2-2-1-does-not-work/11042 the full cluster restart approach works fine.

[cwperks]

@ronniepg Thank you for filing this issue, I have been able to replicate. You can find more details on this issue: #2228

[faabsen]

Follow up question. We had initially successfully migrated from ES v7.10.2 to OpenSearch v1.2.4 about a year ago.

Now while trying to upgrade directly to OpenSearch v2.4.1 we got stuck with the same errors. Therefore, we tried to upgrade via v1.3.7 without any problems in the dev environment.

Now, in the test environment we got kind of stuck as some monitors/alerts produced some errors. After deleting them, it still looks like the migration is not fully finished. After OpenSearch upgrade we note that these entries have been added to the persistent settings of the clusters:

{
  "persistent" : {
    "plugins" : {
      "index_state_management" : {
        "metadata_migration" : {
          "status" : "1"
        },
        "template_migration" : {
          "control" : "-1"
        }
      }
    }
...
}

I haven’t found any documentation around them but I guess they were used to coordinate the migration. May I delete them now that clusters are happily upgraded? Is there any documentation around these that I missed? Many thanks in advance.

[cwperks]

@opensearch-project/index-management Could someone help answer the question in the comment above? #2168 (comment)