-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Integration Test to confirm Core Change to Fix Search template request Auth #2921
Add Integration Test to confirm Core Change to Fix Search template request Auth #2921
Conversation
…ices you have access to Signed-off-by: Derek Ho <dxho@amazon.com>
Codecov Report
@@ Coverage Diff @@
## main #2921 +/- ##
============================================
+ Coverage 62.42% 62.45% +0.03%
- Complexity 3352 3354 +2
============================================
Files 254 254
Lines 19749 19749
Branches 3334 3334
============================================
+ Hits 12329 12335 +6
+ Misses 5788 5785 -3
+ Partials 1632 1629 -3 |
Signed-off-by: Derek Ho <dxho@amazon.com>
@@ -68,4 +73,11 @@ public void testRegexPattern() throws Exception { | |||
} | |||
|
|||
} | |||
|
|||
@Test | |||
public void testSearchTemplateRequest() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before adding search template into isClusterPerm function this would fail since it would come back with a 403 response code
@@ -44,10 +45,15 @@ public class PrivilegesEvaluatorTest { | |||
new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops") | |||
); | |||
|
|||
protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles( | |||
new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @derek-ho ! This change looks good to me. I only have one concern about breaking existing roles that are unknowingly working with the bug in place, but since it is a bug fix I think its alright to provide documentation on how to update a role to make it so that SearchTemplateRequests are working properly. I also think it is worthwhile to modify the cluster_composite_ops_ro
static action group to include search template and msearch template.
To be clear, the role below allows SearchTemplateRequests to work even with the bug in place:
search_all:
index_permissions:
- index_patterns:
- "*"
allowed_actions:
- "read"
and after this change the role would need to be changed to:
search_all:
cluster_permissions:
- "indices:data/read/search/template" or "cluster_composite_ops_ro" <- action group containing the underlying cluster perm
index_permissions:
- index_patterns:
- "*"
allowed_actions:
- "read"
With the bug in place the following role would not permit search template requests to work properly
logs_search:
index_permissions:
- index_patterns:
- "logs-*"
allowed_actions:
- "read"
but that would be achievable now with the following role definition:
logs_search:
cluster_permissions:
- "indices:data/read/search/template"
index_permissions:
- index_patterns:
- "logs-*"
allowed_actions:
- "read"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we can make the change for 2.x since it will be a breaking change. While it is an edge case, I don't think it matters if it is for a bug fix or not. Unless I am mistaken, semantic versioning would dictate we wait until 3.0 to make this available.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you remove the clusterPermissions
section for this role?
@shikharj05 FYI this PR is related to a bug |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like a good contribution @derek-ho. I don't believe we will be able to backport this to 2.x however since it will cause a breaking change and despite the niche case we should be strict in adherence to semantic versioning. Looks good to me after you are able to resolve Craig's comments.
@@ -44,10 +45,15 @@ public class PrivilegesEvaluatorTest { | |||
new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops") | |||
); | |||
|
|||
protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles( | |||
new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we can make the change for 2.x since it will be a breaking change. While it is an edge case, I don't think it matters if it is for a bug fix or not. Unless I am mistaken, semantic versioning would dictate we wait until 3.0 to make this available.
Gentle bump on this one, @derek-ho. Are you still intending to merge this one? |
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
src/integrationTest/java/org/opensearch/security/privileges/PrivilegesEvaluatorTest.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Derek Ho <dxho@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Going deep on these tests - last change before my approval, but you can still consider this nitpicking - can you make it clearer why the outcome of the test should be what it is?
I find the easiest format to follow is setup, action, and verification, what that could look like for testSearchTemplateRequestUnauthorizedAllIndices
might follow:
final String searchForAllTemplates = "_search/template";
final TestRestClient client = cluster.getRestClient(ONLY_SERVICES_INDEX_ACCESS));
final Request searchForAllTemplatesResponse = client.getWithJsonBody(searchForAllTemplates, TEST_QUERY);
assertThat(getAllTemplatesResponse.getStatusCode(), equalTo(HttpStatus.SC_FORBIDDEN))
@derek-ho This are integration tests, could you change the name of the pull request and update the description? |
Re-checking tests. How are the tests working without the index being created first?
…x-search-template
Signed-off-by: Derek Ho <dxho@amazon.com>
All tests pass on local after @cwperks's upstream change |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Thank you @derek-ho! 🚢
@willyborankin can you add 2.x backport label? The Core change was backported to 2.x: opensearch-project/OpenSearch#9275 |
@derek-ho done |
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-2921-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 bd084c89baff0312a1b11b961e8b850b68e83829
# Push it to GitHub
git push --set-upstream origin backport/backport-2921-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x Then, create a pull request where the |
The integration tests are not on 2.x so this does not need to be backported to 2.x. |
Adds integration test to verify change in core, allowing proper authorization of search template request
related to: #1678
Description
[Describe what this change achieves]
Issues Resolved
[List any issues this PR will resolve]
Is this a backport? If so, please add backport PR # and/or commits #
Testing
[Please provide details of testing done: unit testing, integration testing and manual testing]
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.