dashboard admin(groups/users) implementation and integrating with dynamic application config

config/opensearch_dashboards.yml

@@ -290,3 +290,8 @@
 
 # Set the value to true to enable workspace feature
 # workspace.enabled: false
+
+# Set the backend roles in groups or users, whoever has the backend roles or exactly match the user ids defined in this config will be regard as dashboard admin.
+# Dashboard admin will have the access to all the workspaces and objects inside OpenSearch Dashboards.
+# workspace.dashboardAdmin.groups: ["dashboard_admin"]
+# workspace.dashboardAdmin.users: ["dashboard_admin"]

src/legacy/server/osd_server.d.ts

@@ -64,6 +64,7 @@ declare module '@hapi/hapi' {
   interface PluginsStates {
     workspace?: {
       id?: string;
+      isDashboardAdmin?: boolean;
     };
   }
 }

src/plugins/workspace/config.ts

@@ -10,6 +10,14 @@ export const configSchema = schema.object({
   permission: schema.object({
     enabled: schema.boolean({ defaultValue: true }),
   }),
+  dashboardAdmin: schema.object({
+    groups: schema.arrayOf(schema.string(), {
+      defaultValue: [],
+    }),
+    users: schema.arrayOf(schema.string(), {
+      defaultValue: [],
+    }),
+  }),
 });
 
 export type WorkspacePluginConfigType = TypeOf<typeof configSchema>;

src/plugins/workspace/opensearch_dashboards.json

@@ -6,6 +6,6 @@
   "requiredPlugins": [
     "savedObjects"
   ],
-  "optionalPlugins": ["savedObjectsManagement"],
+  "optionalPlugins": ["savedObjectsManagement", "applicationConfig"],
   "requiredBundles": ["opensearchDashboardsReact"]
 }

src/plugins/workspace/server/plugin.test.ts

@@ -5,6 +5,7 @@
 
 import { coreMock } from '../../../core/server/mocks';
 import { WorkspacePlugin } from './plugin';
+import { AppPluginSetupDependencies } from './types';
 
 describe('Workspace server plugin', () => {
   it('#setup', async () => {
@@ -16,9 +17,16 @@ describe('Workspace server plugin', () => {
         enabled: true,
       },
     });
+    const mockApplicationConfig = {
+      getConfigurationClient: jest.fn().mockResolvedValue({}),
+      registerConfigurationClient: jest.fn().mockResolvedValue({}),
+    };
+    const mockDependencies: AppPluginSetupDependencies = {
+      applicationConfig: mockApplicationConfig,
+    };
     setupMock.capabilities.registerProvider.mockImplementationOnce((fn) => (value = fn()));
     const workspacePlugin = new WorkspacePlugin(initializerContextConfigMock);
-    await workspacePlugin.setup(setupMock);
+    await workspacePlugin.setup(setupMock, mockDependencies);
     expect(value).toMatchInlineSnapshot(`
       Object {
         "workspaces": Object {

src/plugins/workspace/server/plugin.ts

@@ -11,16 +11,21 @@ import {
   Plugin,
   Logger,
   CoreStart,
+  OpenSearchDashboardsRequest,
 } from '../../../core/server';
 import {
   WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID,
   WORKSPACE_CONFLICT_CONTROL_SAVED_OBJECTS_CLIENT_WRAPPER_ID,
 } from '../common/constants';
-import { IWorkspaceClientImpl } from './types';
+import { AppPluginSetupDependencies, IWorkspaceClientImpl } from './types';
 import { WorkspaceClient } from './workspace_client';
 import { registerRoutes } from './routes';
 import { WorkspaceSavedObjectsClientWrapper } from './saved_objects';
-import { cleanWorkspaceId, getWorkspaceIdFromUrl } from '../../../core/server/utils';
+import {
+  cleanWorkspaceId,
+  getWorkspaceIdFromUrl,
+  updateWorkspaceState,
+} from '../../../core/server/utils';
 import { WorkspaceConflictSavedObjectsClientWrapper } from './saved_objects/saved_objects_wrapper_for_check_workspace_conflict';
 import {
   SavedObjectsPermissionControl,
@@ -55,12 +60,98 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
     });
   }
 
+  private isRequestByDashboardAdmin(
+    request: OpenSearchDashboardsRequest,
+    groups: string[],
+    users: string[],
+    configGroups: string[],
+    configUsers: string[]
+  ) {
+    if (configGroups.length === 0 && configUsers.length === 0) {
+      updateWorkspaceState(request, {
+        isDashboardAdmin: false,
+      });
+      return;
+    }
+    const groupMatchAny = groups.some((group) => configGroups.includes(group)) || false;
+    const userMatchAny = users.some((user) => configUsers.includes(user)) || false;
+    updateWorkspaceState(request, {
+      isDashboardAdmin: groupMatchAny || userMatchAny,
+    });
+  }
+
+  private async setupPermission(
+    core: CoreSetup,
+    config: WorkspacePluginConfigType,
+    { applicationConfig }: AppPluginSetupDependencies
+  ) {
+    this.permissionControl = new SavedObjectsPermissionControl(this.logger);
+
+    core.http.registerOnPostAuth(async (request, response, toolkit) => {
+      let groups: string[];
+      let users: string[];
+
+      // There may be calls to saved objects client before user get authenticated, need to add a try catch here as `getPrincipalsFromRequest` will throw error when user is not authenticated.
+      try {
+        ({ groups = [], users = [] } = this.permissionControl!.getPrincipalsFromRequest(request));
+      } catch (e) {
+        return toolkit.next();
+      }
+      if (groups.length === 0 && users.length === 0) {
+        updateWorkspaceState(request, {
+          isDashboardAdmin: false,
+        });
+        return toolkit.next();
+      }
+
+      this.logger.info('Dynamic application configuration enabled:' + !!applicationConfig);
+      if (!!applicationConfig) {
+        const [coreStart] = await core.getStartServices();
+        const scopeClient = coreStart.opensearch.client.asScoped(request);
+        const applicationConfigClient = applicationConfig.getConfigurationClient(scopeClient);
+
+        const [configGroups, configUsers] = await Promise.all([
+          applicationConfigClient
+            .getEntityConfig('workspace.dashboardAdmin.groups')
+            .catch(() => undefined),
+          applicationConfigClient
+            .getEntityConfig('workspace.dashboardAdmin.users')
+            .catch(() => undefined),
+        ]);
+
+        this.isRequestByDashboardAdmin(
+          request,
+          groups,
+          users,
+          configGroups ? [configGroups] : [],
+          configUsers ? [configUsers] : []
+        );
+        return toolkit.next();
+      }
+
+      const configGroups = config.dashboardAdmin.groups || [];
+      const configUsers = config.dashboardAdmin.users || [];
+      this.isRequestByDashboardAdmin(request, groups, users, configGroups, configUsers);
+      return toolkit.next();
+    });
+
+    this.workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper(
+      this.permissionControl
+    );
+
+    core.savedObjects.addClientWrapper(
+      0,
+      WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID,
+      this.workspaceSavedObjectsClientWrapper.wrapperFactory
+    );
+  }
+
   constructor(initializerContext: PluginInitializerContext) {
     this.logger = initializerContext.logger.get('plugins', 'workspace');
     this.config$ = initializerContext.config.create<WorkspacePluginConfigType>();
   }
 
-  public async setup(core: CoreSetup) {
+  public async setup(core: CoreSetup, { applicationConfig }: AppPluginSetupDependencies) {
     this.logger.debug('Setting up Workspaces service');
     const config: WorkspacePluginConfigType = await this.config$.pipe(first()).toPromise();
     const isPermissionControlEnabled =
@@ -80,19 +171,7 @@ export class WorkspacePlugin implements Plugin<{}, {}> {
     );
 
     this.logger.info('Workspace permission control enabled:' + isPermissionControlEnabled);
-    if (isPermissionControlEnabled) {
-      this.permissionControl = new SavedObjectsPermissionControl(this.logger);
-
-      this.workspaceSavedObjectsClientWrapper = new WorkspaceSavedObjectsClientWrapper(
-        this.permissionControl
-      );
-
-      core.savedObjects.addClientWrapper(
-        0,
-        WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID,
-        this.workspaceSavedObjectsClientWrapper.wrapperFactory
-      );
-    }
+    if (isPermissionControlEnabled) this.setupPermission(core, config, { applicationConfig });
 
     registerRoutes({
       http: core.http,