diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
index 34d1746be72f1..06cfb360c4423 100644
--- a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroIdentityPlugin.java
@@ -15,13 +15,13 @@
 import org.opensearch.client.Client;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
 import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.common.annotation.ExperimentalApi;
 import org.opensearch.common.settings.Settings;
 import org.opensearch.core.common.io.stream.NamedWriteableRegistry;
 import org.opensearch.core.xcontent.NamedXContentRegistry;
 import org.opensearch.env.Environment;
 import org.opensearch.env.NodeEnvironment;
 import org.opensearch.identity.Subject;
-import org.opensearch.identity.noop.NoopPluginSubject;
 import org.opensearch.identity.tokens.TokenManager;
 import org.opensearch.plugins.IdentityPlugin;
 import org.opensearch.plugins.Plugin;
@@ -39,6 +39,7 @@
 *
 * @opensearch.experimental
 */
+@ExperimentalApi
 public final class ShiroIdentityPlugin extends Plugin implements IdentityPlugin {
 private Logger log = LogManager.getLogger(this.getClass());
@@ -100,6 +101,6 @@ public TokenManager getTokenManager() {
 @Override
 public Subject getPluginSubject(Plugin plugin) {
- return new NoopPluginSubject(threadPool);
+ return new ShiroPluginSubject(threadPool);
 }
 }
diff --git a/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroPluginSubject.java b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroPluginSubject.java
new file mode 100644
index 0000000000000..64e5da4c7048e
--- /dev/null
+++ b/plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroPluginSubject.java
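Review bot: In `getPluginSubject(Plugin plugin)` the `plugin` argument is still unused, so `new ShiroPluginSubject(threadPool)` hands every plugin the same subject and nothing a plugin does through it can be attributed to that plugin. If that is intended at this experimental stage, say so on the method, for example `// NOTE: subject is not bound to 'plugin'; all plugins share one principal`. The enclosing class body starts outside the hunk, so this is based only on the lines shown.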
@@ -0,0 +1,56 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.identity.shiro;
+
+import org.opensearch.common.annotation.ExperimentalApi;
+import org.opensearch.common.util.concurrent.ThreadContext;
+import org.opensearch.identity.NamedPrincipal;
+import org.opensearch.identity.Subject;
+import org.opensearch.identity.tokens.AuthToken;
+import org.opensearch.threadpool.ThreadPool;
+
+import java.security.Principal;
+import java.util.concurrent.Callable;
+
+/**
+ * Implementation of subject that is always authenticated
+ *
+ * This class and related classes in this package will not return nulls or fail permissions checks
+ *
+ * This class is used by the ShiroIdentityPlugin to initialize IdentityAwarePlugins
+ *
+ * @opensearch.experimental
+ */
+@ExperimentalApi
+public class ShiroPluginSubject implements Subject {
+ private final ThreadPool threadPool;
+
+ ShiroPluginSubject(ThreadPool threadPool) {
+ super();
+ this.threadPool = threadPool;
+ }
+
+ @Override
+ public Principal getPrincipal() {
+ return NamedPrincipal.UNAUTHENTICATED;
+ }
+
+ @Override
+ public void authenticate(AuthToken token) {
+ // Do nothing as noop subject is always logged in
+ }
+
+ @Override
+ public T runAs(Callable callable) throws Exception {
+ try (ThreadContext.StoredContext ctx = threadPool.getThreadContext().stashContext()) {
+ callable.call();
+ }
+ return null;
+ }
+}
diff --git a/server/src/main/java/org/opensearch/identity/noop/NoopPluginSubject.java b/server/src/main/java/org/opensearch/identity/noop/NoopPluginSubject.java
index b8e25a1107afb..50d2f84497e66 100644
--- a/server/src/main/java/org/opensearch/identity/noop/NoopPluginSubject.java
+++ b/server/src/main/java/org/opensearch/identity/noop/NoopPluginSubject.java
@@ -8,6 +8,7 @@
 package org.opensearch.identity.noop;
+import org.opensearch.common.annotation.InternalApi;
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.identity.NamedPrincipal;
 import org.opensearch.identity.Subject;
@@ -26,10 +27,11 @@
 *
 * @opensearch.internal
 */
+@InternalApi
 public class NoopPluginSubject implements Subject {
 private final ThreadPool threadPool;
- public NoopPluginSubject(ThreadPool threadPool) {
+ NoopPluginSubject(ThreadPool threadPool) {
 super();
 this.threadPool = threadPool;
 }
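Review bot: `ShiroPluginSubject.runAs` throws away the callable's result: it calls `callable.call();` inside the try block and then always executes `return null;`, so every caller receives null even though the class Javadoc says this package will not return nulls. Returning from inside the try-with-resources, `return callable.call();`, still runs the call under the stashed thread context and restores the previous context on exit. The signature appears here as `public T runAs(Callable callable)`; the type parameters look lost in rendering, so this assumes the real declaration is generic. Separately, `authenticate` ignores its token and its comment still says `noop subject`, while `getPrincipal` returns `NamedPrincipal.UNAUTHENTICATED` under a Javadoc that says "always authenticated". A comment such as `// Plugin subject: the token is ignored and no credential check is performed` would make that explicit.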
diff --git a/server/src/test/java/org/opensearch/identity/PluginSubjectTests.java b/server/src/test/java/org/opensearch/identity/noop/NoopPluginSubjectTests.java
similarity index 89%
rename from server/src/test/java/org/opensearch/identity/PluginSubjectTests.java
rename to server/src/test/java/org/opensearch/identity/noop/NoopPluginSubjectTests.java
index 8cb57b7277fb5..3756d94195687 100644
--- a/server/src/test/java/org/opensearch/identity/PluginSubjectTests.java
+++ b/server/src/test/java/org/opensearch/identity/noop/NoopPluginSubjectTests.java
@@ -6,10 +6,12 @@
 * compatible open source license.
 */
-package org.opensearch.identity;
+package org.opensearch.identity.noop;
 import org.opensearch.common.settings.Settings;
-import org.opensearch.identity.noop.NoopPluginSubject;
+import org.opensearch.identity.IdentityService;
+import org.opensearch.identity.NamedPrincipal;
+import org.opensearch.identity.Subject;
 import org.opensearch.plugins.IdentityAwarePlugin;
 import org.opensearch.plugins.Plugin;
 import org.opensearch.test.OpenSearchTestCase;
@@ -20,7 +22,7 @@
 import static org.hamcrest.Matchers.equalTo;
-public class PluginSubjectTests extends OpenSearchTestCase {
+public class NoopPluginSubjectTests extends OpenSearchTestCase {
 public static class TestPlugin extends Plugin implements IdentityAwarePlugin {
 private Subject subject;