Adding index permissions for remote index in AD #4719

Merged
merged 1 commit into from
Sep 9, 2024

@amitgalitz amitgalitz commented Sep 9, 2024

Description

Adding a few more index permissions for AD full access role. This is due to the fact we now make some additional calls during detector creation to get all necessary information from the remote clusters.

Issues Resolved

opensearch-project/anomaly-detection-dashboards-plugin#854

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.


codecov bot commented Sep 9, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 65.53%. Comparing base (31cfd54) to head (bd01a47).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4719      +/-   ##
==========================================
+ Coverage   65.51%   65.53%   +0.02%     
==========================================
  Files         319      319              
  Lines       22448    22448              
  Branches     3602     3602              
==========================================
+ Hits        14707    14712       +5     
+ Misses       5933     5927       -6     
- Partials     1808     1809       +1     

see 3 files with indirect coverage changes

@cwperks cwperks added backport 2.x backport to 2.x branch backport 2.17 backport to 2.17 branch labels Sep 9, 2024
@cwperks cwperks merged commit 2dbc508 into opensearch-project:main Sep 9, 2024
44 checks passed
@opensearch-trigger-bot

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4719-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 2dbc508676a33bb2b81cf58a82abb603b2aacc6e
# Push it to GitHub
git push --set-upstream origin backport/backport-4719-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4719-to-2.x.

@opensearch-trigger-bot

The backport to 2.17 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.17 2.17
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.17
# Create a new branch
git switch --create backport/backport-4719-to-2.17
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 2dbc508676a33bb2b81cf58a82abb603b2aacc6e
# Push it to GitHub
git push --set-upstream origin backport/backport-4719-to-2.17
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.17

Then, create a pull request where the base branch is 2.17 and the compare/head branch is backport/backport-4719-to-2.17.

amitgalitz added a commit to amitgalitz/security that referenced this pull request Sep 9, 2024
kaituo added a commit to kaituo/anomaly-detection-1 that referenced this pull request Sep 11, 2024
This PR addresses errors in security tests caused by recent changes in opensearch-project/security#4719. Previously, users needed both AD full access and source index permissions to fully utilize anomaly detection (AD). AD full access has already included all alias and mapping permissions. It was inconsistent not to include index search permission, which would otherwise force users to create an additional role. The change in the referenced PR aimed to simplify user management.

Due to this change, existing security tests that relied on a user having AD full access but lacking data search permission would no longer trigger the expected search permission exception. This PR addresses that issue by creating a new user role with only AD read permission (note we didn't change ad read access permission in the referenced PR) and without source index search permission, ensuring the tests correctly validate the lack of search permissions.

Testing Done:
* Verified that previously failing security tests now pass

Signed-off-by: Kaituo Li <[email protected]>
kaituo added a commit to opensearch-project/anomaly-detection that referenced this pull request Sep 11, 2024
opensearch-trigger-bot bot pushed a commit to opensearch-project/anomaly-detection that referenced this pull request Sep 11, 2024
(cherry picked from commit 0aebc6d)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
kaituo pushed a commit to opensearch-project/anomaly-detection that referenced this pull request Sep 11, 2024
…1309)

(cherry picked from commit 0aebc6d)

Signed-off-by: Kaituo Li <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
kaituo pushed a commit to opensearch-project/anomaly-detection that referenced this pull request Sep 11, 2024
…1310)

(cherry picked from commit 0aebc6d)

Signed-off-by: Kaituo Li <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
tmanninger pushed a commit to tmanninger/opensearch-security that referenced this pull request Sep 24, 2024
Labels
backport 2.x backport to 2.x branch backport 2.17 backport to 2.17 branch backport-failed