Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Integration Test to confirm Core Change to Fix Search template request Auth #2921

Merged
merged 10 commits into from
Aug 16, 2023
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
import org.junit.Test;
import org.junit.runner.RunWith;

import org.opensearch.script.mustache.MustacheModulePlugin;
import org.opensearch.test.framework.TestSecurityConfig;
import org.opensearch.test.framework.TestSecurityConfig.Role;
import org.opensearch.test.framework.cluster.ClusterManager;
Expand Down Expand Up @@ -44,10 +45,15 @@ public class PrivilegesEvaluatorTest {
new Role("negated_regex_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("cluster_composite_ops")
);

protected final static TestSecurityConfig.User SEARCH_TEMPLATE = new TestSecurityConfig.User("search_template_user").roles(
new Role("search_template_role").indexPermissions("read").on("/^[a-z].*/").clusterPermissions("indices:data/read/search/template")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @derek-ho ! This change looks good to me. I only have one concern about breaking existing roles that are unknowingly working with the bug in place, but since it is a bug fix I think its alright to provide documentation on how to update a role to make it so that SearchTemplateRequests are working properly. I also think it is worthwhile to modify the cluster_composite_ops_ro static action group to include search template and msearch template.

To be clear, the role below allows SearchTemplateRequests to work even with the bug in place:

search_all:
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

and after this change the role would need to be changed to:

search_all:
  cluster_permissions:
    - "indices:data/read/search/template" or "cluster_composite_ops_ro" <- action group containing the underlying cluster perm
  index_permissions:
    - index_patterns:
        - "*"
      allowed_actions:
        - "read"

With the bug in place the following role would not permit search template requests to work properly

logs_search:
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - "read"

but that would be achievable now with the following role definition:

logs_search:
  cluster_permissions:
    - "indices:data/read/search/template"
  index_permissions:
    - index_patterns:
        - "logs-*"
      allowed_actions:
        - "read"

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can make the change for 2.x since it will be a breaking change. While it is an edge case, I don't think it matters if it is for a bug fix or not. Unless I am mistaken, semantic versioning would dictate we wait until 3.0 to make this available.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you remove the clusterPermissions section for this role?

);

@ClassRule
public static LocalCluster cluster = new LocalCluster.Builder().clusterManager(ClusterManager.THREE_CLUSTER_MANAGERS)
.plugin(MustacheModulePlugin.class)
.authc(AUTHC_HTTPBASIC_INTERNAL)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX)
.users(NEGATIVE_LOOKAHEAD, NEGATED_REGEX, SEARCH_TEMPLATE)
.build();

@Test
Expand All @@ -68,4 +74,17 @@ public void testRegexPattern() throws Exception {
}

}

@Test
public void testSearchTemplateRequest() {
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before adding search template into isClusterPerm function this would fail since it would come back with a 403 response code

try (TestRestClient client = cluster.getRestClient(SEARCH_TEMPLATE)) {
assertThat(
client.getWithJsonBody(
"r*/_search/template",
"{\"source\":{\"query\":{\"match\":{\"service\":\"{{service_name}}\"}}},\"params\":{\"service_name\":\"Oracle\"}}"
).getStatusCode(),
equalTo(HttpStatus.SC_OK)
);
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@
import org.opensearch.core.common.Strings;
import org.opensearch.core.xcontent.NamedXContentRegistry;
import org.opensearch.index.reindex.ReindexAction;
import org.opensearch.script.mustache.SearchTemplateAction;
import org.opensearch.security.auditlog.AuditLog;
import org.opensearch.security.configuration.ClusterInfoHolder;
import org.opensearch.security.configuration.ConfigurationRepository;
Expand Down Expand Up @@ -671,8 +672,7 @@ public static boolean isClusterPerm(String action0) {
|| (action0.startsWith(MultiSearchAction.NAME))
|| (action0.equals(MultiTermVectorsAction.NAME))
|| (action0.equals(ReindexAction.NAME))

);
|| (action0.equals(SearchTemplateAction.NAME)));
}

@SuppressWarnings("unchecked")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,11 +23,13 @@ public void testClusterPerm() {
String writeIndex = "indices:data/write/reindex";
String adminClose = "indices:admin/close";
String monitorUpgrade = "indices:monitor/upgrade";
String searchTemplate = "indices:data/read/search/template";

// Cluster Permissions
assertTrue(isClusterPerm(multiSearchTemplate));
assertTrue(isClusterPerm(writeIndex));
assertTrue(isClusterPerm(monitorHealth));
assertTrue(isClusterPerm(searchTemplate));

// Index Permissions
assertFalse(isClusterPerm(adminClose));
Expand Down