New algorithm for resolving action groups #4448
Conversation
Signed-off-by: Nils Bandener <[email protected]>
nibix
requested review from
cliu123,
cwperks,
DarshitChanpura,
peternied,
RyanL1997,
stephen-crawford,
reta and
willyborankin
as code owners
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4448 +/- ##
==========================================
+ Coverage 65.45% 65.48% +0.03%
==========================================
Files 312 313 +1
Lines 22042 22064 +22
Branches 3559 3562 +3
==========================================
+ Hits 14427 14449 +22
+ Misses 5843 5840 -3
- Partials 1772 1775 +3
|
src/test/java/org/opensearch/security/securityconf/FlattenedActionGroupsTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Nils Bandener <[email protected]>
There was a problem hiding this comment.
Thank you @nibix! This change looks good to me. One scenario I'd like to see covered would be a change in action group and verify its reflected in the new FlattenedActionGroups data structure.
Would it make sense to included the flattened actions in the API response for GET _plugins/_security/api/actiongroups/<action-group>?
https://opensearch.org/docs/latest/security/access-control/api/#get-action-group
There was a problem hiding this comment.
@nibix the changes look good to me. Would the new runtime be more linear compared to the older implementation because we are using a combination of BFS + DFS?
This is certainly an important thing to test. However, such configuration updates are handled by the There used to be an integration test which would test what you are asking for - that is, it changed action groups via API and tested the effectiveness of these changes via normal user operations. That was at https://github.com/opensearch-project/security/blob/069249656970e839302a0d3b8b87c82fbf3e56cc/src/test/java/org/opensearch/security/dlic/rest/api/ActionGroupsApiTest.java . There was recently a refactor of this test in #4371. I quickly skimmed the replacement code and could not find any logic which tests the effectiveness of the modified configuration, but maybe I missed something? |
The major gain comes from the fact that we calculate the resolved action group space only once instead of re-calculating it again and again for each action privilege configuration. Additionally, by using an iterative algorithm instead of a recursive algorithm it is easier for us to detect that resolution has finished and abort early. That give some more gain. However, all these gains only pertain to the config reload phase and not to the actual privilege evaluation. |
|
Merging this since we have approvals. Any discussions can be addressed in follow-up PRs. |
Signed-off-by: Nils Bandener <[email protected]> (cherry picked from commit 20291a9) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
This code change is just in preparation for the change in #4380 as requested in #4416 (review) .
This replaces the previous action group resolution algorithm done in ConfigModelV7 by a new one, which has a number of enhancements:
Testing
org.opensearch.security.securityconf.FlattenedActionGroupsTestCheck List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.