[workspace] refactor: refactor the bulk_get handler in permission wrapper when item has permission error #8906
base: main
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #8906 +/- ##
=======================================
Coverage 60.86% 60.87%
=======================================
Files 3808 3808
Lines 91209 91234 +25
Branches 14410 14416 +6
=======================================
+ Hits 55514 55537 +23
- Misses 32154 32158 +4
+ Partials 3541 3539 -2
changelogs/fragments/8906.yml
@@ -0,0 +1,2 @@ | |||
fix: | |||
- Index pattern fetch error in discover dataset modal ([#8906](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/8906)) |
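Review bot: the entry under fix: names only the Discover symptom and says nothing about the permission wrapper. The PR description states that the response now carries an error instead of throwing, which is a behaviour change for every caller of bulk_get, so the changelog line should say that, so consumers who catch the thrown error know to inspect each returned object instead.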
Although this PR may fix #8891, this is not the direct root cause, so I would suggest changing it to: refactor: refactor the bulk_get handler in permission wrapper when item has permission error
if (!hasPermission) { | ||
ACLAuditor?.increment(ACLAuditorStateKey.VALIDATE_FAILURE, 1); | ||
throw generateDataSourcePermissionError(); | ||
} |
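Review bot: throw generateDataSourcePermissionError() ends the whole call on the first object that fails the check, so objects the caller is allowed to read are lost with it. If this branch becomes a per-object error result, keep the ACLAuditor?.increment(ACLAuditorStateKey.VALIDATE_FAILURE, 1) call on that path so denied reads are still counted.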
We may also not need to throw an Error for this verification.
error: { | ||
error: 'Invalid saved objects permission', | ||
statusCode: 403, | ||
message: 'Permission denied', | ||
}, |
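Review bot: statusCode: 403 on a per-object result tells a caller without access that the requested id exists. Confirm that this matches what a single get returns for the same object; if existence is meant to stay hidden, denied and missing objects should produce the same result. Also make sure the object that carries this error is returned without its attributes.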
Could we extract this as a function, along with the other generatexxxError functions at the top of this file?
ACLAuditor?.increment( | ||
ACLAuditorStateKey.VALIDATE_SUCCESS, | ||
objectToBulkGet.saved_objects.length | ||
); |
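Review bot: incrementing VALIDATE_SUCCESS by objectToBulkGet.saved_objects.length counts every requested object as a success, which over-reports once some objects come back with a permission error. Count the objects that passed and the objects that were denied separately, and increment VALIDATE_SUCCESS and VALIDATE_FAILURE by those two numbers.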
This represents that all verifications are successful; now in the new implementation we may need a flag in the map to indicate whether all objects passed.
Thanks for all the comments, updated.
671af1f to 2f4dedd
const hasPermission = this.validateDataSourcePermissions(object, wrapperOptions.request); | ||
if (!hasPermission) { | ||
if ( | ||
!(await this.validateWorkspacesAndSavedObjectsPermissions( |
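Review bot: the awaited validateWorkspacesAndSavedObjectsPermissions call inside if (!hasPermission) can reject, and any handler added around it must fail closed: a thrown error should mark the object as denied, never as permitted. The two nested negated conditions would also read more clearly as one condition with the data source check and the workspace check joined by &&.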
Nit: This validateWorkspacesAndSavedObjectsPermissions may throw an error during permission validation. Should we add a try/catch block here to avoid breaking the whole Promise.all?
Thanks for your comments, updated.
a10cf3e to d5fb789
Signed-off-by: Qxisylolo <[email protected]>
d5fb789 to b5dc492
@@ -196,6 +204,32 @@ export class WorkspaceSavedObjectsClientWrapper { | |||
return hasPermission; | |||
} | |||
|
|||
// Data source is a workspace level object, validate if the request has access to the data source within the requested workspace. | |||
private validateDataSourcePermissions = ( |
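Review bot: the comment above validateDataSourcePermissions says what is validated but not what the method returns when the request has no requested workspace. State that case in the comment, because its default decides whether data sources are readable outside a workspace, and it should be a deliberate allow or deny rather than an accident of the implementation.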
@yubonluo Could you please check if this change is compatible with the bulkGet changes you made recently regarding permission check?
Sure, the data source validation has been moved to id_consumer_wrapper, you can delete the method from the permission_wrapper.
related PR: https://github.com/opensearch-project/OpenSearch-Dashboards/pull/8888/files#diff-6f4daf9988f5262d2403821efd458faf7157c7e7473ec65a16ae2724a92d6556L209
Description
This PR fixes the index pattern fetch error in the discover dataset modal by returning a response with an error instead of throwing an error.
Check List
yarn test:jest
yarn test:jest_integration
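
The pattern this PR describes (a per-object error in the bulk_get response instead of a thrown error) and the review point about a rejecting check inside Promise.all, as an added TypeScript example that is not the project's code. All names (SavedObject, PermissionCheck, bulkGetWithPermissions, the sample objects) are hypothetical, and treating a failing check as a denial is an assumption of this example.

```typescript
// Added example. All names here are hypothetical, not OpenSearch Dashboards APIs.
interface ItemError { error: string; statusCode: number; message: string }
interface SavedObject {
  id: string;
  type: string;
  attributes?: Record<string, unknown>;
  error?: ItemError;
}
type PermissionCheck = (obj: SavedObject) => Promise<boolean>;

// Same 403 shape as the error literal shown in the PR hunk.
function permissionDenied(): ItemError {
  return { error: 'Invalid saved objects permission', statusCode: 403, message: 'Permission denied' };
}

async function bulkGetWithPermissions(objects: SavedObject[], check: PermissionCheck) {
  let denied = 0;
  const saved_objects = await Promise.all(
    objects.map(async (obj): Promise<SavedObject> => {
      let allowed = false;
      try {
        allowed = await check(obj);
      } catch (err) {
        allowed = false; // Assumption: a failing check is treated as a denial (fail closed).
      }
      if (allowed) return obj;
      denied += 1;
      // Only id and type accompany the error, so no attributes of a denied object leak.
      return { id: obj.id, type: obj.type, error: permissionDenied() };
    })
  );
  // Separate counts let an auditor record successes and failures accurately.
  return { saved_objects, allowed: objects.length - denied, denied };
}

// Constructed sample input: 'ip-1' is readable, 'ip-2' is denied, 'ip-3' makes the check throw.
const sampleObjects: SavedObject[] = [
  { id: 'ip-1', type: 'index-pattern', attributes: { title: 'logs-*' } },
  { id: 'ip-2', type: 'index-pattern', attributes: { title: 'secrets-*' } },
  { id: 'ip-3', type: 'index-pattern', attributes: { title: 'metrics-*' } },
];
const sampleCheck: PermissionCheck = async (obj) => {
  if (obj.id === 'ip-3') throw new Error('permission backend unavailable');
  return obj.id === 'ip-1';
};

bulkGetWithPermissions(sampleObjects, sampleCheck).then((res) =>
  console.log(res.allowed, res.denied, res.saved_objects.map((o) => (o.error ? o.error.statusCode : 200)))
);
```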