Skip to content

Commit

Permalink
[Manual Backport 2.x] Manually backports auth tokens, service account…
Browse files Browse the repository at this point in the history
…s, and multi tenancy changes (#2737)

* [Extensions] Generate auth tokens for service accounts (#2716)

* Generate auth tokens for service accounts

Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Stephen Crawford <[email protected]>

* Security User Refactor (#2594)

---------

Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Stephen Crawford <[email protected]>

* Backport service account changes

Signed-off-by: Stephen Crawford <[email protected]>

* Update test

Signed-off-by: Stephen Crawford <[email protected]>

* Optimize imports

Signed-off-by: Stephen Crawford <[email protected]>

* Spotless

Signed-off-by: Stephen Crawford <[email protected]>

* fix plugin

Signed-off-by: Stephen Crawford <[email protected]>

* fix whitespace

Signed-off-by: Stephen Crawford <[email protected]>

* Fix multitency config update (#2758)

Moved multi-tenancy to REST API implementation

Signed-off-by: Andrey Pleskach <[email protected]>

* Remove SSLCertsAction

Signed-off-by: Stephen Crawford <[email protected]>

* Fix dependency

Signed-off-by: Stephen Crawford <[email protected]>

* fix tenancy tests

Signed-off-by: Stephen Crawford <[email protected]>

---------

Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Stephen Crawford <[email protected]>
Signed-off-by: Andrey Pleskach <[email protected]>
Co-authored-by: Andrey Pleskach <[email protected]>
  • Loading branch information
stephen-crawford and willyborankin authored May 17, 2023
1 parent dae8f76 commit fa33fc5
Show file tree
Hide file tree
Showing 27 changed files with 1,155 additions and 855 deletions.
34 changes: 22 additions & 12 deletions src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Original file line number Diff line number Diff line change
Expand Up @@ -116,11 +116,6 @@
import org.opensearch.search.query.QuerySearchResult;
import org.opensearch.security.action.configupdate.ConfigUpdateAction;
import org.opensearch.security.action.configupdate.TransportConfigUpdateAction;
import org.opensearch.security.action.tenancy.TenancyConfigRestHandler;
import org.opensearch.security.action.tenancy.TenancyConfigRetrieveActions;
import org.opensearch.security.action.tenancy.TenancyConfigRetrieveTransportAction;
import org.opensearch.security.action.tenancy.TenancyConfigUpdateAction;
import org.opensearch.security.action.tenancy.TenancyConfigUpdateTransportAction;
import org.opensearch.security.action.whoami.TransportWhoAmIAction;
import org.opensearch.security.action.whoami.WhoAmIAction;
import org.opensearch.security.auditlog.AuditLog;
Expand Down Expand Up @@ -179,6 +174,7 @@
import org.opensearch.security.transport.InterClusterRequestEvaluator;
import org.opensearch.security.transport.SecurityInterceptor;
import org.opensearch.security.user.User;
import org.opensearch.security.user.UserService;
import org.opensearch.tasks.Task;
import org.opensearch.threadpool.ThreadPool;
import org.opensearch.transport.RemoteClusterService;
Expand Down Expand Up @@ -207,6 +203,7 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
private volatile SecurityRestFilter securityRestHandler;
private volatile SecurityInterceptor si;
private volatile PrivilegesEvaluator evaluator;
private volatile UserService userService;
private volatile ThreadPool threadPool;
private volatile ConfigurationRepository cr;
private volatile AdminDNs adminDns;
Expand Down Expand Up @@ -364,7 +361,9 @@ public List<Path> run() {
final List<String> files = AccessController.doPrivileged(new PrivilegedAction<List<String>>() {
@Override
public List<String> run() {

final Path confPath = new Environment(settings, configPath).configFile().toAbsolutePath();

if(Files.isDirectory(confPath, LinkOption.NOFOLLOW_LINKS)) {
try (Stream<Path> s = Files.walk(confPath)) {
return s.distinct().map(p -> sha256(p)).collect(Collectors.toList());
Expand Down Expand Up @@ -477,15 +476,26 @@ public List<RestHandler> getRestHandlers(Settings settings, RestController restC
handlers.add(new DashboardsInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool)));
handlers.add(new TenantInfoAction(settings, restController, Objects.requireNonNull(evaluator), Objects.requireNonNull(threadPool),
Objects.requireNonNull(cs), Objects.requireNonNull(adminDns), Objects.requireNonNull(cr)));
handlers.add(new TenancyConfigRestHandler());
handlers.add(new SecurityConfigUpdateAction(settings, restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
handlers.add(new SecurityWhoAmIAction(settings ,restController,Objects.requireNonNull(threadPool), adminDns, configPath, principalExtractor));
if (sslCertReloadEnabled) {
handlers.add(new SecuritySSLReloadCertsAction(settings, restController, sks, Objects.requireNonNull(threadPool), Objects.requireNonNull(adminDns)));
}
final Collection<RestHandler> apiHandlers = SecurityRestApiActions.getHandler(settings, configPath, restController, localClient, adminDns, cr, cs, principalExtractor, evaluator, threadPool, Objects.requireNonNull(auditLog));
handlers.addAll(apiHandlers);
log.debug("Added {} management rest handler(s)", apiHandlers.size());

handlers.addAll(
SecurityRestApiActions.getHandler(
settings,
configPath,
restController,
localClient,
adminDns,
cr, cs, principalExtractor,
evaluator,
threadPool,
Objects.requireNonNull(auditLog),
Objects.requireNonNull(userService))
);
log.debug("Added {} rest handler(s)", handlers.size());
}
}

Expand All @@ -508,8 +518,6 @@ public UnaryOperator<RestHandler> getRestHandlerWrapper(final ThreadContext thre
if(!disabled && !SSLConfig.isSslOnlyMode()) {
actions.add(new ActionHandler<>(ConfigUpdateAction.INSTANCE, TransportConfigUpdateAction.class));
actions.add(new ActionHandler<>(WhoAmIAction.INSTANCE, TransportWhoAmIAction.class));
actions.add(new ActionHandler<>(TenancyConfigRetrieveActions.INSTANCE, TenancyConfigRetrieveTransportAction.class));
actions.add(new ActionHandler<>(TenancyConfigUpdateAction.INSTANCE, TenancyConfigUpdateTransportAction.class));
}
return actions;
}
Expand Down Expand Up @@ -810,6 +818,8 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl

cr = ConfigurationRepository.create(settings, this.configPath, threadPool, localClient, clusterService, auditLog);

userService = new UserService(cs, cr, settings, localClient);

final XFFResolver xffResolver = new XFFResolver(threadPool);
backendRegistry = new BackendRegistry(settings, adminDns, xffResolver, auditLog, threadPool);

Expand Down Expand Up @@ -866,6 +876,7 @@ public Collection<Object> createComponents(Client localClient, ClusterService cl
components.add(evaluator);
components.add(si);
components.add(dcf);
components.add(userService);


return components;
Expand Down Expand Up @@ -1172,7 +1183,6 @@ public static class GuiceHolder implements LifecycleComponent {
private static RepositoriesService repositoriesService;
private static RemoteClusterService remoteClusterService;
private static IndicesService indicesService;

private static PitService pitService;

private static ExtensionsManager extensionsManager;
Expand Down

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

Loading

0 comments on commit fa33fc5

Please sign in to comment.