dashboard admin(groups/users) implementation and integrating with dynamic application config #303
Changes from 21 commits
72fc938
29236e3
22323c1
f9666a0
123c87e
166451a
363aeaa
c8bb0b5
74d9a26
a07dde0
518cd75
dc77999
71c20d9
c61dac9
0bf41b3
f0c1b5d
2018bdf
979851a
3a70922
a69cc58
7d83f48
f50093f
e9fd21a
909af1c
b342950
27d95fe
acfb166
|
@@ -18,7 +18,12 @@ import { | |||||||||
WORKSPACE_CONFLICT_CONTROL_SAVED_OBJECTS_CLIENT_WRAPPER_ID, | ||||||||||
WORKSPACE_ID_CONSUMER_WRAPPER_ID, | ||||||||||
} from '../common/constants'; | ||||||||||
import { IWorkspaceClientImpl, WorkspacePluginSetup, WorkspacePluginStart } from './types'; | ||||||||||
import { | ||||||||||
IWorkspaceClientImpl, | ||||||||||
WorkspacePluginSetup, | ||||||||||
WorkspacePluginStart, | ||||||||||
AppPluginSetupDependencies, | ||||||||||
} from './types'; | ||||||||||
import { WorkspaceClient } from './workspace_client'; | ||||||||||
import { registerRoutes } from './routes'; | ||||||||||
import { WorkspaceSavedObjectsClientWrapper } from './saved_objects'; | ||||||||||
|
@@ -32,6 +37,7 @@ import { | |||||||||
SavedObjectsPermissionControl, | ||||||||||
SavedObjectsPermissionControlContract, | ||||||||||
} from './permission_control/client'; | ||||||||||
import { updateDashboardAdminStateForRequest } from './utils'; | ||||||||||
import { WorkspaceIdConsumerWrapper } from './saved_objects/workspace_id_consumer_wrapper'; | ||||||||||
|
||||||||||
export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePluginStart> { | ||||||||||
|
@@ -64,12 +70,80 @@ export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePl | |||||||||
}); | ||||||||||
} | ||||||||||
|
||||||||||
private async setupPermission( | ||||||||||
core: CoreSetup, | ||||||||||
{ applicationConfig }: AppPluginSetupDependencies | ||||||||||
) { | ||||||||||
this.permissionControl = new SavedObjectsPermissionControl(this.logger); | ||||||||||
|
||||||||||
core.http.registerOnPostAuth(async (request, response, toolkit) => { | ||||||||||
let groups: string[]; | ||||||||||
let users: string[]; | ||||||||||
|
||||||||||
// There may be calls to saved objects client before user get authenticated, need to add a try catch here as `getPrincipalsFromRequest` will throw error when user is not authenticated. | ||||||||||
try { | ||||||||||
({ groups = [], users = [] } = this.permissionControl!.getPrincipalsFromRequest(request)); | ||||||||||
} catch (e) { | ||||||||||
return toolkit.next(); | ||||||||||
} | ||||||||||
if (groups.length === 0 && users.length === 0) { | ||||||||||
If the cluster does not require authentication, anyone can be dashboardAdmin I think.
Makes sense, a bit like OSD without security plugin installed that will have almost admin permissions. Also want to hear other's thoughts.
You mean to update isDashboardAdmin state to true if |
||||||||||
updateWorkspaceState(request, { | ||||||||||
isDashboardAdmin: false, | ||||||||||
}); | ||||||||||
Why don't we use
If users/groups is null, we can prevent the program from running down in advance. Meanwhile, configGroups/configUsers has not been obtained. |
||||||||||
return toolkit.next(); | ||||||||||
} | ||||||||||
|
||||||||||
this.logger.info('Dynamic application configuration enabled:' + !!applicationConfig); | ||||||||||
if (!!applicationConfig) { | ||||||||||
const [coreStart] = await core.getStartServices(); | ||||||||||
const scopeClient = coreStart.opensearch.client.asScoped(request); | ||||||||||
const applicationConfigClient = applicationConfig.getConfigurationClient(scopeClient); | ||||||||||
|
||||||||||
const [configGroups, configUsers] = await Promise.all([ | ||||||||||
applicationConfigClient | ||||||||||
.getEntityConfig('opensearchDashboards.dashboardAdmin.groups') | ||||||||||
.catch(() => undefined), | ||||||||||
applicationConfigClient | ||||||||||
.getEntityConfig('opensearchDashboards.dashboardAdmin.users') | ||||||||||
.catch(() => undefined), | ||||||||||
]); | ||||||||||
|
||||||||||
updateDashboardAdminStateForRequest( | ||||||||||
request, | ||||||||||
groups, | ||||||||||
users, | ||||||||||
configGroups ? [configGroups] : [], | ||||||||||
configUsers ? [configUsers] : [] | ||||||||||
Suggested change
configGroups and configUsers should already be array I think? |
||||||||||
); | ||||||||||
return toolkit.next(); | ||||||||||
} | ||||||||||
|
||||||||||
const globalConfig: SharedGlobalConfig = await this.globalConfig$.pipe(first()).toPromise(); | ||||||||||
const configGroups = (globalConfig.opensearchDashboards.dashboardAdmin.groups || | ||||||||||
[]) as string[]; | ||||||||||
const configUsers = (globalConfig.opensearchDashboards.dashboardAdmin.users || | ||||||||||
[]) as string[]; | ||||||||||
updateDashboardAdminStateForRequest(request, groups, users, configGroups, configUsers); | ||||||||||
return toolkit.next(); | ||||||||||
}); | ||||||||||
|
||||||||||
this.workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper( | ||||||||||
this.permissionControl | ||||||||||
); | ||||||||||
|
||||||||||
core.savedObjects.addClientWrapper( | ||||||||||
0, | ||||||||||
WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID, | ||||||||||
this.workspaceSavedObjectsClientWrapper.wrapperFactory | ||||||||||
); | ||||||||||
} | ||||||||||
|
||||||||||
constructor(initializerContext: PluginInitializerContext) { | ||||||||||
this.logger = initializerContext.logger.get('plugins', 'workspace'); | ||||||||||
this.globalConfig$ = initializerContext.config.legacy.globalConfig$; | ||||||||||
} | ||||||||||
|
||||||||||
public async setup(core: CoreSetup) { | ||||||||||
public async setup(core: CoreSetup, { applicationConfig }: AppPluginSetupDependencies) { | ||||||||||
this.logger.debug('Setting up Workspaces service'); | ||||||||||
const globalConfig = await this.globalConfig$.pipe(first()).toPromise(); | ||||||||||
const isPermissionControlEnabled = globalConfig.savedObjects.permission.enabled === true; | ||||||||||
|
@@ -94,19 +168,7 @@ export class WorkspacePlugin implements Plugin<WorkspacePluginSetup, WorkspacePl | |||||||||
); | ||||||||||
|
||||||||||
this.logger.info('Workspace permission control enabled:' + isPermissionControlEnabled); | ||||||||||
if (isPermissionControlEnabled) { | ||||||||||
this.permissionControl = new SavedObjectsPermissionControl(this.logger); | ||||||||||
|
||||||||||
this.workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper( | ||||||||||
this.permissionControl | ||||||||||
); | ||||||||||
|
||||||||||
core.savedObjects.addClientWrapper( | ||||||||||
0, | ||||||||||
WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID, | ||||||||||
this.workspaceSavedObjectsClientWrapper.wrapperFactory | ||||||||||
); | ||||||||||
} | ||||||||||
if (isPermissionControlEnabled) await this.setupPermission(core, { applicationConfig }); | ||||||||||
Seems the await is not needed here. |
||||||||||
|
||||||||||
registerRoutes({ | ||||||||||
http: core.http, | ||||||||||
|
No need to declare this as an async function here, I think.
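Review bot: In the `setupPermission` hunk, both `getEntityConfig` calls end in `.catch(() => undefined)`, so a key that is simply not configured and a read that failed (the client is scoped to the requesting user via `asScoped(request)`) both collapse into an empty admin list, with nothing logged. `updateDashboardAdminStateForRequest` is imported from `./utils` and not shown here; if it treats empty configured lists as "no restriction", a failed lookup would set admin state for the caller, so confirm that it fails closed. At minimum record the cause, e.g. `.catch((e) => { this.logger.warn('dashboardAdmin.groups lookup failed: ' + e); return undefined; })`. Separately, `this.logger.info('Dynamic application configuration enabled:' + !!applicationConfig)` runs inside the `registerOnPostAuth` handler, so it emits an info line on every request that carries principals; logging it once in `setup` would keep the log usable for auditing.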