Point in time security changes #2094
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bharath-techie
force-pushed
the
main
branch
from
ddfe5d2
to
98cb17f
Compare
Signed-off-by: Bharathwaj G <bharath78910@gmail.com>
bharath-techie
force-pushed
the
main
branch
from
98cb17f
to
0e0affc
Compare
peternied
requested changes
Sep 20, 2022
src/main/java/org/opensearch/security/privileges/PitPrivilegesEvaluator.java
Outdated
Show resolved
Hide resolved
| User user, SecurityRoles securityRoles, final String action, | ||
| IndexNameExpressionResolver resolver) { | ||
| final ImmutableSet<String> pitImmutableIndices = ImmutableSet.copyOf(pitIndices); | ||
| final IndexResolverReplacer.Resolved pitResolved = |
There was a problem hiding this comment.
How does this resolve with aliases or data streams?
There was a problem hiding this comment.
Good question - don't think this logic handles other than local indices.
final ResolvedIndicesProvider resolvedIndicesProvider = new ResolvedIndicesProvider(request);
getOrReplaceAllIndices(request, resolvedIndicesProvider, false);
return resolvedIndicesProvider.resolved(indicesOptionsFrom(request))
I think i have to use this logic instead. Let me try debugging and update this.
One problem with integration tests is that current framework doesn't let me pass body to 'delete I can validate only '_all' requests. |
|
For these scenarios that aren't included in the test framework, could you add overloads that cover these scenarios? |
Signed-off-by: Bharathwaj G <bharath78910@gmail.com>
peternied
requested changes
Sep 22, 2022
Signed-off-by: Bharathwaj G <bharath78910@gmail.com>
I've addressed the question about data stream / aliases. And also have added the tests validating the same. |
|
@bharath-techie It looks like there are build issues impacting the CI. I'm happy to approve once we see those tests are passing |
|
@peternied |
47 tasks
Codecov Report
@@ Coverage Diff @@
## main #2094 +/- ##
============================================
+ Coverage 61.01% 61.08% +0.06%
- Complexity 3229 3241 +12
============================================
Files 256 257 +1
Lines 18101 18135 +34
Branches 3229 3235 +6
============================================
+ Hits 11044 11077 +33
Misses 5475 5475
- Partials 1582 1583 +1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
Hi @peternied, |
peternied
approved these changes
Oct 6, 2022
DarshitChanpura
approved these changes
Oct 7, 2022
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Nov 2, 2022
Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> (cherry picked from commit 207cfcc)
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Nov 2, 2022
Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> (cherry picked from commit 207cfcc)
peternied
pushed a commit
that referenced
this pull request
Nov 3, 2022
Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> (cherry picked from commit 207cfcc)
peternied
pushed a commit
that referenced
this pull request
Nov 3, 2022
Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> (cherry picked from commit 207cfcc) Co-authored-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com>
3 tasks
stephen-crawford
pushed a commit
to stephen-crawford/security
that referenced
this pull request
Nov 10, 2022
Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> Signed-off-by: Stephen Crawford <steecraw@amazon.com>
wuychn
pushed a commit
to ochprince/security
that referenced
this pull request
Mar 16, 2023
…project#2224) Description For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions. If user has permission to all indices of PIT, then PIT is permitted to the user. Only when the user has permissions for all PITs in the request, then we allow the operation. For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code Alias and data stream behavior : PIT IDs always contain the resolved indices ( underlying indices ) when saved. Based on this, For alias, user must have either 'index' or 'alias' permission for any PIT operation. For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation. With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission. Signed-off-by: Bharathwaj G <bharath78910@gmail.com> Signed-off-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com> (cherry picked from commit 207cfcc) Co-authored-by: Bharathwaj G <58062316+bharath-techie@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Bharathwaj G bharath78910@gmail.com
Description
Alias and data stream behavior :
Refer to :
#2087 (comment)
New feature - Modification to point in time security model
We're making these changes to enhance the security model of PIT as per review comments from opensearch community
Issues Resolved
#2087
opensearch-project/OpenSearch#3959
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.