opensearch-project · DarshitChanpura · Aug 27, 2024 · Aug 27, 2024 · Aug 30, 2024 · Aug 30, 2024
@@ -0,0 +1,58 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+
+/**
+ * This class contains information on the creator of a resource.
+ * Creator can either be a user or a backend_role.
+ *
+ * @opensearch.experimental
+ */
+public class CreatedBy implements ToXContentFragment {
+
+ private String user;
+
+ private String backendRole;
+
+ public CreatedBy(String user, String backendRole) {
+ this.user = user;
+ this.backendRole = backendRole;
+ }
+
+ public String getBackendRole() {
+ return backendRole;
+ }
+
+ public void setBackendRole(String backendRole) {
+ this.backendRole = backendRole;
+ }
+
+ public String getUser() {
+ return user;
+ }
+
+ public void setUser(String user) {
+ this.user = user;
+ }
+
+ @Override
+ public String toString() {
+ return "CreatedBy {" + "user='" + user + '\'' + ", backendRole='" + backendRole + '\'' + '}';
+ }
+
+ @Override
+ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+ return builder.startObject().field("user", user).field("backend_role", backendRole).endObject();
+ }
+}
@@ -0,0 +1,23 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+/**
+ * This enum contains the type of entities a resource can be shared with.
+ *
+ * @opensearch.experimental
+ */
+public enum EntityType {
+
+ USERS,
+
+ ROLES,
+
+ BACKEND_ROLES,
+}
@@ -0,0 +1,59 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.OpenSearchException;
+import org.opensearch.plugins.NoOpResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourceAccessControlPlugin;
+import org.opensearch.plugins.ResourcePlugin;
+
+import java.util.List;
+import java.util.stream.Collectors;
+
+/**
+ * Resource access control for OpenSearch
+ *
+ * @opensearch.experimental
+ * */
+public class ResourceService {
+ private static final Logger log = LogManager.getLogger(ResourceService.class);
+
+ private final ResourceAccessControlPlugin resourceACPlugin;
+ private final List<ResourcePlugin> resourcePlugins;
+
+ public ResourceService(final List<ResourceAccessControlPlugin> resourceACPlugins, List<ResourcePlugin> resourcePlugins) {
+ this.resourcePlugins = resourcePlugins;
+
+ if (resourceACPlugins.isEmpty()) {
+ log.info("Security plugin disabled: Using NoOpResourceAccessControlPlugin");
+ resourceACPlugin = new NoOpResourceAccessControlPlugin();
+ } else if (resourceACPlugins.size() == 1) {
+ log.info("Security plugin enabled: Using OpenSearchSecurityPlugin");
+ resourceACPlugin = resourceACPlugins.get(0);
+ } else {
+ throw new OpenSearchException(
+ "Multiple resource access control plugins are not supported, found: "
+ + resourceACPlugins.stream().map(Object::getClass).map(Class::getName).collect(Collectors.joining(","))
+ );
+ }
+ }
+
+ /**
+ * Gets the current ResourcePlugin to perform authorization
+ */
+ public ResourceAccessControlPlugin getResourceAccessControlPlugin() {
+ return resourceACPlugin;
+ }
+
+ /**
+ * List active plugins that define resources
+ */
+ public List<ResourcePlugin> listResourcePlugins() {
+ return resourcePlugins;
+ }
+}
@@ -0,0 +1,115 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * A document in .resource_sharing index.
+ * Holds information about the resource (obtained from defining plugin's meta-data),
+ * the index which defines the resources, the creator of the resource,
+ * and the information on whom this resource is shared with.
+ *
+ * @opensearch.experimental
+ */
+public class ResourceSharing implements ToXContentFragment {
+
+ private String sourceIdx;
+
+ private String resourceId;
+
+ private CreatedBy createdBy;
+
+ private ShareWith shareWith;
+
+ public ResourceSharing(String sourceIdx, String resourceId, CreatedBy createdBy, ShareWith shareWith) {
+ this.sourceIdx = sourceIdx;
+ this.resourceId = resourceId;
+ this.createdBy = createdBy;
+ this.shareWith = shareWith;
+ }
+
+ public String getSourceIdx() {
+ return sourceIdx;
+ }
+
+ public void setSourceIdx(String sourceIdx) {
+ this.sourceIdx = sourceIdx;
+ }
+
+ public String getResourceId() {
+ return resourceId;
+ }
+
+ public void setResourceId(String resourceId) {
+ this.resourceId = resourceId;
+ }
+
+ public CreatedBy getCreatedBy() {
+ return createdBy;
+ }
+
+ public void setCreatedBy(CreatedBy createdBy) {
+ this.createdBy = createdBy;
+ }
+
+ public ShareWith getShareWith() {
+ return shareWith;
+ }
+
+ public void setShareWith(ShareWith shareWith) {
+ this.shareWith = shareWith;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ ResourceSharing resourceSharing = (ResourceSharing) o;
+ return Objects.equals(getSourceIdx(), resourceSharing.getSourceIdx())
+ && Objects.equals(getResourceId(), resourceSharing.getResourceId())
+ && Objects.equals(getCreatedBy(), resourceSharing.getCreatedBy())
+ && Objects.equals(getShareWith(), resourceSharing.getShareWith());
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(getSourceIdx(), getResourceId(), getCreatedBy(), getShareWith());
+ }
+
+ @Override
+ public String toString() {
+ return "Resource {"
+ + "sourceIdx='"
+ + sourceIdx
+ + '\''
+ + ", resourceId='"
+ + resourceId
+ + '\''
+ + ", createdBy="
+ + createdBy
+ + ", sharedWith="
+ + shareWith
+ + '}';
+ }
+
+ @Override
+ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+ return builder.startObject()
+ .field("source_idx", sourceIdx)
+ .field("resource_id", resourceId)
+ .field("created_by", createdBy)
+ .field("share_with", shareWith)
+ .endObject();
+ }
+}
@@ -0,0 +1,70 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.accesscontrol.resources;
+
+import org.opensearch.core.xcontent.ToXContentFragment;
+import org.opensearch.core.xcontent.XContentBuilder;
+
+import java.io.IOException;
+import java.util.List;
+
+/**
+ * This class contains information about whom a resource is shared with.
+ * It could be a user-name, a role or a backend_role.
+ *
+ * @opensearch.experimental
+ */
+public class ShareWith implements ToXContentFragment {
+
+ private List<String> users;
+
+ private List<String> roles;
+
+ private List<String> backendRoles;
+
+ public ShareWith(List<String> users, List<String> roles, List<String> backendRoles) {
+ this.users = users;
+ this.roles = roles;
+ this.backendRoles = backendRoles;
+ }
+
+ public List<String> getUsers() {
+ return users;
+ }
+
+ public void setUsers(List<String> users) {
+ this.users = users;
+ }
+
+ public List<String> getRoles() {
+ return roles;
+ }
+
+ public void setRoles(List<String> roles) {
+ this.roles = roles;
+ }
+
+ public List<String> getBackendRoles() {
+ return backendRoles;
+ }
+
+ public void setBackendRoles(List<String> backendRoles) {
+ this.backendRoles = backendRoles;
+ }
+
+ @Override
+ public String toString() {
+ return "ShareWith {" + "users=" + users + ", roles=" + roles + ", backendRoles=" + backendRoles + '}';
+ }
+
+ @Override
+ public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
+ return builder.startObject().field("users", users).field("roles", roles).field("backend_roles", backendRoles).endObject();
+ }
+}
@@ -0,0 +1,39 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+/*
+ * Licensed to Elasticsearch under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * Actions that OpenSearch can take either on the data stored on disk or on other nodes.
+ */
+/*
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+/**
+ * This package defines all classes required for Resource Sharing and Access Control
+ */
+package org.opensearch.accesscontrol.resources;