-
Notifications
You must be signed in to change notification settings - Fork 920
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Read Only Tenant Mode #4498
Read Only Tenant Mode #4498
Conversation
Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net>
e3252fe
to
b5fd84b
Compare
@jakubp-eliatra Can you as a part of this change also tackle #2575? Since you are modifying the capabilities service, it would also be nice to know how it is being used, including how to use the new flag :) |
@ashwin-pc Yes, we will document how the capabilities are used to achieve read only mode. Outside of that, I would suggest to leave #2575 as a separate issue still, due to capabilities not being really used in plugins (outside of read only mode logic) and due to enlarging the current scope of PR. |
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
…nants Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
58459a9
to
39a08e6
Compare
@jakubp-eliatra Thats okay, the goal here is to document the change that you are making and add any additional context you have about the capabilities service too. Its a part of the PR checklist for that reason. It does not have to be a comprehensive doc on the capabilities service as a whole, that can be covered in #2575. The problem is that we may never get to it otherwise and kinda have to rely on changes like this to slowly tackle away at the documentation gaps. Imagine how it would have benefitted you if the last person who touched the capabilities service had documented it well. |
…nants Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
Hey @ashwin-pc, I've taken this task over from @jakubp-eliatra. I've added docs (please let me know if there is any lack there), also integration tests have been prepared here: |
…nants Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
@joshuarrrr I added :) |
@kajetan-nobel how can i validate these changes? can you add some instructions to run this change locally and make sure it works as expected? |
|
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Note: @ashwin-pc gonna pick it up right after 2.11's crunch time |
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Any modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The license header is not correct I suppose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this is the right license header
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
The same goes for all the license headers in this PR
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Any modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The license header is not correct I suppose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR looks good aside from the license headers. I see some additional fetch errors on a few pages when using a read only user but that isnt related to this PR i think. I can approve once the license headers are fixed :)
/* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* | ||
* The OpenSearch Contributors require contributions made to | ||
* this file be licensed under the Apache-2.0 license or a | ||
* compatible open source license. | ||
* | ||
* Any modifications Copyright OpenSearch Contributors. See | ||
* GitHub history for details. | ||
*/ | ||
|
||
/* | ||
* Licensed to Elasticsearch B.V. under one or more contributor | ||
* license agreements. See the NOTICE file distributed with | ||
* this work for additional information regarding copyright | ||
* ownership. Elasticsearch B.V. licenses this file to you under | ||
* the Apache License, Version 2.0 (the "License"); you may | ||
* not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this is the right license header
/*
* Copyright OpenSearch Contributors
* SPDX-License-Identifier: Apache-2.0
*/
The same goes for all the license headers in this PR
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com>
@ashwin-pc @SuZhou-Joe license headers have been changed. Ready to review. |
@@ -36,6 +36,15 @@ import { searchSavedObjectType } from './saved_objects'; | |||
export class DiscoverServerPlugin implements Plugin<object, object> { | |||
public setup(core: CoreSetup) { | |||
core.capabilities.registerProvider(capabilitiesProvider); | |||
core.capabilities.registerSwitcher(async (request, capabilites) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As there is no consumer under the line of await, I'd recommend removing the async / await in this function, not a big concern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@SuZhou-Joe hideForReadonly
is async and it's needed to be due to implementation from security plugin site
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually because there is no consumer following the await, so it's the same to make it from async / await
to a simple () => core.security.readonlyService....
because both will return a promise to the function caller. but still, not a big concern.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would rather keep it as it is
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this improvement to dashboards - I've just finished reviewing the companion change in the security plugin - very nice design + docs 🥇!
Minor suggestion to the service interface, see inline.
import { IReadOnlyService } from './types'; | ||
|
||
export class ReadonlyService implements IReadOnlyService { | ||
async isReadonly(request: OpenSearchDashboardsRequest): Promise<boolean> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think of changing the output from being boolean to be an enum that has values like ReadOnly, ReadWrite, Unknown
?
I think this would better describe results for inline reading especially in the controllers where its hard to 'see' what the impact of a true vs false will be.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@peternied then it wouldn't be a ReadonlyService
but TenantCapabilityService
or something like that. As long as it has an impact only on capabilities I suggest keeping it as it is right now and extending that in the next PR :) Especially as long capabilities are only boolean and will not contain enum values.
import { IReadOnlyService } from './types'; | ||
|
||
export class ReadonlyService implements IReadOnlyService { | ||
async isReadonly(request: OpenSearchDashboardsRequest): Promise<boolean> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems isReadonly
method currently always returns false and the hideForReadonly
method will always return the capabilites
argument as-is, without merging it with hideCapabilities. Seems to me that these functions are redundant or unnecessary. Is the current isReadonly method a placeholder, intended to be overridden or expanded upon in the future? should we add a comment on them?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ananzh purpose is to keep working even without security-plugin
(btw. here is an extension of the implementation https://github.com/opensearch-project/security-dashboards-plugin/pull/14720). For more context please follow opensearch-project/security#2701 (comment)
Co-authored-by: Anan Zhuang <ananzh@amazon.com> Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl>
* merge conflict resolved * Restore config/opensearch_dashboards.yml * Fix capabilities tsc * docs: read only tenant mode * feat: introduce security service in core and readonly service * fix: adds securityServiceMock * feat: adds tests and default default readonly service * docs: fill up docs for read only tenant mode --------- Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net> Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl> Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com> Co-authored-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net> Co-authored-by: Kajetan Nobel <k.nobel@routegroup.pl> Co-authored-by: Peter Nied <peternied@hotmail.com> Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com> Co-authored-by: Kajetan Nobel <kajetan.nobel@eliatra.com> Co-authored-by: Anan Zhuang <ananzh@amazon.com> (cherry picked from commit abc97ea) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
* merge conflict resolved * Restore config/opensearch_dashboards.yml * Fix capabilities tsc * docs: read only tenant mode * feat: introduce security service in core and readonly service * fix: adds securityServiceMock * feat: adds tests and default default readonly service * docs: fill up docs for read only tenant mode --------- Signed-off-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net> Signed-off-by: Kajetan Nobel <k.nobel@routegroup.pl> Signed-off-by: Kajetan Nobel <kajetan.nobel@eliatra.com> Co-authored-by: jakubp-eliatra <jakub.przybylski@theworkingroup.net> Co-authored-by: Kajetan Nobel <k.nobel@routegroup.pl> Co-authored-by: Peter Nied <peternied@hotmail.com> Co-authored-by: Ashwin P Chandran <ashwinpc@amazon.com> Co-authored-by: Kajetan Nobel <kajetan.nobel@eliatra.com> Co-authored-by: Anan Zhuang <ananzh@amazon.com> (cherry picked from commit abc97ea) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
Adds a proper read only mode support for read only tenants.
A new capability hide_for_read_only as array is utilized to recognize the capabilities which should be disable in read only mode. If a read only tenant is recognized the capabilities associated with writing access such as 'createNew' and 'saveQuery' are then set to false.
Issues Resolved
This is a complementary PR for: opensearch-project/security-dashboards-plugin#1472, related with issues here: opensearch-project/security#2701
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr