Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read Only Tenant Mode #4498

Merged

Conversation

jakubp-eliatra
Copy link
Contributor

Description

Adds a proper read only mode support for read only tenants.

A new capability hide_for_read_only as array is utilized to recognize the capabilities which should be disable in read only mode. If a read only tenant is recognized the capabilities associated with writing access such as 'createNew' and 'saveQuery' are then set to false.

Issues Resolved

This is a complementary PR for: opensearch-project/security-dashboards-plugin#1472, related with issues here: opensearch-project/security#2701

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@jakubp-eliatra jakubp-eliatra changed the title Read Only Tenant Mod Read Only Tenant Mode Jul 5, 2023
Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
@jakubp-eliatra jakubp-eliatra force-pushed the read-only-mode-for-tenants branch from e3252fe to b5fd84b Compare July 5, 2023 12:54
@ashwin-pc
Copy link
Member

@jakubp-eliatra Can you as a part of this change also tackle #2575? Since you are modifying the capabilities service, it would also be nice to know how it is being used, including how to use the new flag :)

@jakubp-eliatra
Copy link
Contributor Author

@ashwin-pc Yes, we will document how the capabilities are used to achieve read only mode. Outside of that, I would suggest to leave #2575 as a separate issue still, due to capabilities not being really used in plugins (outside of read only mode logic) and due to enlarging the current scope of PR.

Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
…nants

Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
@kajetan-nobel kajetan-nobel force-pushed the read-only-mode-for-tenants branch from 58459a9 to 39a08e6 Compare July 18, 2023 20:24
@ashwin-pc
Copy link
Member

@jakubp-eliatra Thats okay, the goal here is to document the change that you are making and add any additional context you have about the capabilities service too. Its a part of the PR checklist for that reason. It does not have to be a comprehensive doc on the capabilities service as a whole, that can be covered in #2575. The problem is that we may never get to it otherwise and kinda have to rely on changes like this to slowly tackle away at the documentation gaps. Imagine how it would have benefitted you if the last person who touched the capabilities service had documented it well.

…nants

Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
@kajetan-nobel
Copy link
Contributor

Hey @ashwin-pc, I've taken this task over from @jakubp-eliatra.

I've added docs (please let me know if there is any lack there), also integration tests have been prepared here:
opensearch-project/opensearch-dashboards-functional-test#792

…nants

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
@kajetan-nobel
Copy link
Contributor

@kajetan-nobel This is missing a changelog entry.

@joshuarrrr I added :)

@ashwin-pc ashwin-pc removed the needs more info Requires more information from poster label Oct 3, 2023
@ashwin-pc
Copy link
Member

@kajetan-nobel how can i validate these changes? can you add some instructions to run this change locally and make sure it works as expected?

@kajetan-nobel
Copy link
Contributor

@ashwin-pc

  1. Switch the dashboard branch to the branch of this PR
  2. Switch the security plugin branch to the branch of Show controls as read only based on tenant permissions security-dashboards-plugin#1472
  3. Sign in as Admin and follow this part of docs
  4. Create an example of data for the tenant as admin
  5. Sign in to the read-only tenant user who isn't an admin
  6. It shouldn't show any edit buttons.

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
@kajetan-nobel
Copy link
Contributor

Note: @ashwin-pc gonna pick it up right after 2.11's crunch time
If could also any other maintainers of this repository review this PR for me please? Thank you.

Comment on lines 1 to 29
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Any modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The license header is not correct I suppose.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this is the right license header

/*
 * Copyright OpenSearch Contributors
 * SPDX-License-Identifier: Apache-2.0
 */

The same goes for all the license headers in this PR

Comment on lines 1 to 29
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Any modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The license header is not correct I suppose.

Copy link
Member

@ashwin-pc ashwin-pc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR looks good aside from the license headers. I see some additional fetch errors on a few pages when using a read only user but that isnt related to this PR i think. I can approve once the license headers are fixed :)

Comment on lines 1 to 29
/*
* SPDX-License-Identifier: Apache-2.0
*
* The OpenSearch Contributors require contributions made to
* this file be licensed under the Apache-2.0 license or a
* compatible open source license.
*
* Any modifications Copyright OpenSearch Contributors. See
* GitHub history for details.
*/

/*
* Licensed to Elasticsearch B.V. under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch B.V. licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this is the right license header

/*
 * Copyright OpenSearch Contributors
 * SPDX-License-Identifier: Apache-2.0
 */

The same goes for all the license headers in this PR

Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
@kajetan-nobel
Copy link
Contributor

@ashwin-pc @SuZhou-Joe license headers have been changed. Ready to review.

ashwin-pc
ashwin-pc previously approved these changes Oct 25, 2023
@@ -36,6 +36,15 @@ import { searchSavedObjectType } from './saved_objects';
export class DiscoverServerPlugin implements Plugin<object, object> {
public setup(core: CoreSetup) {
core.capabilities.registerProvider(capabilitiesProvider);
core.capabilities.registerSwitcher(async (request, capabilites) => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As there is no consumer under the line of await, I'd recommend removing the async / await in this function, not a big concern.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SuZhou-Joe hideForReadonly is async and it's needed to be due to implementation from security plugin site

Copy link
Member

@SuZhou-Joe SuZhou-Joe Oct 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually because there is no consumer following the await, so it's the same to make it from async / await to a simple () => core.security.readonlyService.... because both will return a promise to the function caller. but still, not a big concern.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather keep it as it is

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this improvement to dashboards - I've just finished reviewing the companion change in the security plugin - very nice design + docs 🥇!

Minor suggestion to the service interface, see inline.

import { IReadOnlyService } from './types';

export class ReadonlyService implements IReadOnlyService {
async isReadonly(request: OpenSearchDashboardsRequest): Promise<boolean> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think of changing the output from being boolean to be an enum that has values like ReadOnly, ReadWrite, Unknown?

I think this would better describe results for inline reading especially in the controllers where its hard to 'see' what the impact of a true vs false will be.

Copy link
Contributor

@kajetan-nobel kajetan-nobel Oct 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied then it wouldn't be a ReadonlyService but TenantCapabilityService or something like that. As long as it has an impact only on capabilities I suggest keeping it as it is right now and extending that in the next PR :) Especially as long capabilities are only boolean and will not contain enum values.

CHANGELOG.md Outdated Show resolved Hide resolved
import { IReadOnlyService } from './types';

export class ReadonlyService implements IReadOnlyService {
async isReadonly(request: OpenSearchDashboardsRequest): Promise<boolean> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems isReadonly method currently always returns false and the hideForReadonly method will always return the capabilites argument as-is, without merging it with hideCapabilities. Seems to me that these functions are redundant or unnecessary. Is the current isReadonly method a placeholder, intended to be overridden or expanded upon in the future? should we add a comment on them?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ananzh purpose is to keep working even without security-plugin (btw. here is an extension of the implementation https://github.com/opensearch-project/security-dashboards-plugin/pull/14720). For more context please follow opensearch-project/security#2701 (comment)

Co-authored-by: Anan Zhuang <ananzh@amazon.com>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
@ananzh ananzh merged commit abc97ea into opensearch-project:main Nov 6, 2023
63 of 65 checks passed
@ananzh ananzh added the v2.12.0 label Nov 6, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 6, 2023
* merge conflict resolved
* Restore config/opensearch_dashboards.yml
* Fix capabilities tsc
* docs: read only tenant mode
* feat: introduce security service in core and readonly service
* fix: adds securityServiceMock
* feat: adds tests and default default readonly service
* docs: fill up docs for read only tenant mode

---------

Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Co-authored-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
Co-authored-by: Kajetan Nobel <k.nobel@routegroup.pl>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit abc97ea)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
joshuarrrr pushed a commit that referenced this pull request Nov 17, 2023
* merge conflict resolved
* Restore config/opensearch_dashboards.yml
* Fix capabilities tsc
* docs: read only tenant mode
* feat: introduce security service in core and readonly service
* fix: adds securityServiceMock
* feat: adds tests and default default readonly service
* docs: fill up docs for read only tenant mode

---------

Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Co-authored-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
Co-authored-by: Kajetan Nobel <k.nobel@routegroup.pl>
Co-authored-by: Peter Nied <peternied@hotmail.com>
Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com>
Co-authored-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Co-authored-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit abc97ea)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants