From 98f7995671654454e9225ddc34a4da8436f0caf1 Mon Sep 17 00:00:00 2001 From: Craig Perkins Date: Mon, 11 Nov 2024 15:00:02 -0500 Subject: [PATCH] Security subject rebase Signed-off-by: Craig Perkins --- .../opensearch/security/SystemIndexTests.java | 2 + .../IndexDocumentIntoSystemIndexAction.java | 2 +- .../plugin/RunClusterHealthAction.java | 2 +- ...ortIndexDocumentIntoSystemIndexAction.java | 2 + .../privileges/ActionPrivilegesTest.java | 3 +- .../RestEndpointPermissionTests.java | 2 - .../security/OpenSearchSecurityPlugin.java | 8 ++- .../security/filter/SecurityFilter.java | 5 ++ .../ContextProvidingPluginSubject.java | 5 +- .../security/privileges/ActionPrivileges.java | 63 +++++++++++++++++-- .../privileges/PrivilegesEvaluator.java | 43 +++++++++++-- .../PrivilegesEvaluatorResponse.java | 6 +- .../privileges/SnapshotRestoreEvaluator.java | 1 - .../SystemIndexAccessEvaluator.java | 8 +-- .../securityconf/InMemorySecurityRoles.java | 20 ------ .../securityconf/InMemorySecurityRolesV7.java | 37 ----------- .../SystemIndexAccessEvaluatorTest.java | 8 --- 17 files changed, 123 insertions(+), 94 deletions(-) delete mode 100644 src/main/java/org/opensearch/security/securityconf/InMemorySecurityRoles.java delete mode 100644 src/main/java/org/opensearch/security/securityconf/InMemorySecurityRolesV7.java diff --git a/src/integrationTest/java/org/opensearch/security/SystemIndexTests.java b/src/integrationTest/java/org/opensearch/security/SystemIndexTests.java index 0c77cf43f6..a131bb9891 100644 --- a/src/integrationTest/java/org/opensearch/security/SystemIndexTests.java +++ b/src/integrationTest/java/org/opensearch/security/SystemIndexTests.java @@ -99,6 +99,8 @@ public void testPluginShouldBeAbleToIndexDocumentIntoItsSystemIndex() { try (TestRestClient client = cluster.getRestClient(USER_ADMIN)) { HttpResponse response = client.put("try-create-and-index/" + SYSTEM_INDEX_1); + System.out.println("response: " + response.getBody()); + assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus())); assertThat(response.getBody(), containsString(SystemIndexPlugin1.class.getCanonicalName())); } diff --git a/src/integrationTest/java/org/opensearch/security/plugin/IndexDocumentIntoSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/plugin/IndexDocumentIntoSystemIndexAction.java index 8621f2a609..9a60de201c 100644 --- a/src/integrationTest/java/org/opensearch/security/plugin/IndexDocumentIntoSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/plugin/IndexDocumentIntoSystemIndexAction.java @@ -14,7 +14,7 @@ public class IndexDocumentIntoSystemIndexAction extends ActionType { public static final IndexDocumentIntoSystemIndexAction INSTANCE = new IndexDocumentIntoSystemIndexAction(); - public static final String NAME = "mock:systemindex/index"; + public static final String NAME = "cluster:mock/systemindex/index"; private IndexDocumentIntoSystemIndexAction() { super(NAME, IndexDocumentIntoSystemIndexResponse::new); diff --git a/src/integrationTest/java/org/opensearch/security/plugin/RunClusterHealthAction.java b/src/integrationTest/java/org/opensearch/security/plugin/RunClusterHealthAction.java index b819465a35..4234879bb8 100644 --- a/src/integrationTest/java/org/opensearch/security/plugin/RunClusterHealthAction.java +++ b/src/integrationTest/java/org/opensearch/security/plugin/RunClusterHealthAction.java @@ -14,7 +14,7 @@ public class RunClusterHealthAction extends ActionType { public static final RunClusterHealthAction INSTANCE = new RunClusterHealthAction(); - public static final String NAME = "mock:cluster/monitor/health"; + public static final String NAME = "cluster:mock/monitor/health"; private RunClusterHealthAction() { super(NAME, RunClusterHealthResponse::new); diff --git a/src/integrationTest/java/org/opensearch/security/plugin/TransportIndexDocumentIntoSystemIndexAction.java b/src/integrationTest/java/org/opensearch/security/plugin/TransportIndexDocumentIntoSystemIndexAction.java index c549da7809..19ec06ca7d 100644 --- a/src/integrationTest/java/org/opensearch/security/plugin/TransportIndexDocumentIntoSystemIndexAction.java +++ b/src/integrationTest/java/org/opensearch/security/plugin/TransportIndexDocumentIntoSystemIndexAction.java @@ -62,6 +62,7 @@ protected void doExecute( String indexName = request.getIndexName(); String runAs = request.getRunAs(); Subject userSubject = identityService.getCurrentSubject(); + System.out.println("User Subject: " + userSubject); try { contextSwitcher.runAs(() -> { client.admin().indices().create(new CreateIndexRequest(indexName), ActionListener.wrap(r -> { @@ -83,6 +84,7 @@ protected void doExecute( .source("{\"content\":1}", XContentType.JSON), ActionListener.wrap(r2 -> { User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER); + System.out.println("Test User: " + user); actionListener.onResponse(new IndexDocumentIntoSystemIndexResponse(true, user.getName())); }, actionListener::onFailure) ); diff --git a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java index 70621acdbb..b23e47c314 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/ActionPrivilegesTest.java @@ -447,7 +447,8 @@ public IndicesAndAliases(IndexSpec indexSpec, ActionSpec actionSpec, Statefulnes Settings.EMPTY, WellKnownActions.CLUSTER_ACTIONS, WellKnownActions.INDEX_ACTIONS, - WellKnownActions.INDEX_ACTIONS + WellKnownActions.INDEX_ACTIONS, + Map.of() ); if (statefulness == Statefulness.STATEFUL) { diff --git a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java index c424891a8c..1e61aa0206 100644 --- a/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java +++ b/src/integrationTest/java/org/opensearch/security/privileges/RestEndpointPermissionTests.java @@ -32,7 +32,6 @@ import java.util.Collection; import java.util.Locale; import java.util.Map; -import java.util.Set; import java.util.stream.Collectors; import java.util.stream.Stream; @@ -57,7 +56,6 @@ import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.ENDPOINTS_WITH_PERMISSIONS; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.RELOAD_CERTS_ACTION; import static org.opensearch.security.dlic.rest.api.RestApiAdminPrivilegesEvaluator.SECURITY_CONFIG_UPDATE; -import static org.junit.Assert.assertTrue; /** * Moved from https://github.com/opensearch-project/security/blob/54361468f5c4b3a57f3ecffaf1bbe8dccee562be/src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java index 7680398468..39e0e0a676 100644 --- a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java +++ b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java @@ -43,6 +43,7 @@ import java.util.Collection; import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Objects; @@ -69,6 +70,7 @@ import org.opensearch.SpecialPermission; import org.opensearch.Version; import org.opensearch.action.ActionRequest; +import org.opensearch.action.bulk.BulkAction; import org.opensearch.action.search.PitService; import org.opensearch.action.search.SearchScrollAction; import org.opensearch.action.support.ActionFilter; @@ -2126,7 +2128,11 @@ public SecurityTokenManager getTokenManager() { @Override public PluginSubject getPluginSubject(Plugin plugin) { - return new ContextProvidingPluginSubject(threadPool, settings, plugin); + Set clusterActions = new HashSet<>(); + clusterActions.add(BulkAction.NAME); + PluginSubject subject = new ContextProvidingPluginSubject(threadPool, settings, plugin); + sf.updatePluginToClusterAction(subject.getPrincipal().getName(), clusterActions); + return subject; } @Override diff --git a/src/main/java/org/opensearch/security/filter/SecurityFilter.java b/src/main/java/org/opensearch/security/filter/SecurityFilter.java index 3670bf8319..31ea5ac259 100644 --- a/src/main/java/org/opensearch/security/filter/SecurityFilter.java +++ b/src/main/java/org/opensearch/security/filter/SecurityFilter.java @@ -453,6 +453,7 @@ public void onFailure(Exception e) { }); } } else { + System.out.println("No permissions for " + user); auditLog.logMissingPrivileges(action, request, task); String err; if (!pres.getMissingSecurityRoles().isEmpty()) { @@ -529,6 +530,10 @@ private boolean checkImmutableIndices(Object request, ActionListener listener) { return false; } + public void updatePluginToClusterAction(String pluginIdentifier, Set clusterActions) { + evalp.updatePluginToClusterActions(pluginIdentifier, clusterActions); + } + private boolean isRequestIndexImmutable(Object request) { final IndexResolverReplacer.Resolved resolved = indexResolverReplacer.resolveRequest(request); if (resolved.isLocalAll()) { diff --git a/src/main/java/org/opensearch/security/identity/ContextProvidingPluginSubject.java b/src/main/java/org/opensearch/security/identity/ContextProvidingPluginSubject.java index 7a096abf08..ab6dddceba 100644 --- a/src/main/java/org/opensearch/security/identity/ContextProvidingPluginSubject.java +++ b/src/main/java/org/opensearch/security/identity/ContextProvidingPluginSubject.java @@ -29,10 +29,11 @@ public class ContextProvidingPluginSubject implements PluginSubject { public ContextProvidingPluginSubject(ThreadPool threadPool, Settings settings, Plugin plugin) { super(); this.threadPool = threadPool; - this.pluginPrincipal = new NamedPrincipal(plugin.getClass().getCanonicalName()); + String principal = "plugin:" + plugin.getClass().getCanonicalName(); + this.pluginPrincipal = new NamedPrincipal(principal); // Convention for plugin username. Prefixed with 'plugin:'. ':' is forbidden from usernames, so this // guarantees that a user with this username cannot be created by other means. - this.pluginUser = new User("plugin:" + pluginPrincipal.getName()); + this.pluginUser = new User(principal); } @Override diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java index 32b4bf3825..389926179d 100644 --- a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java +++ b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java @@ -113,9 +113,10 @@ public ActionPrivileges( Settings settings, ImmutableSet wellKnownClusterActions, ImmutableSet wellKnownIndexActions, - ImmutableSet explicitlyRequiredIndexActions + ImmutableSet explicitlyRequiredIndexActions, + Map> pluginToClusterActions ) { - this.cluster = new ClusterPrivileges(roles, actionGroups, wellKnownClusterActions); + this.cluster = new ClusterPrivileges(roles, actionGroups, wellKnownClusterActions, pluginToClusterActions); this.index = new IndexPrivileges(roles, actionGroups, wellKnownIndexActions, explicitlyRequiredIndexActions); this.roles = roles; this.actionGroups = actionGroups; @@ -142,7 +143,27 @@ public ActionPrivileges( settings, WellKnownActions.CLUSTER_ACTIONS, WellKnownActions.INDEX_ACTIONS, - WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS + WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS, + Map.of() + ); + } + + public ActionPrivileges( + SecurityDynamicConfiguration roles, + FlattenedActionGroups actionGroups, + Supplier> indexMetadataSupplier, + Settings settings, + Map> pluginToClusterActions + ) { + this( + roles, + actionGroups, + indexMetadataSupplier, + settings, + WellKnownActions.CLUSTER_ACTIONS, + WellKnownActions.INDEX_ACTIONS, + WellKnownActions.EXPLICITLY_REQUIRED_INDEX_ACTIONS, + pluginToClusterActions ); } @@ -375,6 +396,8 @@ static class ClusterPrivileges { */ private final ImmutableMap rolesToActionMatcher; + private final ImmutableMap usersToActionMatcher; + private final ImmutableSet wellKnownClusterActions; /** @@ -388,7 +411,8 @@ static class ClusterPrivileges { ClusterPrivileges( SecurityDynamicConfiguration roles, FlattenedActionGroups actionGroups, - ImmutableSet wellKnownClusterActions + ImmutableSet wellKnownClusterActions, + Map> pluginToClusterActions ) { DeduplicatingCompactSubSetBuilder roleSetBuilder = new DeduplicatingCompactSubSetBuilder<>( roles.getCEntries().keySet() @@ -396,6 +420,7 @@ static class ClusterPrivileges { Map> actionToRoles = new HashMap<>(); ImmutableSet.Builder rolesWithWildcardPermissions = ImmutableSet.builder(); ImmutableMap.Builder rolesToActionMatcher = ImmutableMap.builder(); + ImmutableMap.Builder usersToActionMatcher = ImmutableMap.builder(); for (Map.Entry entry : roles.getCEntries().entrySet()) { try { @@ -445,6 +470,14 @@ static class ClusterPrivileges { } } + if (pluginToClusterActions != null) { + for (String pluginIdentifier : pluginToClusterActions.keySet()) { + Set clusterActions = pluginToClusterActions.get(pluginIdentifier); + WildcardMatcher matcher = WildcardMatcher.from(clusterActions); + usersToActionMatcher.put(pluginIdentifier, matcher); + } + } + DeduplicatingCompactSubSetBuilder.Completed completedRoleSetBuilder = roleSetBuilder.build(); this.actionToRoles = actionToRoles.entrySet() @@ -452,6 +485,7 @@ static class ClusterPrivileges { .collect(ImmutableMap.toImmutableMap(Map.Entry::getKey, entry -> entry.getValue().build(completedRoleSetBuilder))); this.rolesWithWildcardPermissions = rolesWithWildcardPermissions.build(); this.rolesToActionMatcher = rolesToActionMatcher.build(); + this.usersToActionMatcher = usersToActionMatcher.build(); this.wellKnownClusterActions = wellKnownClusterActions; } @@ -485,6 +519,17 @@ PrivilegesEvaluatorResponse providesPrivilege(PrivilegesEvaluationContext contex } } + System.out.println("context: " + context); + System.out.println("usersToActionMatcher: " + usersToActionMatcher); + + // 4: If plugin is performing the action, check if plugin has permission + if (context.getUser().isPluginUser()) { + WildcardMatcher matcher = this.usersToActionMatcher.get(context.getUser().getName()); + if (matcher != null && matcher.test(action)) { + return PrivilegesEvaluatorResponse.ok(); + } + } + return PrivilegesEvaluatorResponse.insufficient(action, context); } @@ -554,6 +599,16 @@ PrivilegesEvaluatorResponse providesAnyPrivilege(PrivilegesEvaluationContext con } } + // 4: If plugin is performing the action, check if plugin has permission + if (context.getUser().isPluginUser()) { + WildcardMatcher matcher = this.usersToActionMatcher.get(context.getUser().getName()); + for (String action : actions) { + if (matcher != null && matcher.test(action)) { + return PrivilegesEvaluatorResponse.ok(); + } + } + } + if (actions.size() == 1) { return PrivilegesEvaluatorResponse.insufficient(actions.iterator().next(), context); } else { diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java index cda5755ad6..a2e863b0b2 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java @@ -143,6 +143,7 @@ public class PrivilegesEvaluator { private final boolean checkSnapshotRestoreWritePrivileges; private final ClusterInfoHolder clusterInfoHolder; + private final ConfigurationRepository configurationRepository; private ConfigModel configModel; private final IndexResolverReplacer irr; private final SnapshotRestoreEvaluator snapshotRestoreEvaluator; @@ -153,6 +154,7 @@ public class PrivilegesEvaluator { private DynamicConfigModel dcm; private final NamedXContentRegistry namedXContentRegistry; private final Settings settings; + private final Map> pluginToClusterActions; private final AtomicReference actionPrivileges = new AtomicReference<>(); public PrivilegesEvaluator( @@ -176,6 +178,7 @@ public PrivilegesEvaluator( this.threadContext = threadContext; this.privilegesInterceptor = privilegesInterceptor; + this.pluginToClusterActions = new HashMap<>(); this.clusterStateSupplier = clusterStateSupplier; this.settings = settings; @@ -192,6 +195,7 @@ public PrivilegesEvaluator( termsAggregationEvaluator = new TermsAggregationEvaluator(); pitPrivilegesEvaluator = new PitPrivilegesEvaluator(); this.namedXContentRegistry = namedXContentRegistry; + this.configurationRepository = configurationRepository; if (configurationRepository != null) { configurationRepository.subscribeOnChange(configMap -> { @@ -228,11 +232,14 @@ void updateConfiguration( ? DynamicConfigFactory.addStatics(actionGroupsConfiguration.clone()) : DynamicConfigFactory.addStatics(SecurityDynamicConfiguration.empty(CType.ACTIONGROUPS)); FlattenedActionGroups flattenedActionGroups = new FlattenedActionGroups(actionGroupsWithStatics); + System.out.println("updateConfiguration"); + System.out.println("pluginToClusterActions: " + pluginToClusterActions); ActionPrivileges actionPrivileges = new ActionPrivileges( DynamicConfigFactory.addStatics(rolesConfiguration.clone()), flattenedActionGroups, () -> clusterStateSupplier.get().metadata().getIndicesLookup(), - settings + settings, + pluginToClusterActions ); Metadata metadata = clusterStateSupplier.get().metadata(); actionPrivileges.updateStatefulIndexPrivileges(metadata.getIndicesLookup(), metadata.version()); @@ -389,23 +396,44 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context) // check snapshot/restore requests if (snapshotRestoreEvaluator.evaluate(request, task, action0, clusterInfoHolder, presponse).isComplete()) { - return presponse; + if (!presponse.isAllowed()) { + return PrivilegesEvaluatorResponse.insufficient(action0, context); + } else { + return presponse; + } } + System.out.println("Calling systemIndexAccessEvaluator.evaluate"); + System.out.println("user: " + user); + System.out.println("action: " + action0); // Security index access if (systemIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, context, actionPrivileges, user) .isComplete()) { - return presponse; + System.out.println("Returning presponse: " + presponse); + if (!presponse.isAllowed()) { + return PrivilegesEvaluatorResponse.insufficient(action0, context); + } else { + return presponse; + } } + System.out.println("After systemIndexAccessEvaluator.evaluate"); // Protected index access if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, mappedRoles).isComplete()) { - return presponse; + if (!presponse.isAllowed()) { + return PrivilegesEvaluatorResponse.insufficient(action0, context); + } else { + return presponse; + } } // check access for point in time requests if (pitPrivilegesEvaluator.evaluate(request, context, actionPrivileges, action0, presponse, irr).isComplete()) { - return presponse; + if (!presponse.isAllowed()) { + return PrivilegesEvaluatorResponse.insufficient(action0, context); + } else { + return presponse; + } } final boolean dnfofEnabled = dcm.isDnfofEnabled(); @@ -532,6 +560,7 @@ public PrivilegesEvaluatorResponse evaluate(PrivilegesEvaluationContext context) boolean dnfofPossible = dnfofEnabled && DNFOF_MATCHER.test(action0); + System.out.println("allIndexPermsRequired: " + allIndexPermsRequired); presponse = actionPrivileges.hasIndexPrivilege(context, allIndexPermsRequired, requestedResolved); if (presponse.isPartiallyOk()) { @@ -839,4 +868,8 @@ private List toString(List aliases) { return Collections.unmodifiableList(ret); } + + public void updatePluginToClusterActions(String pluginIdentifier, Set clusterActions) { + pluginToClusterActions.put(pluginIdentifier, clusterActions); + } } diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java index 54eeda3191..98840ac5a6 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluatorResponse.java @@ -133,10 +133,6 @@ public String getPrivilegeMatrix() { return result; } - public boolean addMissingPrivileges(String action) { - return missingPrivileges.add(action); - } - public Set getMissingSecurityRoles() { return new HashSet<>(missingSecurityRoles); } @@ -192,6 +188,7 @@ public static PrivilegesEvaluatorResponse partiallyOk( } public static PrivilegesEvaluatorResponse insufficient(String missingPrivilege, PrivilegesEvaluationContext context) { + System.out.println("missingPrivilege: " + missingPrivilege); PrivilegesEvaluatorResponse response = new PrivilegesEvaluatorResponse(); response.indexToActionCheckTable = CheckTable.create(ImmutableSet.of("_"), ImmutableSet.of(missingPrivilege)); return response; @@ -201,6 +198,7 @@ public static PrivilegesEvaluatorResponse insufficient( CheckTable indexToActionCheckTable, PrivilegesEvaluationContext context ) { + System.out.println("indexToActionCheckTable: " + indexToActionCheckTable); PrivilegesEvaluatorResponse response = new PrivilegesEvaluatorResponse(); response.indexToActionCheckTable = indexToActionCheckTable; return response; diff --git a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java index 8a11e433e8..23612e1a52 100644 --- a/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/SnapshotRestoreEvaluator.java @@ -109,7 +109,6 @@ public PrivilegesEvaluatorResponse evaluate( auditLog.logSecurityIndexAttempt(request, action, task); log.warn("{} for '{}' as source index is not allowed", action, securityIndex); presponse.allowed = false; - presponse.addMissingPrivileges(action); return presponse.markComplete(); } return presponse; diff --git a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java index 0ebac48974..8fc2cd8539 100644 --- a/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/SystemIndexAccessEvaluator.java @@ -268,7 +268,6 @@ private void evaluateSystemIndicesAccess( log.debug("Service account cannot access regular indices: {}", regularIndices); } presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); return; } @@ -285,7 +284,6 @@ private void evaluateSystemIndicesAccess( ); } presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); return; } else if (containsSystemIndex @@ -300,7 +298,6 @@ private void evaluateSystemIndicesAccess( ); } presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); return; } @@ -325,7 +322,7 @@ private void evaluateSystemIndicesAccess( ); } presponse.allowed = false; - presponse.addMissingPrivileges(action); + presponse.getMissingPrivileges(); presponse.markComplete(); } return; @@ -348,7 +345,6 @@ private void evaluateSystemIndicesAccess( auditLog.logSecurityIndexAttempt(request, action, task); log.warn("{} for '_all' indices is not allowed for a regular user", action); presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); } } @@ -363,7 +359,6 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) { log.debug("Filtered '{}' but resulting list is empty", securityIndex); } presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); return; } @@ -376,7 +371,6 @@ else if (containsSystemIndex && !isSystemIndexPermissionEnabled) { final String foundSystemIndexes = String.join(", ", getAllSystemIndices(requestedResolved)); log.warn("{} for '{}' index is not allowed for a regular user", action, foundSystemIndexes); presponse.allowed = false; - presponse.addMissingPrivileges(action); presponse.markComplete(); } } diff --git a/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRoles.java b/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRoles.java deleted file mode 100644 index 934533788f..0000000000 --- a/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRoles.java +++ /dev/null @@ -1,20 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.securityconf; - -import java.util.Map; -import java.util.Set; - -public interface InMemorySecurityRoles extends SecurityRoles { - - void addSecurityRole(String roleName, Set clusterPerms, Map> indexPatternToAllowedActions); -} diff --git a/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRolesV7.java b/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRolesV7.java deleted file mode 100644 index da5a07298c..0000000000 --- a/src/main/java/org/opensearch/security/securityconf/InMemorySecurityRolesV7.java +++ /dev/null @@ -1,37 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - * - * Modifications Copyright OpenSearch Contributors. See - * GitHub history for details. - */ - -package org.opensearch.security.securityconf; - -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.opensearch.security.support.WildcardMatcher; - -public class InMemorySecurityRolesV7 extends ConfigModelV7.SecurityRoles implements InMemorySecurityRoles { - - public InMemorySecurityRolesV7(int roleCount) { - super(roleCount); - } - - @Override - public void addSecurityRole(String roleName, Set clusterPerms, Map> indexPatternToAllowedActions) { - Set ipatterns = new HashSet<>(); - for (Map.Entry> entry : indexPatternToAllowedActions.entrySet()) { - ConfigModelV7.IndexPattern idxPattern = new ConfigModelV7.IndexPattern(entry.getKey()); - idxPattern.addPerm(entry.getValue()); - ipatterns.add(idxPattern); - } - ConfigModelV7.SecurityRole role = new ConfigModelV7.SecurityRole(roleName, ipatterns, WildcardMatcher.from(clusterPerms)); - roles.add(role); - } -} diff --git a/src/test/java/org/opensearch/security/privileges/SystemIndexAccessEvaluatorTest.java b/src/test/java/org/opensearch/security/privileges/SystemIndexAccessEvaluatorTest.java index cbb004be17..878033fd5c 100644 --- a/src/test/java/org/opensearch/security/privileges/SystemIndexAccessEvaluatorTest.java +++ b/src/test/java/org/opensearch/security/privileges/SystemIndexAccessEvaluatorTest.java @@ -393,7 +393,6 @@ public void testDisableCacheOrRealtimeOnSystemIndex_systemIndexPermissionEnabled ); verify(log).debug("Disable search request cache for this request"); verify(log).debug("Disable realtime for this request"); - verify(presponse, times(3)).addMissingPrivileges(UNPROTECTED_ACTION); } @Test @@ -427,7 +426,6 @@ public void testProtectedActionLocalAll_systemIndexDisabled() { verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '_all' indices is not allowed for a regular user", "indices:data/write"); } @@ -442,7 +440,6 @@ public void testProtectedActionLocalAll_systemIndexPermissionDisabled() { verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '_all' indices is not allowed for a regular user", PROTECTED_ACTION); } @@ -457,7 +454,6 @@ public void testProtectedActionLocalAll_systemIndexPermissionEnabled() { verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '_all' indices is not allowed for a regular user", PROTECTED_ACTION); } @@ -516,7 +512,6 @@ public void testProtectedActionOnSystemIndex_systemIndexPermissionDisabled() { verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '{}' index is not allowed for a regular user", PROTECTED_ACTION, TEST_SYSTEM_INDEX); } @@ -563,7 +558,6 @@ public void testProtectedActionOnProtectedSystemIndex_systemIndexDisabled() { verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '{}' index is not allowed for a regular user", PROTECTED_ACTION, SECURITY_INDEX); @@ -579,7 +573,6 @@ public void testProtectedActionOnProtectedSystemIndex_systemIndexPermissionDisab verify(auditLog).logSecurityIndexAttempt(request, PROTECTED_ACTION, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(PROTECTED_ACTION); verify(presponse).markComplete(); verify(log).warn("{} for '{}' index is not allowed for a regular user", PROTECTED_ACTION, SECURITY_INDEX); @@ -615,7 +608,6 @@ private void testSecurityIndexAccess(String action) { verify(auditLog).logSecurityIndexAttempt(request, action, task); assertThat(presponse.allowed, is(false)); - verify(presponse).addMissingPrivileges(action); verify(presponse).markComplete(); verify(log).isInfoEnabled();