opensearch-project · cwperks · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 20, 2024
@@ -152,6 +152,7 @@ configure([
   project(":plugins:crypto-kms"),
   project(":qa:die-with-dignity"),
   project(":qa:wildfly"),
+  project(":sandbox:modules:system-index-protection"),
   project(":test:external-modules:test-delayed-aggs"),
   project(":test:fixtures:azure-fixture"),
   project(":test:fixtures:gcs-fixture"),

@@ -0,0 +1,30 @@
+import static org.opensearch.gradle.PropertyNormalization.IGNORE_VALUE
+
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+apply plugin: 'opensearch.yaml-rest-test'
+apply plugin: 'opensearch.internal-cluster-test'
+
+opensearchplugin {
+  description 'The System Index Protection Plugin provides native protection to system indices'
+  classname 'org.opensearch.plugin.systemindex.SystemIndexProtectionPlugin'
+}
+
+restResources {
+  restApi {
+    includeCore '_common', 'indices', 'index', 'get'
+  }
+}
+
+testClusters.yamlRestTest {
+  setting 'modules.system_index_protection.system_indices.enabled', 'true'
+}
@@ -0,0 +1,43 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.index.system;
+
+import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.plugin.systemindex.SystemIndexProtectionPlugin;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.test.OpenSearchIntegTestCase;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+import static org.opensearch.tasks.TaskResultsService.TASK_INDEX;
+import static org.opensearch.test.hamcrest.OpenSearchAssertions.assertAcked;
+
+public class SystemIndexPluginIT extends OpenSearchIntegTestCase {
+
+    @Override
+    protected Collection<Class<? extends Plugin>> nodePlugins() {
+        return Arrays.asList(SystemIndexProtectionPlugin.class);
+    }
+
+    @Override
+    protected Settings nodeSettings(int nodeOrdinal) {
+        return Settings.builder()
+            .put(super.nodeSettings(nodeOrdinal))
+            .put(SystemIndexProtectionPlugin.SYSTEM_INDEX_PROTECTION_ENABLED_KEY, true)
+            .build();
+    }
+
+    public void testBasic() throws Exception {
+        assertAcked(prepareCreate(TASK_INDEX));
+        client().prepareDelete().setIndex(TASK_INDEX);
+        assertThrows(OpenSearchSecurityException.class, () -> { admin().indices().prepareDelete(TASK_INDEX).get(); });
+    }
+}
@@ -0,0 +1,42 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+package org.opensearch.index.system;
+
+import org.opensearch.OpenSearchSecurityException;
+import org.opensearch.action.admin.indices.delete.DeleteIndexRequestBuilder;
+import org.opensearch.common.settings.Settings;
+import org.opensearch.plugin.systemindex.SystemIndexProtectionPlugin;
+import org.opensearch.plugins.Plugin;
+import org.opensearch.test.OpenSearchSingleNodeTestCase;
+
+import java.util.Collection;
+
+import static org.opensearch.tasks.TaskResultsService.TASK_INDEX;
+
+public class SystemIndexProtectionTests extends OpenSearchSingleNodeTestCase {
+    @Override
+    protected Collection<Class<? extends Plugin>> getPlugins() {
+        return pluginList(SystemIndexProtectionPlugin.class);
+    }
+
+    @Override
+    protected Settings nodeSettings() {
+        return Settings.builder()
+            .put(super.nodeSettings())
+            .put(SystemIndexProtectionPlugin.SYSTEM_INDEX_PROTECTION_ENABLED_KEY, true)
+            .build();
+    }
+
+    public void testBasic() throws Exception {
+        createIndex(TASK_INDEX);
+        DeleteIndexRequestBuilder deleteIndexRequestBuilder = client().admin().indices().prepareDelete(TASK_INDEX);
+        assertThrows(OpenSearchSecurityException.class, deleteIndexRequestBuilder::get);
+    }
+
+}
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2015-2018 _floragunn_ GmbH
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+package org.opensearch.index.filter;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.opensearch.Version;
+import org.opensearch.cluster.ClusterChangedEvent;
+import org.opensearch.cluster.ClusterStateListener;
+import org.opensearch.cluster.node.DiscoveryNode;
+import org.opensearch.cluster.node.DiscoveryNodes;
+
+public class ClusterInfoHolder implements ClusterStateListener {
+
+    protected final Logger log = LogManager.getLogger(this.getClass());
+    private volatile DiscoveryNodes nodes = null;
+    private volatile Boolean isLocalNodeElectedClusterManager = null;
+    private volatile boolean initialized;
+    private final String clusterName;
+
+    public ClusterInfoHolder(String clusterName) {
+        this.clusterName = clusterName;
+    }
+
+    @Override
+    public void clusterChanged(ClusterChangedEvent event) {
+        if (nodes == null || event.nodesChanged()) {
+            nodes = event.state().nodes();
+            if (log.isDebugEnabled()) {
+                log.debug("Cluster Info Holder now initialized for 'nodes'");
+            }
+            initialized = true;
+        }
+
+        isLocalNodeElectedClusterManager = event.localNodeClusterManager() ? Boolean.TRUE : Boolean.FALSE;
+    }
+
+    public Boolean isLocalNodeElectedClusterManager() {
+        return isLocalNodeElectedClusterManager;
+    }
+
+    public boolean isInitialized() {
+        return initialized;
+    }
+
+    public Version getMinNodeVersion() {
+        if (nodes == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Cluster Info Holder not initialized yet for 'nodes'");
+            }
+            return null;
+        }
+
+        return nodes.getMinNodeVersion();
+    }
+
+    public Boolean hasNode(DiscoveryNode node) {
+        if (nodes == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Cluster Info Holder not initialized yet for 'nodes'");
+            }
+            return null;
+        }
+
+        return nodes.nodeExists(node) ? Boolean.TRUE : Boolean.FALSE;
+    }
+
+    public String getClusterName() {
+        return this.clusterName;
+    }
+}