[DRAFT] [Feature] Introduces resource sharing and access-control #4746
Conversation
| return services; | ||
| } | ||
|
|
||
| public static class GuiceHolder implements LifecycleComponent { |
There was a problem hiding this comment.
This GuiceHolder pattern from the security plugin is IMHO only a hack to get access to dependencies which are available via dependency injection, but not via the createComponents() API in the Plugin interface. The un-hackish way to give plugins access to ResourceService would be to add it to the param list of createComponents().
|
Resource-sharing index gets created successfully upon first cluster start: and subsequent starts show that the index is present: Sample Resource Plugin loaded successfully: |
DarshitChanpura
changed the base branch from
main
to
feature/resource-permissions
|
Moved sample resource plugin code to a separate PR: #4893 |
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
resource-access-control
branch
from
bdb5d4e to
b019547
Compare
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
force-pushed
the
resource-access-control
branch
from
b019547 to
45b002e
Compare
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
| node_modules/ | ||
| package-lock.json |
There was a problem hiding this comment.
it was automatically added. But we don't add node_modules and package-lock since we don't have any front-end components in this project.
| @@ -345,6 +345,7 @@ private <Request extends ActionRequest, Response extends ActionResponse> void ap | |||
| log.info("Transport auth in passive mode and no user found. Injecting default user"); | |||
| user = User.DEFAULT_TRANSPORT_USER; | |||
| threadContext.putTransient(ConfigConstants.OPENDISTRO_SECURITY_USER, user); | |||
| threadContext.putPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER, user); | |||
There was a problem hiding this comment.
I noticed a few of these putPersistent being added. I do not know the full context, but is there any security implications with putting it in persistently? For example maybe stashing the context wouldn't work if the user is persisted into the threadcontext. Any ideas on this usage @cwperks ?
There was a problem hiding this comment.
I want to add the same code in #4896. I added the notion of persistent TC headers in the core a while ago with the intent that these headers are not stashable and I'd like to move to the authenticated user as a non-stashable header.
Its added here because Security is adding an IndexOperationListener on the resourceIndex and the ThreadContext has already been stashed by the sample plugin so that it can write to the resourceIndex. By adding this call here, @DarshitChanpura is guaranteed that he can read the userinfo from the TC inside the IndexOperationListener.
I believe the postIndex hook is running within the same block as the IndexRequest to the resourceIndex.
There was a problem hiding this comment.
+1 to @cwperks answer. User names are particularly required when creating or listing resources. This would ensure that a user who is current context-user is always present and thus not result in null value. At some point in future, the putTransient calls will be removed completely.
| public void createResourceSharingIndexIfAbsent() { | ||
| // TODO check if this should be wrapped in an atomic completable future | ||
|
|
||
| this.resourceSharingIndexHandler.createResourceSharingIndexIfAbsent(() -> null); |
There was a problem hiding this comment.
Do we need this () -> null
There was a problem hiding this comment.
it's callback functionality. Its not used currently but was added in case there were any listeners or related items are to be added.
| private static final ResourceSharingIndexListener INSTANCE = new ResourceSharingIndexListener(); | ||
| private ResourceSharingIndexHandler resourceSharingIndexHandler; | ||
|
|
||
| private boolean initialized; |
There was a problem hiding this comment.
Can we not use this extra boolean and just base it on the indexlistener itself?
There was a problem hiding this comment.
Its to ensure that ReosurceSharingIndexListener is only initialized once.
|
|
||
| boolean success = this.resourceSharingIndexHandler.deleteResourceSharingRecord(resourceId, resourceIndex); | ||
| if (success) { | ||
| log.info("Successfully deleted resource sharing entries for resource {}", resourceId); |
There was a problem hiding this comment.
Nit. Should this be singular since there would only be one resource sharing entry for each resource?
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
| @@ -2082,6 +2127,7 @@ public Collection<Class<? extends LifecycleComponent>> getGuiceServiceClasses() | |||
|
|
|||
| final List<Class<? extends LifecycleComponent>> services = new ArrayList<>(1); | |||
| services.add(GuiceHolder.class); | |||
| log.info("Guice service classes loaded"); | |||
There was a problem hiding this comment.
Do we want to change this to something lower like debug?
There was a problem hiding this comment.
Good catch. I will remove it.
| return Collections.singletonList(systemIndexDescriptor); | ||
| final SystemIndexDescriptor securityIndexDescriptor = new SystemIndexDescriptor(indexPattern, "Security index"); | ||
| final SystemIndexDescriptor resourceSharingIndexDescriptor = new SystemIndexDescriptor( | ||
| ConfigConstants.OPENSEARCH_RESOURCE_SHARING_INDEX, |
There was a problem hiding this comment.
Nit: Do we want to add a TODO to support custom resource sharing names?
There was a problem hiding this comment.
Not right now no. Maybe in the next iteration if there is a request for it.
| String resourceIndex = resourcePlugin.getResourceIndex(); | ||
|
|
||
| this.indicesToListen.add(resourceIndex); | ||
| log.info("Preparing to listen to index: {} of plugin: {}", resourceIndex, resourcePlugin); |
There was a problem hiding this comment.
Changed it to warn. Good catch.
| if (areArgumentsInvalid(resourceIndex, clazz)) { | ||
| return Collections.emptySet(); | ||
| } | ||
| final User user = threadContext.getPersistent(ConfigConstants.OPENDISTRO_SECURITY_USER); |
There was a problem hiding this comment.
Why are we putting this persistently here?
There was a problem hiding this comment.
Is it to access the system index within the handler?
There was a problem hiding this comment.
This is to get user which is then used when creating a resource or listing resources. Without this the values may be null.
| if (adminDNs.isAdmin(user)) { | ||
| return true; | ||
| } |
There was a problem hiding this comment.
I don't know if this design decision has already been made, but at least with tenancy there is a concept of a private tenant, which can contain private work/shouldn't be accessible to other people (except for I guess super admin which can search the index directly), do we have any plans to implement a similar feature here?
There was a problem hiding this comment.
adminDNs is super-admin, AFAIK
There was a problem hiding this comment.
non-super-admin will not be able to access these resources.
| LOGGER.info("User {} revoking access to resource {} for {} for scopes {} ", user.getName(), resourceId, revokeAccess, scopes); | ||
|
|
||
| // check if user is admin, if yes the user has permission | ||
| boolean isAdmin = adminDNs.isAdmin(user); |
There was a problem hiding this comment.
do we want to split this out into a utility function such as hasAdminLevelAcess? Maybe there are additional use cases that we want to support here, such as a "super" role, and not just based on the DN... wdyt?
There was a problem hiding this comment.
This here is specific to super-admin. All "super" roles will require user to have the resource shared with them with that scope.
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
This is a WIP. Will flip to ready for review once test cases are added. |
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
DarshitChanpura
changed the base branch from
feature/resource-permissions
to
main
DarshitChanpura
changed the base branch from
main
to
feature/resource-permissions
Signed-off-by: Darshit Chanpura <dchanp@amazon.com>
companion PR: opensearch-project/OpenSearch#16030
Description
Introduces a new authorization mechanism to control access to resources defined by plugins.
This PR also introduces a sample resource plugin to show the APIs in action.
Issues Resolved
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.