Rest admin permissions

[willyborankin]

Description

The aim of this PR is to introduce authorization mechanism for endpoints not only for the super admin
but for users with certain permissions.
Endpoints are:

• nodesdn
• allowlist
• actiongroup
• user / internalusers
• roles
• rolesmapping
• tenants

Each endpoint has its own permission:
- restapi:admin/actiongroups - full access to action groups
- restapi:admin/allowlist - full access to allow list
- restapi:admin/internalusers - full access to internal users
- restapi:admin/nodesdn - full access to nodes DN
- restapi:admin/roles - full access to roles
- restapi:admin/rolesmapping - full access to roles mapping
- restapi:admin/ssl/certs/info - full access to SSL certs info
- restapi:admin/ssl/certs/reload - full access to SSL certs reload
- restapi:admin/tenants - full access to tenants

The role with such permissions it is possible to create via static configuration,
all attempts to create roles, roles mapping or action group with such permissions are forbidden except super admin and the user with the certain permission.

Issues Resolved

#1878

Is this a backport? If so, please add backport PR # and/or commits #
So far not but I think it is possible.

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

• unit testing done

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

Just starting to review, thanks for the contribution!

[peternied]

Seems like they are admin if this block is hit, typo?

[willyborankin]

Ahh sure must be Super Admin

[peternied]

Thorough job! Thank you for also expanding out the test coverage for non-admin cert super user cases.

I've called out some code I'd like to see changed and some areas I've got questions. Thanks!

[stephen-crawford]

For my own understanding, is there a reason we need this to be protected vs. public?

[willyborankin]

Yes no reasons. Will move protected and use public

[stephen-crawford]

Is this return ternary condition backwards? Isn't this saying "if wildcardmatcher.matches(any) return "NONE" else return "m"" and don't you want it to be the other way around?

I may be misinterpreting this statement.

[willyborankin]

This way Im trying to avoid of such configuration:

all_access:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
    - "*"

so any user without restapi:admin/* permission does not have access to the endpoint. TBH I do not like it maybe better solution exists?

[stephen-crawford]

Gotcha, that makes sense given what you are trying to do. Perhaps you could leave a short comment mentioning this?

[willyborankin]

Sure will add.

[DarshitChanpura]

Also, could you add a test to verify this behavior, which explicitly tests *, restapi:admin/*, restapi:admin/<some-specific-action>, and <any-other-random-action>

[cwperks]

admin gets assigned to all_access by default here: https://github.com/opensearch-project/security/blob/main/config/roles_mapping.yml#L13-L17

This will mean that admin does not get the restapi:* permissions by default, right? If not, then the role would need to be updated or a new role created using the API, securityadmin or by creating a brand new security index in a new cluster.

If admin currently has the ability to use the REST APIs, then after this change the admin should still be able to modify the securityconfig via API by default. I'm not positive of the behavior, but will follow-up after testing.

@willyborankin What do you think about this? all_access that gives all API access and a new role that has permissions cluster:* and indices:*.

all_access:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all APIs"
  cluster_permissions:
    - "*"

all_cluster_and_indices:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
    - "cluster:*"
    - "indices:*"

[stephen-crawford]

Should these tests be moved into the new SSL test class you made?

[willyborankin]

Like with Actions tests need to be cleaned to make it more readable and better to support. I haven't touched them yet just to avoid of breaking everything.

[stephen-crawford]

That makes sense. Your contribution is greatly appreciated.

[DarshitChanpura]

Thank you @willyborankin for this detailed contribution! One generic request, could you please add javadoc for classes/methods you introduced.

[DarshitChanpura]

Following defaults of Boolean, this should return false by default and the implementers can override to return true if needed.

[DarshitChanpura]

Also, could you add a test to verify this behavior, which explicitly tests *, restapi:admin/*, restapi:admin/<some-specific-action>, and <any-other-random-action>

[DarshitChanpura]

nit: can remove this sysout?

[willyborankin]

Sure leftovers :-)

[cwperks]

@willyborankin Thank you for the PR! I took a first pass and I've got a few questions around the PR, but overall I think this is a good base to continue working from. My biggest concern here is the change to isSuperAdmin() and that it looks like the default admin permissions may change to not allow the admin to use the API until explicitly granted. Let us know if you have any questions.

[cwperks]

nit: Can the json be formatted in this comment similar to how it was in SecuritySSLCertsInfoAction?

[cwperks]

admin gets assigned to all_access by default here: https://github.com/opensearch-project/security/blob/main/config/roles_mapping.yml#L13-L17

This will mean that admin does not get the restapi:* permissions by default, right? If not, then the role would need to be updated or a new role created using the API, securityadmin or by creating a brand new security index in a new cluster.

If admin currently has the ability to use the REST APIs, then after this change the admin should still be able to modify the securityconfig via API by default. I'm not positive of the behavior, but will follow-up after testing.

@willyborankin What do you think about this? all_access that gives all API access and a new role that has permissions cluster:* and indices:*.

all_access:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all APIs"
  cluster_permissions:
    - "*"

all_cluster_and_indices:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
    - "cluster:*"
    - "indices:*"

[cwperks]

The implementation for this function should not change. Super admin is reserved in the security plugin to indicate that a user is using client cert authentication and the principal of the cert matches a configured admin_dn in opensearch.yml.

[willyborankin]

and it isn't change. I just move this check here: https://github.com/willyborankin/security/blob/5110fb1fb7a673177641a6803cbc16ea56b24ec4/src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java#L98. I think it is better to keep this code in one place instead of:

if (adminDNs.isAdmin(user.getName()) && ....)

otherwise tests wont pass for existing behave

[willyborankin]

@cwperks Regarding admin and current roles. True I missed it!. I think split up roles is a good idea otherwise the end user can easily shoot their foot and cluster could be compromised. An alternative solution would be just forbid to create any role, roles mappings and action group for such permissions and config them ones before cluster up and running but I'm not sure that this is a good idea. Just to be on the same page you idea is to introduce:

all_cluster_and_indices:
  reserved: true
  hidden: false
  static: true
  description: "Allow full access to all indices and all cluster APIs"
  cluster_permissions:
    - "cluster:*"
    - "indices:*"

and assign admin by default to it right?

[cwperks]

I believe the default configuration gives admin the permission to perform:

nodesdn
allowlist
actiongroup
user / internalusers
roles
rolesmapping
tenants

but not

reloadcerts

Only the superadmin (connected via client cert) can perform reloadcerts now.

After this change I would still expect the admin to perform the same actions without additional config.

Thank you for addressing all of the PR comments right away, this change looks good to me. Thank you for the contribution!

[cwperks]

This log message is the opposite of what it should be. The original block in RestApiPrivilegesEvaluator was:

if (!adminDNs.isAdminDN(sslInfo.getPrincipal())) {
	logger.warn("Security admin permissions required but {} is not an admin", sslInfo.getPrincipal());
	return "Security admin permissions required but " + sslInfo.getPrincipal() + " is not an admin";
}

if the user is connecting with admin dn then they are said to be super admin and have privileges to perform all actions in the cluster.

[willyborankin]

ok will change np.

[willyborankin]

Ahhh sorry misread the comment. The code in the master:

User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
return adminDNs.isAdmin(user);

I only added a debug message. The purpose of isSuperAdmin() stays the same. RestApiAdminPrivilegesEvaluator just adds additional check for the permission nothing more since the logged in user can has such permissions to change e.g. hidden or reserved fields. Maybe the name for the class RestApiAdminPrivilegesEvaluator needs to be changed for better understanding what it does. WDYT?

[cwperks]

If the user is assigned restapi:admin/* what is the purpose of the isSuperAdmin() check? I saw that the implementation of isSuperAdmin was also changed in this PR, but it has a specific meaning in the security plugin.

Curious, why not follow a similar pattern to cluster permissions where in ConfigModelV7 and ConfigModelV6 there is a WildcardMatcher that tests the given action to see if it matches permissions that the user is assigned.

See https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java#L544-L546

[peternied]

All my feedback has been addressed, thanks!

[cwperks]

FYI @willyborankin, I just stumbled upon a feature of the security plugin I was unfamiliar with before today. There is a config setting called plugins.security.restapi.roles_enabled. i.e. plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] - https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh#L378

This config setting gives users of that role access to the security APIs as well.

[DarshitChanpura]

Thank you for this contribution @willyborankin!

[DarshitChanpura]

this is awesome.. Thank you!

[willyborankin]

FYI @willyborankin, I just stumbled upon a feature of the security plugin I was unfamiliar with before today. There is a config setting called plugins.security.restapi.roles_enabled. i.e. plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] - https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh#L378

This config setting gives users of that role access to the security APIs as well.

FYI @willyborankin, I just stumbled upon a feature of the security plugin I was unfamiliar with before today. There is a config setting called plugins.security.restapi.roles_enabled. i.e. plugins.security.restapi.roles_enabled: ["all_access", "security_rest_api_access"] - https://github.com/opensearch-project/security/blob/main/tools/install_demo_configuration.sh#L378

This config setting gives users of that role access to the security APIs as well.

@cwperks Terribly sorry, was planning to add my comments today. I was on vacation previous week and this one was in the different city to meet my team :-). Only had time to push my changes.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2411-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d676716e83d1ab387e9e6a0c0f3284e39ed967f5
# Push it to GitHub
git push --set-upstream origin backport/backport-2411-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2411-to-2.x.

[cwperks]

@willyborankin @reta Apologies for not adding the backport label earlier. There is a code freeze for 2.6 EOD today and I have been going through PRs to ensure the backport label was added for PRs that should be backported. If this featured should be shipped in one of the 2.x releases can someone look into creating a manual backport?

[willyborankin]

Sure will do tomorrow.

[opensearch-trigger-bot]

The backport to 2.8 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.8 2.8
# Navigate to the new working tree
cd .worktrees/backport-2.8
# Create a new branch
git switch --create backport/backport-2411-to-2.8
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d676716e83d1ab387e9e6a0c0f3284e39ed967f5
# Push it to GitHub
git push --set-upstream origin backport/backport-2411-to-2.8
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.8

Then, create a pull request where the base branch is 2.8 and the compare/head branch is backport/backport-2411-to-2.8.