Skip to content

Commit

Permalink
Allow system to perform actions on system indices
Browse files Browse the repository at this point in the history 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
  • Loading branch information
@cwperks
cwperks committed Nov 21, 2024
1 parent fb2cbb0 commit d48afcf
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 2 deletions.
9 changes: 8 additions & 1 deletion .../system-index-protection/src/main/java/org/opensearch/index/filter/SystemIndexFilter.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.opensearch.core.rest.RestStatus;
import org.opensearch.indices.SystemIndexRegistry;
import org.opensearch.tasks.Task;
import org.opensearch.threadpool.ThreadPool;

import java.util.ArrayList;
import java.util.List;
Expand All @@ -27,9 +28,11 @@ public class SystemIndexFilter implements ActionFilter {

private final IndexResolverReplacer indexResolverReplacer;
private final WildcardMatcher deniedActionsMatcher;
private final ThreadPool threadPool;

public SystemIndexFilter(final IndexResolverReplacer indexResolverReplacer) {
public SystemIndexFilter(final IndexResolverReplacer indexResolverReplacer, final ThreadPool threadPool) {
this.indexResolverReplacer = indexResolverReplacer;
this.threadPool = threadPool;

final List<String> deniedActionPatternsList = deniedActionPatterns();

Expand Down Expand Up @@ -63,6 +66,10 @@ public <Request extends ActionRequest, Response extends ActionResponse> void app
ActionListener<Response> listener,
ActionFilterChain<Request, Response> chain
) {
if (threadPool.getThreadContext().isSystemContext()) {
chain.proceed(task, action, request, listener);
return;
}
if (deniedActionsMatcher.test(action)) {
final IndexResolverReplacer.Resolved resolved = indexResolverReplacer.resolveRequest(request);
final Set<String> allIndices = resolved.getAllIndices();
Expand Down
2 changes: 1 addition & 1 deletion ...otection/src/main/java/org/opensearch/plugin/systemindex/SystemIndexProtectionPlugin.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,7 +86,7 @@ public Collection<Object> createComponents(

final IndexNameExpressionResolver resolver = new IndexNameExpressionResolver(threadPool.getThreadContext());
irr = new IndexResolverReplacer(resolver, clusterService::state, cih);
sif = new SystemIndexFilter(irr);
sif = new SystemIndexFilter(irr, localClient.threadPool());
return Collections.emptySet();
}

Expand Down
2 changes: 2 additions & 0 deletions server/src/main/java/org/opensearch/client/OriginSettingClient.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,8 @@ protected <Request extends ActionRequest, Response extends ActionResponse> void
() -> in().threadPool().getThreadContext().stashWithOrigin(origin)
)
) {
ThreadContext threadContext = in().threadPool().getThreadContext();
ThreadContextAccess.doPrivilegedVoid(threadContext::markAsSystemContext);
super.doExecute(action, request, new ContextPreservingActionListener<>(supplier, listener));
}
}
Expand Down

0 comments on commit d48afcf

Please sign in to comment.