Skip to content

Commit

Permalink
Introduce dfm_empty_overrides_all setting to enable role without dls/…
Browse files Browse the repository at this point in the history 
…fls to override roles with dls/fls (opensearch-project#1735)

* Introduce dfm_empty_overrides_all setting to enable role without dls/fls to override roles with dls/fls

Signed-off-by: cliu123 <lc12251109@gmail.com>

Co-authored-by: jochenkressin <jkressin@floragunn.com>
Co-authored-by: Ralph Ursprung <39383228+rursprung@users.noreply.github.com>
  • Loading branch information
@cliu123 @jochenkressin @rursprung
3 people authored Apr 12, 2022
1 parent 0b53c88 commit 286da6c
Show file tree
Hide file tree
Showing 11 changed files with 398 additions and 14 deletions.
1 change: 1 addition & 0 deletions src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -917,6 +917,7 @@ public List<Setting<?>> getSettings() {
settings.add(Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Property.NodeScope, Property.Filtered));
settings.add(Setting.boolSetting(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Property.NodeScope, Property.Filtered));
settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Property.NodeScope)); //not filtered here

settings.add(Setting.simpleString(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, Property.NodeScope, Property.Filtered));
Expand Down
4 changes: 3 additions & 1 deletion src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,7 @@ public class PrivilegesEvaluator {
private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
private final TermsAggregationEvaluator termsAggregationEvaluator;
private final boolean dlsFlsEnabled;
private final boolean dfmEmptyOverwritesAll;
private DynamicConfigModel dcm;
private final NamedXContentRegistry namedXContentRegistry;

Expand Down Expand Up @@ -164,6 +165,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
termsAggregationEvaluator = new TermsAggregationEvaluator();
this.namedXContentRegistry = namedXContentRegistry;
this.dlsFlsEnabled = dlsFlsEnabled;
this.dfmEmptyOverwritesAll = settings.getAsBoolean(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false);
}

@Subscribe
Expand Down Expand Up @@ -292,7 +294,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
log.trace("dnfof enabled? {}", dnfofEnabled);
}

presponse.evaluatedDlsFlsConfig = getSecurityRoles(mappedRoles).getDlsFls(user, resolver, clusterService, namedXContentRegistry);
presponse.evaluatedDlsFlsConfig = getSecurityRoles(mappedRoles).getDlsFls(user, dfmEmptyOverwritesAll, resolver, clusterService, namedXContentRegistry);


if (isClusterPerm(action0)) {
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -364,7 +364,7 @@ public SecurityRoles filter(Set<String> keep) {


@Override
public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver resolver, ClusterService cs,
public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, IndexNameExpressionResolver resolver, ClusterService cs,
NamedXContentRegistry namedXContentRegistry) {

final Map<String, Set<String>> dlsQueries = new HashMap<String, Set<String>>();
Expand Down
53 changes: 42 additions & 11 deletions src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,7 @@ public SecurityRoles filter(Set<String> keep) {


@Override
public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver resolver, ClusterService cs,
public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, IndexNameExpressionResolver resolver, ClusterService cs,
NamedXContentRegistry namedXContentRegistry) {


Expand All @@ -366,18 +366,28 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver re
Map<String, Set<String>> dlsQueriesByIndex = new HashMap<String, Set<String>>();
Map<String, Set<String>> flsFields = new HashMap<String, Set<String>>();
Map<String, Set<String>> maskedFieldsMap = new HashMap<String, Set<String>>();

// we capture all concrete indices that do not have any
// DLS/FLS/Masked Fields restrictions. If the dfm_empty_overwrites_all
// switch is enabled, this trumps any restrictions on those indices
// that may be imposed by other roles.
Set<String> noDlsConcreteIndices = new HashSet<>();
Set<String> noFlsConcreteIndices = new HashSet<>();
Set<String> noMaskedFieldConcreteIndices = new HashSet<>();

for (SecurityRole role : roles) {
for (IndexPattern ip : role.getIpatterns()) {
Set<String> concreteIndices;
concreteIndices = ip.getResolvedIndexPattern(user, resolver, cs);
concreteIndices = ip.getResolvedIndexPattern(user, resolver, cs, false);
String dls = ip.getDlsQuery(user);

if (dls != null && dls.length() > 0) {

for (String concreteIndex : concreteIndices) {
dlsQueriesByIndex.computeIfAbsent(concreteIndex, (key) -> new HashSet<String>()).add(dls);
}
} else if (dfmEmptyOverwritesAll) {
noDlsConcreteIndices.addAll(concreteIndices);
}

Set<String> fls = ip.getFls();
Expand All @@ -392,6 +402,8 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver re
flsFields.get(concreteIndex).addAll(Sets.newHashSet(fls));
}
}
} else if (dfmEmptyOverwritesAll) {
noFlsConcreteIndices.addAll(concreteIndices);
}

Set<String> maskedFields = ip.getMaskedFields();
Expand All @@ -406,8 +418,25 @@ public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver re
maskedFieldsMap.get(concreteIndex).addAll(Sets.newHashSet(maskedFields));
}
}
}
} else if (dfmEmptyOverwritesAll) {
noMaskedFieldConcreteIndices.addAll(concreteIndices);
}
}
}
if (dfmEmptyOverwritesAll) {
if (log.isDebugEnabled()) {
log.debug("Index patterns with no dls queries attached: {} - They will be removed from {}", noDlsConcreteIndices,
dlsQueriesByIndex.keySet());
log.debug("Index patterns with no fls fields attached: {} - They will be removed from {}", noFlsConcreteIndices,
flsFields.keySet());
log.debug("Index patterns with no masked fields attached: {} - They will be removed from {}", noMaskedFieldConcreteIndices,
maskedFieldsMap.keySet());
}
// removing the indices that do not have D/M/F restrictions
// from the keySet will also modify the underlying map
dlsQueriesByIndex.keySet().removeAll(noDlsConcreteIndices);
flsFields.keySet().removeAll(noFlsConcreteIndices);
maskedFieldsMap.keySet().removeAll(noMaskedFieldConcreteIndices);
}

return new EvaluatedDlsFlsConfig(dlsQueriesByIndex, flsFields, maskedFieldsMap);
Expand Down Expand Up @@ -530,7 +559,7 @@ private Set<String> getAllResolvedPermittedIndices(Resolved resolved, User user,
// }
if (patternMatch) {
//resolved but can contain patterns for nonexistent indices
final WildcardMatcher permitted = WildcardMatcher.from(p.getResolvedIndexPattern(user, resolver, cs)); //maybe they do not exist
final WildcardMatcher permitted = WildcardMatcher.from(p.getResolvedIndexPattern(user, resolver, cs, true)); //maybe they do not exist
final Set<String> res = new HashSet<>();
if (!resolved.isLocalAll() && !resolved.getAllIndices().contains("*") && !resolved.getAllIndices().contains("_all")) {
//resolved but can contain patterns for nonexistent indices
Expand Down Expand Up @@ -722,7 +751,7 @@ public String getUnresolvedIndexPattern(User user) {
return replaceProperties(indexPattern, user);
}

public Set<String> getResolvedIndexPattern(User user, IndexNameExpressionResolver resolver, ClusterService cs) {
public Set<String> getResolvedIndexPattern(User user, IndexNameExpressionResolver resolver, ClusterService cs, boolean appendUnresolved) {
String unresolved = getUnresolvedIndexPattern(user);
WildcardMatcher matcher = WildcardMatcher.from(unresolved);
String[] resolved = null;
Expand All @@ -744,10 +773,12 @@ public Set<String> getResolvedIndexPattern(User user, IndexNameExpressionResolve
if (resolved == null || resolved.length == 0) {
return ImmutableSet.of(unresolved);
} else {
return ImmutableSet.<String>builder()
.addAll(Arrays.asList(resolved))
.add(unresolved)
.build();
ImmutableSet.Builder<String> builder = ImmutableSet.<String>builder()
.addAll(Arrays.asList(resolved));
if (appendUnresolved) {
builder.add(unresolved);
}
return builder.build();
}
}

Expand Down Expand Up @@ -963,12 +994,12 @@ private static boolean impliesTypePerm(Set<IndexPattern> ipatterns, Resolved res
indexMatcherAndPermissions = ipatterns
.stream()
.filter(indexPattern -> "*".equals(indexPattern.getUnresolvedIndexPattern(user)))
.map(p -> new IndexMatcherAndPermissions(p.getResolvedIndexPattern(user, resolver, cs), p.perms))
.map(p -> new IndexMatcherAndPermissions(p.getResolvedIndexPattern(user, resolver, cs, true), p.perms))
.toArray(IndexMatcherAndPermissions[]::new);
} else {
indexMatcherAndPermissions = ipatterns
.stream()
.map(p -> new IndexMatcherAndPermissions(p.getResolvedIndexPattern(user, resolver, cs), p.perms))
.map(p -> new IndexMatcherAndPermissions(p.getResolvedIndexPattern(user, resolver, cs, true), p.perms))
.toArray(IndexMatcherAndPermissions[]::new);
}
return resolvedRequestedIndices
Expand Down
2 changes: 1 addition & 1 deletion src/main/java/org/opensearch/security/securityconf/SecurityRoles.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ public interface SecurityRoles {

boolean get(Resolved requestedResolved, User user, String[] allIndexPermsRequiredA, IndexNameExpressionResolver resolver, ClusterService clusterService);

EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver resolver, ClusterService clusterService, NamedXContentRegistry namedXContentRegistry);
EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, IndexNameExpressionResolver resolver, ClusterService clusterService, NamedXContentRegistry namedXContentRegistry);

Set<String> getAllPermittedIndicesForDashboards(Resolved resolved, User user, String[] actions, IndexNameExpressionResolver resolver, ClusterService cs);

Expand Down
1 change: 1 addition & 0 deletions src/main/java/org/opensearch/security/support/ConfigConstants.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -240,6 +240,7 @@ public class ConfigConstants {
public static final String LEGACY_OPENDISTRO_SECURITY_CONFIG_SSL_DUAL_MODE_ENABLED = "opendistro_security_config.ssl_dual_mode_enabled";
public static final String SECURITY_SSL_CERT_RELOAD_ENABLED = "plugins.security.ssl_cert_reload_enabled";
public static final String SECURITY_DISABLE_ENVVAR_REPLACEMENT = "plugins.security.disable_envvar_replacement";
public static final String SECURITY_DFM_EMPTY_OVERRIDES_ALL = "plugins.security.dfm_empty_overrides_all";

public enum RolesMappingResolution {
MAPPING_ONLY,
Expand Down
Loading

0 comments on commit 286da6c

Please sign in to comment.