forked from opensearch-project/OpenSearch
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add runAs to Subject interface and introduce IdentityAwarePlugin exte…
…nsion point (opensearch-project#14630) * Create ExecutionContext and show example with ActionPluginProxy Signed-off-by: Craig Perkins <[email protected]> * Only allow core to set the ExecutionContext Signed-off-by: Craig Perkins <[email protected]> * WIP on plugin aware thread context Signed-off-by: Craig Perkins <[email protected]> * Plugin Aware API Handling Signed-off-by: Craig Perkins <[email protected]> * Add test to verify that ExecutionContext is being populated during RestHandling Signed-off-by: Craig Perkins <[email protected]> * Clear context in a finally block Signed-off-by: Craig Perkins <[email protected]> * Create switchContext method in ThreadContext and make pluginExecutionStack a stack Signed-off-by: Craig Perkins <[email protected]> * WIP on plugin aware stash context Signed-off-by: Craig Perkins <[email protected]> * Create class called PluginAwareNodeClient that provides a method called switchContext Signed-off-by: Craig Perkins <[email protected]> * Remove ExecutionContext class Signed-off-by: Craig Perkins <[email protected]> * Update javadoc Signed-off-by: Craig Perkins <[email protected]> * Change createComponents to take in PluginAwareNodeClient Signed-off-by: Craig Perkins <[email protected]> * Update all instances of createComponents Signed-off-by: Craig Perkins <[email protected]> * Initialize clients Signed-off-by: Craig Perkins <[email protected]> * Remove casting Signed-off-by: Craig Perkins <[email protected]> * WIP on notion of ContextSwitcher Signed-off-by: Craig Perkins <[email protected]> * Make stashContext package-private Signed-off-by: Craig Perkins <[email protected]> * Make markAsSystemContext package-private Signed-off-by: Craig Perkins <[email protected]> * Add javadoc on param Signed-off-by: Craig Perkins <[email protected]> * Remove SystemContextSwitcher Signed-off-by: Craig Perkins <[email protected]> * Merge with main Signed-off-by: Craig Perkins <[email protected]> * Cleanup Signed-off-by: Craig Perkins <[email 
protected]> * Remove SystemIndexFilter Signed-off-by: Craig Perkins <[email protected]> * Add notion of Forbidden Headers to the ThreadContext Signed-off-by: Craig Perkins <[email protected]> * Fix tests Signed-off-by: Craig Perkins <[email protected]> * Fix test Signed-off-by: Craig Perkins <[email protected]> * Add method to initialize plugins Signed-off-by: Craig Perkins <[email protected]> * Create concept of pluginNodeClient that can be used for executing transport actions as the plugin Signed-off-by: Craig Perkins <[email protected]> * Add test Signed-off-by: Craig Perkins <[email protected]> * Add another test for setPluginNodeClient Signed-off-by: Craig Perkins <[email protected]> * Remove newline Signed-off-by: Craig Perkins <[email protected]> * Add another test Signed-off-by: Craig Perkins <[email protected]> * Subject.runAs and introduce PluginSubject Signed-off-by: Craig Perkins <[email protected]> * Do nothing when runAs is called for ShiroSubject and NoopSubject Signed-off-by: Craig Perkins <[email protected]> * Remove extraneous changes Signed-off-by: Craig Perkins <[email protected]> * Test all methods in PluginSubject Signed-off-by: Craig Perkins <[email protected]> * Pass a Callable to runAs Signed-off-by: Craig Perkins <[email protected]> * Update import Signed-off-by: Craig Perkins <[email protected]> * Simplify PR, make NoopPluginSubject and introduce IdentityAwarePlugin Signed-off-by: Craig Perkins <[email protected]> * Add final Signed-off-by: Craig Perkins <[email protected]> * Remove server dependency Signed-off-by: Craig Perkins <[email protected]> * Remove AbstractSubject Signed-off-by: Craig Perkins <[email protected]> * Remove unnecessary changes Signed-off-by: Craig Perkins <[email protected]> * Add javadoc to NoopPluginSubject Signed-off-by: Craig Perkins <[email protected]> * Rename to assignSubject Signed-off-by: Craig Perkins <[email protected]> * Add experimental label Signed-off-by: Craig Perkins <[email protected]> * Add 
getPluginSubject(plugin) to IdentityPlugin Signed-off-by: Craig Perkins <[email protected]> * Make runAs generic Signed-off-by: Craig Perkins <[email protected]> * package-private constructor Signed-off-by: Craig Perkins <[email protected]> * Move IdentityAwarePlugin initialization Signed-off-by: Craig Perkins <[email protected]> * Create separate PluginSubject interface Signed-off-by: Craig Perkins <[email protected]> * Remove authenticate method Signed-off-by: Craig Perkins <[email protected]> * Remove import Signed-off-by: Craig Perkins <[email protected]> * Separate UserSubject and PluginSubject Signed-off-by: Craig Perkins <[email protected]> * Terminate TestThreadPool Signed-off-by: Craig Perkins <[email protected]> * mock ThreadPool in RestSendToExtensionActionTests Signed-off-by: Craig Perkins <[email protected]> * Fix Thread leak Signed-off-by: Craig Perkins <[email protected]> * Add to CHANGELOG Signed-off-by: Craig Perkins <[email protected]> * Rename to getCurrentSubject Signed-off-by: Craig Perkins <[email protected]> * Add type check Signed-off-by: Craig Perkins <[email protected]> * Rename to pluginSubject Signed-off-by: Craig Perkins <[email protected]> * Add runAs to ActionRequest and surround doExecute in AbstractClient Signed-off-by: Craig Perkins <[email protected]> * Return this Signed-off-by: Craig Perkins <[email protected]> * Switch back to void Signed-off-by: Craig Perkins <[email protected]> * Revert change to ActionRequest Signed-off-by: Craig Perkins <[email protected]> --------- Signed-off-by: Craig Perkins <[email protected]>
Showing 32 changed files with 423 additions and 63 deletions.
49 changes: 49 additions & 0 deletions
plugins/identity-shiro/src/main/java/org/opensearch/identity/shiro/ShiroPluginSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity.shiro; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
import org.opensearch.common.util.concurrent.ThreadContext; | ||
import org.opensearch.identity.NamedPrincipal; | ||
import org.opensearch.identity.PluginSubject; | ||
import org.opensearch.threadpool.ThreadPool; | ||
|
||
import java.security.Principal; | ||
import java.util.concurrent.Callable; | ||
|
||
/** | ||
* Implementation of subject that is always authenticated | ||
* <p> | ||
* This class and related classes in this package will not return nulls or fail permissions checks | ||
* | ||
* This class is used by the ShiroIdentityPlugin to initialize IdentityAwarePlugins | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public class ShiroPluginSubject implements PluginSubject { | ||
private final ThreadPool threadPool; | ||
|
||
ShiroPluginSubject(ThreadPool threadPool) { | ||
super(); | ||
this.threadPool = threadPool; | ||
} | ||
|
||
@Override | ||
public Principal getPrincipal() { | ||
return NamedPrincipal.UNAUTHENTICATED; | ||
} | ||
|
||
@Override | ||
public <T> T runAs(Callable<T> callable) throws Exception { | ||
try (ThreadContext.StoredContext ctx = threadPool.getThreadContext().stashContext()) { | ||
return callable.call(); | ||
} | ||
} | ||
} |
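Review bot: getPrincipal() returns NamedPrincipal.UNAUTHENTICATED while the class Javadoc describes a "subject that is always authenticated" that "will not ... fail permissions checks"; one of the two is wrong, and the Javadoc reads as if it was copied from another subject class. The constructor takes only a ThreadPool, so every plugin handed a ShiroPluginSubject shares the same principal and nothing downstream (authorization, audit logging) can tell which plugin called runAs. Consider passing the plugin, or a name derived from it, into the constructor and returning a per-plugin NamedPrincipal, and rewrite the Javadoc to state what identity the callable actually runs under. In runAs, stashContext() discards the caller's thread context for the duration of callable.call() and the try-with-resources restores it afterwards; say so in a method-level Javadoc, since callers need to know that request headers and the calling user's identity are not visible inside the callable. The explicit super() call in the constructor is redundant and can be dropped.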
19 changes: 19 additions & 0 deletions
server/src/main/java/org/opensearch/identity/PluginSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
|
||
/** | ||
* Similar to {@link Subject}, but represents a plugin executing actions | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public interface PluginSubject extends Subject {} |
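Review bot: PluginSubject is an empty marker interface, so the only thing separating a plugin identity from any other Subject is the declared type, and the Javadoc ("Similar to {@link Subject}, but represents a plugin executing actions") does not state a contract for implementers. Document what getPrincipal() is expected to return for a plugin and what thread-context state runAs must establish and restore, so that identity plugin implementations behave consistently. If code elsewhere branches on instanceof PluginSubject, note that here as well, because an implementation that accidentally implements both this and UserSubject would satisfy both checks.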
29 changes: 29 additions & 0 deletions
server/src/main/java/org/opensearch/identity/UserSubject.java
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
*/ | ||
|
||
package org.opensearch.identity; | ||
|
||
import org.opensearch.common.annotation.ExperimentalApi; | ||
import org.opensearch.identity.tokens.AuthToken; | ||
|
||
/** | ||
* An instance of a subject representing a User. UserSubjects must pass credentials for authentication. | ||
* | ||
* @opensearch.experimental | ||
*/ | ||
@ExperimentalApi | ||
public interface UserSubject extends Subject { | ||
/** | ||
* Authenticate via an auth token | ||
* throws UnsupportedAuthenticationMethod | ||
* throws InvalidAuthenticationToken | ||
* throws SubjectNotFound | ||
* throws SubjectDisabled | ||
*/ | ||
void authenticate(final AuthToken token); | ||
} |
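Review bot: the Javadoc on authenticate(final AuthToken token) lists its failure modes as plain text ("throws UnsupportedAuthenticationMethod", "throws InvalidAuthenticationToken", ...) instead of @throws tags, and there is no @param for token. The method signature declares no exceptions, so these must be unchecked and callers get no hint from the compiler; use proper @throws tags with the fully resolvable exception types and add @param token, including whether a null token is accepted. It would also help to state what a normal return means (the subject is authenticated from this point on) given that the method returns void and failure is signalled only by exception.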