dashboard admin(groups/users) implementation and integrating with dynamic application config #303
… test This reverts commit 47e10e4.
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## workspace-pr-integr #303 +/- ##
========================================================
+ Coverage 35.17% 55.93% +20.76%
========================================================
Files 1885 2254 +369
Lines 36421 42172 +5751
Branches 6672 7487 +815
========================================================
+ Hits 12810 23590 +10780
+ Misses 22761 17225 -5536
- Partials 850 1357 +507
Flags with carried forward coverage won't be shown.
const adminGroups = config?.dashboardAdmin?.groups || []; | ||
const adminUsers = config?.dashboardAdmin?.users || []; | ||
const groupMatchAny = groups?.some((group) => adminGroups.includes(group)) || false; | ||
const userMatchAny = users?.some((user) => adminUsers.includes(user)) || false; |
Shall we remove ? after users and groups?
I will delete invalid ?
config/opensearch_dashboards.yml
# Set the backend roles in groups or users, whoever has the backend roles or exactly match the user ids defined in this config will be regard as dashboard admin. | ||
# Dashboard admin will have the access to all the workspaces and objects inside OpenSearch Dashboards. | ||
# workspace.dashboardAdmin.groups: ["dashboard_admin"] | ||
# workspace.dashboardAdmin.users: ["dashboard_admin"] |
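Review bot: The first comment line of this hunk reads "will be regard as dashboard admin"; it should be "will be regarded as", and the sentence does not say which of the two keys is matched against backend roles and which against user ids. Since these settings grant access to all workspaces and objects, state that mapping explicitly, and use distinct sample values instead of "dashboard_admin" for both keys so the two are not mistaken for the same kind of identifier.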
The naming workspace.dashboardAdmin may confuse me, it sounds like the admin for dashboard type only. I came up with a few names like workspace.dashboardsAdmin, workspace.admin or workspace.superAdmin
workspace.admin may be confusing as admin of workspace stands for the users who have write permission on specific workspaces, vote for superAdmin.
If there is no configuration named workspace.admin, would workspace.superAdmin also be confusing?
@@ -140,6 +144,24 @@ export class WorkspaceSavedObjectsClientWrapper { | |||
return false; | |||
}; | |||
|
|||
private isDashboardAdmin(request: OpenSearchDashboardsRequest): boolean { |
Prefer renaming to isRequestByDashboardAdmin.
Done
…shboards into pr-integr-dashboard-admin
Signed-off-by: yubonluo <[email protected]>
@@ -83,8 +88,35 @@ export class WorkspacePlugin implements Plugin<{}, {}> { | |||
if (isPermissionControlEnabled) { |
Shall we move the permission control logic to a separate method like setupPermission? It seems over 30 lines.
Sure, I have moved the related logic to a separate setupPermission method.
@@ -66,8 +70,32 @@ const getDefaultValuesForEmpty = <T>(values: T[] | undefined, defaultValues: T[] | |||
return !values || values.length === 0 ? defaultValues : values; | |||
}; | |||
|
|||
export const isRequestByDashboardAdmin = ( |
Prefer move to some utils file
Have moved to src/plugins/workspace/server/utils.ts and added a unit test.
@@ -51,6 +51,8 @@ const repositoryKit = (() => { | |||
|
|||
const permittedRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
const notPermittedRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
const groupIsDashboardAdminRequest = httpServerMock.createOpenSearchDashboardsRequest(); | |||
const UserIdIsDashboardAdminRequest = httpServerMock.createOpenSearchDashboardsRequest(); |
Prefer renaming to userIdIsDashboardAdminRequest
There is no relevant logic of users/groups in the wrapper, so I uniformly use the dashboardAdminRequest name in the test file.
@@ -59,6 +61,8 @@ describe('WorkspaceSavedObjectsClientWrapper', () => { | |||
let osd: TestOpenSearchDashboardsUtils; | |||
let permittedSavedObjectedClient: SavedObjectsClientContract; | |||
let notPermittedSavedObjectedClient: SavedObjectsClientContract; | |||
let groupIsDashboardAdminSavedObjectedClient: SavedObjectsClientContract; | |||
let UserIdIsdashboardAdminSavedObjectedClient: SavedObjectsClientContract; |
Prefer userIdIsdashboardAdminSavedObjectedClient
There is no relevant logic of users/groups in the wrapper, so I uniformly use the dashboardAdminSavedObjectedClient name in the test file.
request, | ||
adminGroups ? [adminGroups] : [], | ||
adminUsers ? [adminUsers] : [], | ||
this.permissionControl! |
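Review bot: `adminGroups ? [adminGroups] : []` and the matching `adminUsers` line wrap the configured value in a new array. The sample config on this page gives workspace.dashboardAdmin.groups and workspace.dashboardAdmin.users as lists, so if these variables hold those lists the callee receives a nested array, and a string membership check against it can never match, which silently disables the admin setting. Pass the list through unchanged with an empty-list default, or normalise the value once where the config is read.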
Should we use assert here, permissionControl is inited above and its type is fixed.
You are right, the relevant logic has been deleted.
groups: string[], | ||
users: string[], |
Nit: I'd recommend combine these two params into a param named principals: Principals.
I think using deconstructed code is more conducive to subsequent use.
@@ -55,12 +60,98 @@ export class WorkspacePlugin implements Plugin<{}, {}> { | |||
}); | |||
} | |||
|
|||
private isRequestByDashboardAdmin( |
Can be a util function inside another file.
Have moved to src/plugins/workspace/server/utils.ts and added a unit test.
|
||
private async setupPermission( | ||
core: CoreSetup, | ||
config: WorkspacePluginConfigType, |
Can we leverage the existing property config$?
Done
} catch (e) { | ||
return toolkit.next(); | ||
} | ||
if (groups.length === 0 && users.length === 0) { |
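Review bot: The `catch (e)` block at the top of this hunk discards the error and calls `toolkit.next()`, so a failure in the preceding `try` leaves no trace while the request continues. Log `e` there and make the resulting admin state explicit (not admin) before continuing, so the outcome of the failure path is deliberate and visible. The `groups.length === 0 && users.length === 0` branch should also carry a comment naming the case it is meant to cover, because what a request with no principals is allowed to do is an authorization decision.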
If the cluster does not require authentication, anyone can be dashboardAdmin I think.
@ruanyl @wanglam @raintygao what do you think?
Makes sense, a bit like OSD without security plugin installed that will have almost admin permissions. Also want to hear others' thoughts.
You mean to update isDashboardAdmin state to true if groups.length === 0 && users.length === 0 when both the security plugin and savedObject.permission.enabled are open.
updateWorkspaceState(request, { | ||
isDashboardAdmin: groupMatchAny || userMatchAny, | ||
}); |
From the function name, I do not think it appropriate to update anything inside this function.
Sure, I will change the function name to updateDashboardAdminStateForRequest
@ruanyl If you have any concerns, please help me view this PR.
this.workspaceSavedObjectsClientWrapper.wrapperFactory | ||
); | ||
} | ||
if (isPermissionControlEnabled) await this.setupPermission(core, { applicationConfig }); |
Seems the await is not needed here.
@@ -64,12 +70,80 @@ export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePl | |||
}); | |||
} | |||
|
|||
private async setupPermission( |
No need to declare as a async function here I think
updateWorkspaceState(request, { | ||
isDashboardAdmin: false, | ||
}); |
Why don't we use updateDashboardAdminStateForRequest method here?
If users/groups is null, we can prevent the program from running down in advance. Meanwhile, configGroups/configUsers has not been obtained.
configGroups ? [configGroups] : [], | ||
configUsers ? [configUsers] : [] |
configGroups ? [configGroups] : [], | |
configUsers ? [configUsers] : [] | |
configGroups ? configGroups : [], | |
configUsers ? configUsers : [] |
configGroups and configUsers should already be array I think?
…shboards into pr-integr-dashboard-admin
import { getWorkspaceState } from '../../../core/server/utils'; | ||
import { AppPluginSetupDependencies } from './types'; | ||
import { Observable, of } from 'rxjs'; | ||
import { error } from 'console'; |
What's this used for?
I will use throw new Error('') to replace it.
This reverts commit 47e10e4.
Description
dashboard admin(groups/users) implementation and integrating with dynamic application config
Issues Resolved
Screenshot
Testing the changes
This function can only be used when the workspace and security plugin are open.
If you want to turn on dynamic application configuration, you must change opensearch_dashboards.yml:
Below is the CURL command to view all configurations.
Below is the CURL command to view the configuration of an entity.
Below is the CURL command to update the configuration of an entity.
Below is the CURL command to delete the configuration of an entity.
Check List
yarn test:jest
yarn test:jest_integration