From 5464bfc6cea1ce257a8b88e4c79cb9a74b007d37 Mon Sep 17 00:00:00 2001
From: Vamsi Manohar
Date: Mon, 22 Apr 2024 13:15:56 -0700
Subject: [PATCH] Throw OpensearchSecurityException incase of datasource authorization error (#2626)
Signed-off-by: Vamsi Manohar
---
 .../auth/DataSourceUserAuthorizationHelperImpl.java | 7 +++++--
 .../DataSourceUserAuthorizationHelperImplTest.java | 12 ++++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/datasources/src/main/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImpl.java b/datasources/src/main/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImpl.java
index 67d747f0bf..c8f6754710 100644
--- a/datasources/src/main/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImpl.java
+++ b/datasources/src/main/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImpl.java
@@ -9,9 +9,11 @@
 import java.util.List;
 import lombok.AllArgsConstructor;
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.client.Client;
 import org.opensearch.commons.ConfigConstants;
 import org.opensearch.commons.authuser.User;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.sql.datasource.model.DataSourceMetadata;
 @AllArgsConstructor
@@ -49,11 +51,12 @@ public void authorizeDataSource(DataSourceMetadata dataSourceMetadata) {
 }
 }
 if (!isAuthorized) {
- throw new SecurityException(
+ throw new OpenSearchSecurityException(
 String.format(
 "User is not authorized to access datasource %s. "
 + "User should be mapped to any of the roles in %s for access.",
- dataSourceMetadata.getName(), dataSourceMetadata.getAllowedRoles().toString()));
+ dataSourceMetadata.getName(), dataSourceMetadata.getAllowedRoles().toString()),
+ RestStatus.UNAUTHORIZED);
 }
 }
 }
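Review bot: `RestStatus.UNAUTHORIZED` on the new throw reports a role-based denial as 401, although the message itself says the user is known and only lacks one of the datasource's allowed roles; 403 is the status for that case, so the last argument should be `RestStatus.FORBIDDEN);`. A 401 invites clients to re-authenticate and makes role denials hard to tell apart from failed logins in access logs and alerting. Separately, the message still returns `getAllowedRoles()` to the user who was just denied, which exposes the datasource's role mapping; consider writing the role list to a server-side log and returning only the datasource name. authorizeDataSource begins above this hunk, so how `isAuthorized` is computed is not visible here.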
diff --git a/datasources/src/test/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImplTest.java b/datasources/src/test/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImplTest.java
index 6471fd03f7..761115b7af 100644
--- a/datasources/src/test/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImplTest.java
+++ b/datasources/src/test/java/org/opensearch/sql/datasources/auth/DataSourceUserAuthorizationHelperImplTest.java
@@ -9,6 +9,7 @@
 import java.util.List;
 import org.junit.Assert;
+import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Answers;
@@ -16,7 +17,9 @@
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.client.Client;
+import org.opensearch.core.rest.RestStatus;
 import org.opensearch.sql.datasource.model.DataSourceMetadata;
 import org.opensearch.sql.datasource.model.DataSourceType;
@@ -90,14 +93,15 @@ public void testAuthorizeDataSourceWithException() {
 .getTransient(OPENSEARCH_SECURITY_USER_INFO_THREAD_CONTEXT))
 .thenReturn(userString);
 DataSourceMetadata dataSourceMetadata = dataSourceMetadata();
- SecurityException securityException =
+ OpenSearchSecurityException openSearchSecurityException =
 Assert.assertThrows(
- SecurityException.class,
+ OpenSearchSecurityException.class,
 () -> this.dataSourceUserAuthorizationHelper.authorizeDataSource(dataSourceMetadata));
- Assert.assertEquals(
+ Assertions.assertEquals(
 "User is not authorized to access datasource test. "
 + "User should be mapped to any of the roles in [prometheus_access] for access.",
- securityException.getMessage());
+ openSearchSecurityException.getMessage());
+ Assertions.assertEquals(RestStatus.UNAUTHORIZED, openSearchSecurityException.status());
 }
 private DataSourceMetadata dataSourceMetadata() {
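Review bot: The rewritten test now mixes two assertion libraries: `Assert.assertThrows(` is still JUnit 4's org.junit.Assert, while both `Assertions.assertEquals` calls are Jupiter. Since the test uses Jupiter's `@Test` and `MockitoExtension`, change the remaining call to `Assertions.assertThrows(`; the `org.junit.Assert` import can then go if no test outside this hunk still uses it. The test also covers only the denied path's status, so a companion assertion that an allowed role does not throw would keep the authorization check pinned in both directions, unless an existing test outside this hunk already does that. The test method starts above the hunk.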