# opensearch-monitoring

Part of **OPENSEARCH**

# OpenSearch Instance and Resource Management Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|--------|---------|------------------|
| Unauthorized Access to Monitoring Metrics | Error message: `Call not authorized` when viewing monitoring metrics | High | Grant authorization via Alibaba Cloud account or admin with AliyunRAMFullAccess |
| RAM User Lacks Required Permissions | RAM user cannot access monitoring pages despite valid login | Medium | Ensure RAM user is authorized through the console workflow by an admin |
| Missing Initial Authorization Setup | Monitoring page shows error even after correct navigation | Medium | Complete one-time authorization using an account with AliyunRAMFullAccess |

## Problem Details

### Problem 1: Unauthorized Access to Monitoring Metrics

**Symptoms**
- Error message: `Call not authorized`
- Behavior: When a RAM user navigates to the Monitoring Metrics page in the Retrieval Engine Edition console, the page displays an error instead of showing metrics
- Context: Occurs during initial access to monitoring features by a RAM user who has not been granted explicit authorization

**Root Cause**
- The RAM user does not have sufficient permissions to access monitoring data
- Authorization must be explicitly granted once by an Alibaba Cloud account owner or an administrator with the `AliyunRAMFullAccess` policy
- This is a security control to prevent unauthorized access to operational metrics

**Solution**
1. Log in to the [Retrieval Engine Edition console](https://retreival-engine.console.aliyun.com) as the RAM user encountering the error
2. In the left navigation panel, click **Monitoring Metrics**
3. On the error page, click the **authorization link** in the main content area
4. You will be redirected to log in again—this time, use an **Alibaba Cloud account** or an **administrator account** that has the `AliyunRAMFullAccess` policy attached
5. After logging in with the privileged account, click the **Complete authorization** button in the main content area

**Verification**
- Return to the Monitoring Metrics page as the original RAM user
- The metrics dashboard should now load successfully without the `Call not authorized` error
- Expected behavior: Real-time CPU, memory, and query performance indicators are displayed

### Problem 2: RAM User Lacks Required Permissions

**Symptoms**
- RAM user can log in to the console but receives access-denied behavior on monitoring-related pages
- No explicit error code, but UI elements (charts, tables) fail to load
- Other non-monitoring features may work normally

**Root Cause**
- While the RAM user has general access to the service, they lack the specific delegation required to view monitoring data
- Monitoring access requires a one-time cross-account authorization that is not part of standard RAM policies

**Solution**
1. Follow the same steps as in Problem 1:
   - Navigate to **Monitoring Metrics** as the RAM user
   - Click the **authorization link**
   - Log in with an Alibaba Cloud account or admin with `AliyunRAMFullAccess`
   - Click **Complete authorization**
2. No additional RAM policy attachments are needed—the console handles the delegation internally

**Verification**
- Refresh the Monitoring Metrics page as the RAM user
- Confirm that all metric panels (e.g., QPS, latency, resource usage) render correctly
- If metrics appear, authorization was successful

### Problem 3: Missing Initial Authorization Setup

**Symptoms**
- First-time attempt to view monitoring metrics fails with `Call not authorized`
- Administrator assumes permissions are inherited or automatic
- Repeated logins do not resolve the issue

**Root Cause**
- The system requires an explicit, manual authorization step before any RAM user can access monitoring data
- This step cannot be automated via API or CLI—it must be performed through the console UI by a privileged account

**Solution**
1. Ensure you have access to either:
   - The Alibaba Cloud root account, or
   - An administrator account with the `AliyunRAMFullAccess` policy
2. As the affected RAM user, go to **Console > Retrieval Engine Edition > Monitoring Metrics**
3. Click the **authorization link** shown on the error screen
4. Switch context and log in with the privileged account
5. Click **Complete authorization** to finalize the setup

> **Note**: This is a one-time action per Alibaba Cloud account. Once completed, all authorized RAM users can access monitoring without repeating this step.

**Verification**
- Have the RAM user reload the Monitoring Metrics page
- Successful load confirms the initial authorization was properly established
- Check that historical and real-time metrics are visible

## FAQ

**Q: What causes the "Call not authorized" error on the monitoring page?**  
A: This error occurs when a RAM user attempts to access monitoring metrics without prior authorization. An Alibaba Cloud account owner or administrator with the `AliyunRAMFullAccess` policy must complete a one-time authorization via the console.

**Q: Can I grant monitoring access using RAM policies instead of the console workflow?**  
A: No. Monitoring access for the Retrieval Engine Edition requires a specific console-based authorization step that cannot be replicated through RAM policy configuration alone. The `AliyunRAMFullAccess` policy is only needed temporarily to complete this step.

**Q: How do I verify that monitoring access has been successfully granted?**  
A: Log in as the RAM user and navigate to the Monitoring Metrics page. If the dashboard loads and displays performance indicators (e.g., queries per second, CPU usage), access has been granted. Persistent `Call not authorized` errors indicate the authorization step was not completed.

**Q: Does every RAM user need individual authorization?**  
A: No. Once an administrator completes the authorization using an account with `AliyunRAMFullAccess`, all RAM users under that Alibaba Cloud account gain access to monitoring metrics—no per-user setup is required.

**Q: Is there an API or CLI command to enable monitoring access?**  
A: No. The authorization must be performed through the web console using the UI workflow described in the solution steps. There is no programmatic alternative available.