Skip to content

Commit

Permalink
Rename auth failure listeners & add permission support (opensearch-pr…
Browse files Browse the repository at this point in the history
…oject#4713)

Signed-off-by: Derek Ho <dxho@amazon.com>
  • Loading branch information
derek-ho authored Sep 12, 2024
1 parent 014c8de commit c6988fb
Show file tree
Hide file tree
Showing 8 changed files with 14 additions and 22 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ public enum Endpoint {
PERMISSIONSINFO,
AUTHTOKEN,
TENANTS,
AUTHFAILURELISTENERS,
RATELIMITERS,
MIGRATE,
VALIDATE,
WHITELIST,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
import static org.opensearch.security.securityconf.impl.v7.ConfigV7.MAX_TRACKED_CLIENTS_DEFAULT;
import static org.opensearch.security.securityconf.impl.v7.ConfigV7.TIME_WINDOW_SECONDS_DEFAULT;

public class AuthFailureListenersApiAction extends AbstractApiAction {
public class RateLimitersApiAction extends AbstractApiAction {

public static final String IP_TYPE = "ip";

Expand All @@ -75,18 +75,14 @@ public class AuthFailureListenersApiAction extends AbstractApiAction {
)
);

protected AuthFailureListenersApiAction(
ClusterService clusterService,
ThreadPool threadPool,
SecurityApiDependencies securityApiDependencies
) {
super(Endpoint.AUTHFAILURELISTENERS, clusterService, threadPool, securityApiDependencies);
protected RateLimitersApiAction(ClusterService clusterService, ThreadPool threadPool, SecurityApiDependencies securityApiDependencies) {
super(Endpoint.RATELIMITERS, clusterService, threadPool, securityApiDependencies);
this.requestHandlersBuilder.configureRequestHandlers(this::authFailureConfigApiRequestHandlers);
}

@Override
public String getName() {
return "Auth failure listener actions to Retrieve / Update configs.";
return "Rate limiter actions to retrieve / update configs.";
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ default String build() {
.put(Endpoint.CONFIG, action -> buildEndpointActionPermission(Endpoint.CONFIG, action))
.put(Endpoint.INTERNALUSERS, action -> buildEndpointPermission(Endpoint.INTERNALUSERS))
.put(Endpoint.NODESDN, action -> buildEndpointPermission(Endpoint.NODESDN))
.put(Endpoint.RATELIMITERS, action -> buildEndpointPermission(Endpoint.RATELIMITERS))
.put(Endpoint.ROLES, action -> buildEndpointPermission(Endpoint.ROLES))
.put(Endpoint.ROLESMAPPING, action -> buildEndpointPermission(Endpoint.ROLESMAPPING))
.put(Endpoint.TENANTS, action -> buildEndpointPermission(Endpoint.TENANTS))
Expand Down Expand Up @@ -98,13 +99,6 @@ public boolean isCurrentUserAdminFor(final Endpoint endpoint, final String actio
return false;
}
if (adminDNs.isAdmin(userAndRemoteAddress.getLeft())) {
if (logger.isDebugEnabled()) {
logger.debug(
"Security admin permissions required for endpoint {} but {} is not an admin",
endpoint,
userAndRemoteAddress.getLeft().getName()
);
}
return true;
}
if (!ENDPOINTS_WITH_PERMISSIONS.containsKey(endpoint)) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@ public static Collection<RestHandler> getHandler(
new AllowlistApiAction(Endpoint.ALLOWLIST, clusterService, threadPool, securityApiDependencies),
new AuditApiAction(clusterService, threadPool, securityApiDependencies),
new MultiTenancyConfigApiAction(clusterService, threadPool, securityApiDependencies),
new AuthFailureListenersApiAction(clusterService, threadPool, securityApiDependencies),
new RateLimitersApiAction(clusterService, threadPool, securityApiDependencies),
new ConfigUpgradeApiAction(clusterService, threadPool, securityApiDependencies),
new SecuritySSLCertsApiAction(clusterService, threadPool, securityKeyStore, certificatesReloadEnabled, securityApiDependencies),
new CertificatesApiAction(clusterService, threadPool, securityApiDependencies)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -145,7 +145,8 @@ protected List<String> restApiAdminPermissions() {
"restapi:admin/rolesmapping",
"restapi:admin/ssl/certs/info",
"restapi:admin/ssl/certs/reload",
"restapi:admin/tenants"
"restapi:admin/tenants",
"restapi:admin/ratelimiters"
);
}

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
import static org.hamcrest.core.IsEqual.equalTo;
import static org.hamcrest.core.StringContains.containsString;

public class AuthFailureListenersApiActionTest extends AbstractRestApiUnitTest {
public class RateLimitersApiActionTest extends AbstractRestApiUnitTest {

private static final Header ADMIN_FULL_ACCESS_USER = encodeBasicHeader("admin_all_access", "admin_all_access");
private static final Header USER_NO_REST_API_ACCESS = encodeBasicHeader("admin", "admin");
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,11 @@
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

public class AuthFailureListenersApiActionValidationTest extends AbstractApiActionValidationTest {
public class RateLimitersApiActionValidationTest extends AbstractApiActionValidationTest {

@Test
public void validateAllowedFields() throws IOException {
final var authFailureListenerApiActionRequestContentValidator = new AuthFailureListenersApiAction(
final var authFailureListenerApiActionRequestContentValidator = new RateLimitersApiAction(
clusterService,
threadPool,
securityApiDependencies
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -405,7 +405,8 @@ private List<String> restAdminPermissions() {
"restapi:admin/rolesmapping",
"restapi:admin/ssl/certs/info",
"restapi:admin/ssl/certs/reload",
"restapi:admin/tenants"
"restapi:admin/tenants",
"restapi:admin/ratelimiters"
);
}

Expand Down

0 comments on commit c6988fb

Please sign in to comment.