Addressing comments , using dnfOfEmptyResultsEnabled
Signed-off-by: Bharathwaj G <bharath78910@gmail.com>
bharath-techie committed Sep 5, 2022
1 parent 953748f commit dd830b4
Showing 2 changed files with 23 additions and 20 deletions.
Expand Up @@ -61,15 +61,15 @@
/**
* This class evaluates privileges for point in time (Delete and List all) operations
*/
public class PitAccessEvaluator {
public class PitPrivilegesEvaluator {

protected final Logger log = LogManager.getLogger(this.getClass());
private boolean isDebugEnabled = log.isDebugEnabled();

public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final ClusterService clusterService,
final User user, final SecurityRoles securityRoles, final String action,
final IndexNameExpressionResolver resolver,
boolean dnfofEnabled, final PrivilegesEvaluatorResponse presponse) {
boolean dnfOfEmptyResultsEnabled, final PrivilegesEvaluatorResponse presponse) {

// Skip pit evaluation for "NodesGetAllPITs" action, since it fetches all PITs across the cluster
// for privilege evaluation
Expand All @@ -82,26 +82,26 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
return presponse;
}
return handleGetAllPitsAccess(request, clusterService, user, securityRoles,
action, resolver, dnfofEnabled, presponse);
action, resolver, dnfOfEmptyResultsEnabled, presponse);
} else if (request instanceof DeletePitRequest) {
DeletePitRequest deletePitRequest = (DeletePitRequest) request;
List<String> pitIds = deletePitRequest.getPitIds();
if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) {
return handleDeleteAllPitAccess(deletePitRequest, clusterService, user, securityRoles,
action, resolver, dnfofEnabled, presponse);
action, resolver, dnfOfEmptyResultsEnabled, presponse);
} else {
return handleExplicitPitsAccess(deletePitRequest.getPitIds(), clusterService, user, securityRoles,
action, resolver, dnfofEnabled, presponse);
action, resolver, dnfOfEmptyResultsEnabled, presponse);
}
} else if (request instanceof PitSegmentsRequest) {
PitSegmentsRequest pitSegmentsRequest = (PitSegmentsRequest) request;
List<String> pitIds = pitSegmentsRequest.getPitIds();
if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) {
return handleGetAllPitSegmentsAccess(pitSegmentsRequest, clusterService, user, securityRoles,
action, resolver, dnfofEnabled, presponse);
action, resolver, dnfOfEmptyResultsEnabled, presponse);
} else {
return handleExplicitPitsAccess(pitSegmentsRequest.getPitIds(), clusterService, user, securityRoles,
action, resolver, dnfofEnabled, presponse);
action, resolver, dnfOfEmptyResultsEnabled, presponse);
}
}
} catch(InterruptedException e) {
Expand All @@ -117,11 +117,12 @@ public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final C
private PrivilegesEvaluatorResponse handleGetAllPitsAccess(final ActionRequest request, final ClusterService clusterService,
final User user, SecurityRoles securityRoles, final String action,
IndexNameExpressionResolver resolver,
boolean dnfofEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
List<ListPitInfo> pitInfos = getAllPitInfos((GetAllPitNodesRequest) request);
// if cluster has no PITs, then allow the operation to pass with empty response
// if cluster has no PITs, then allow the operation to pass with empty response if dnfOfEmptyResultsEnabled
// config property is true, otherwise fail the operation
if(pitInfos.isEmpty()) {
if(dnfofEnabled) {
if(dnfOfEmptyResultsEnabled) {
presponse.allowed = true;
presponse.markComplete();
}
Expand Down Expand Up @@ -172,12 +173,13 @@ private PrivilegesEvaluatorResponse handleGetAllPitsAccess(final ActionRequest r
private PrivilegesEvaluatorResponse handleDeleteAllPitAccess(DeletePitRequest deletePitRequest, ClusterService clusterService,
User user, SecurityRoles securityRoles, final String action,
IndexNameExpressionResolver resolver,
boolean dnfofEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
List<String> permittedPits = new ArrayList<>();
List<String> pitIds = getAllPitIds();
// allow delete pit operation if there are no pits in the cluster ( response should be empty )
// if cluster has no PITs, then allow the operation to pass with empty response if dnfOfEmptyResultsEnabled
// config property is true, otherwise fail the operation
if(pitIds.isEmpty()) {
if(dnfofEnabled) {
if(dnfOfEmptyResultsEnabled) {
deletePitRequest.clearAndSetPitIds(pitIds);
presponse.allowed = true;
presponse.markComplete();
Expand Down Expand Up @@ -216,12 +218,13 @@ private PrivilegesEvaluatorResponse handleDeleteAllPitAccess(DeletePitRequest de
private PrivilegesEvaluatorResponse handleGetAllPitSegmentsAccess(PitSegmentsRequest pitSegmentsRequest, ClusterService clusterService,
User user, SecurityRoles securityRoles, final String action,
IndexNameExpressionResolver resolver,
boolean dnfofEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
boolean dnfOfEmptyResultsEnabled, PrivilegesEvaluatorResponse presponse) throws InterruptedException {
List<String> permittedPits = new ArrayList<>();
List<String> pitIds = getAllPitIds();
// allow pit segments operation if there are no pits in the cluster ( response should be empty )
// if cluster has no PITs, then allow the operation to pass with empty response if dnfOfEmptyResultsEnabled
// config property is true, otherwise fail the operation
if(pitIds.isEmpty()) {
if(dnfofEnabled) {
if(dnfOfEmptyResultsEnabled) {
pitSegmentsRequest.clearAndSetPitIds(pitIds);
presponse.allowed = true;
presponse.markComplete();
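Review bot: In all three `_all` handlers (`handleGetAllPitsAccess`, `handleDeleteAllPitAccess`, `handleGetAllPitSegmentsAccess`) the empty-cluster branch sets `presponse.allowed = true` from cluster state and `dnfOfEmptyResultsEnabled` alone, with no check against `securityRoles` visible before it in these hunks. The result a caller sees can therefore differ between "no PITs exist" and whatever the role check yields once PITs do exist, so the comment should state the authorization consequence, for example `// dnfOfEmptyResultsEnabled: the request is allowed with an empty result when the cluster holds no PITs, without consulting securityRoles`. The delete and segments handlers also replace `_all` with an empty id list through `clearAndSetPitIds(pitIds)`; that is safe only if the downstream action treats an empty list as "nothing" rather than as a wildcard, which is not visible here and deserves a test. The handler bodies continue outside the shown hunks, including the branch taken when the flag is false.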
Expand Up @@ -130,7 +130,7 @@ public class PrivilegesEvaluator {
private final SecurityIndexAccessEvaluator securityIndexAccessEvaluator;
private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
private final TermsAggregationEvaluator termsAggregationEvaluator;
private final PitAccessEvaluator pitAccessEvaluator;
private final PitPrivilegesEvaluator pitPrivilegesEvaluator;
private final boolean dlsFlsEnabled;
private final boolean dfmEmptyOverwritesAll;
private DynamicConfigModel dcm;
Expand Down Expand Up @@ -159,7 +159,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
securityIndexAccessEvaluator = new SecurityIndexAccessEvaluator(settings, auditLog, irr);
protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
termsAggregationEvaluator = new TermsAggregationEvaluator();
pitAccessEvaluator = new PitAccessEvaluator();
pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
this.namedXContentRegistry = namedXContentRegistry;
this.dlsFlsEnabled = dlsFlsEnabled;
this.dfmEmptyOverwritesAll = settings.getAsBoolean(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false);
Expand Down Expand Up @@ -285,8 +285,8 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
}

// check access for point in time requests
if(pitAccessEvaluator.evaluate(request, clusterService, user, securityRoles,
action0, resolver, dcm.isDnfofEnabled(), presponse).isComplete()) {
if(pitPrivilegesEvaluator.evaluate(request, clusterService, user, securityRoles,
action0, resolver, dcm.isDnfofForEmptyResultsEnabled(), presponse).isComplete()) {
return presponse;
}
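Review bot: Nothing at this call site records that the early `return presponse` can be an allow decision governed solely by `dcm.isDnfofForEmptyResultsEnabled()`, and that the checks later in `evaluate` are skipped whenever the PIT evaluator marks the response complete. A comment above the `if` would make that explicit, for example `// PIT requests: may complete with allowed=true on an empty cluster when dnfof-for-empty-results is enabled; the checks below are then not run`. Because the gating flag changed from `isDnfofEnabled()`, tests covering both values of the new flag for an `_all` request on an empty cluster would pin the intended behaviour. The parameter is spelled `dnfOfEmptyResultsEnabled` while the getter is `isDnfofForEmptyResultsEnabled`; aligning the two names would make the flag easier to trace. The body of `evaluate` starts and ends outside this hunk.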

