[DRAFT] [Feature] Introduces resource sharing and access-control #4746

wants to merge 22 commits into
base: feature/resource-permissions
22 commits
e87a32f
Add a base setup for resource access evaluation
DarshitChanpura Aug 30, 2024
78d4111
Merge remote-tracking branch 'upstream/main' into resource-access-con…
DarshitChanpura Sep 3, 2024
64c587b
Adds handler and other access management components for resource sharing
DarshitChanpura Sep 6, 2024
ca8469f
Adds sample resource plugin
DarshitChanpura Sep 6, 2024
01d55a4
Removes node_modules entry from gitingore
DarshitChanpura Sep 6, 2024
4c913de
Merge remote-tracking branch 'upstream/main' into resource-access-con…
DarshitChanpura Sep 11, 2024
fd8cfd1
Merge branch 'main' into resource-access-control
DarshitChanpura Oct 2, 2024
a84594f
Handles changes related to scope
DarshitChanpura Oct 4, 2024
044d625
Updates sample plugin to implement a custom scope
DarshitChanpura Oct 4, 2024
694e150
Fixes Checkstyle and spotless issues
DarshitChanpura Oct 4, 2024
7b927fd
Fixes initialization error
DarshitChanpura Oct 4, 2024
a395541
Renames sample resource plugin and adds a logger statement
DarshitChanpura Oct 4, 2024
f692bc1
Changes package name for sample plugin
DarshitChanpura Oct 4, 2024
8151697
Re-organizes and renames sample plugin files
DarshitChanpura Oct 4, 2024
117671c
Updates method references to conform to core
DarshitChanpura Oct 4, 2024
4d00642
Fixes compile errors
DarshitChanpura Oct 4, 2024
5213e6f
Fixes some names and method implementations
DarshitChanpura Oct 14, 2024
d0cc8a8
Adds few concrete method implementations in security plugin
DarshitChanpura Oct 14, 2024
d72f9c4
Adds capability to introduce index listeners for all resource plugins
DarshitChanpura Oct 15, 2024
9bae8cc
Removes sampleplugin to be added in a separate PR
DarshitChanpura Nov 11, 2024
26c5a67
Merge remote-tracking branch 'upstream/main' into resource-access-con…
DarshitChanpura Nov 11, 2024
bdb5d4e
Updates settings.gradle
DarshitChanpura Nov 11, 2024
4 changes: 0 additions & 4 deletions .gitignore
Expand Up @@ -43,7 +43,3 @@ out/
build/
gradle-build/
.gradle/

# nodejs
node_modules/
package-lock.json
Expand Up @@ -38,16 +38,7 @@
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.*;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.BiFunction;
import java.util.function.Function;
Expand All @@ -68,6 +59,10 @@
import org.opensearch.OpenSearchSecurityException;
import org.opensearch.SpecialPermission;
import org.opensearch.Version;
import org.opensearch.accesscontrol.resources.EntityType;
import org.opensearch.accesscontrol.resources.ResourceService;
import org.opensearch.accesscontrol.resources.ResourceSharing;
import org.opensearch.accesscontrol.resources.ShareWith;
import org.opensearch.action.ActionRequest;
import org.opensearch.action.search.PitService;
import org.opensearch.action.search.SearchScrollAction;
Expand Down Expand Up @@ -120,6 +115,8 @@
import org.opensearch.plugins.IdentityPlugin;
import org.opensearch.plugins.MapperPlugin;
import org.opensearch.plugins.Plugin;
import org.opensearch.plugins.ResourceAccessControlPlugin;
import org.opensearch.plugins.ResourcePlugin;
import org.opensearch.plugins.SecureHttpTransportSettingsProvider;
import org.opensearch.plugins.SecureSettingsFactory;
import org.opensearch.plugins.SecureTransportSettingsProvider;
Expand Down Expand Up @@ -173,6 +170,10 @@
import org.opensearch.security.privileges.RestLayerPrivilegesEvaluator;
import org.opensearch.security.privileges.dlsfls.DlsFlsBaseContext;
import org.opensearch.security.resolver.IndexResolverReplacer;
import org.opensearch.security.resources.ResourceAccessHandler;
import org.opensearch.security.resources.ResourceManagementRepository;
import org.opensearch.security.resources.ResourceSharingIndexHandler;
import org.opensearch.security.resources.ResourceSharingIndexListener;
import org.opensearch.security.rest.DashboardsInfoAction;
import org.opensearch.security.rest.SecurityConfigUpdateAction;
import org.opensearch.security.rest.SecurityHealthAction;
Expand Down Expand Up @@ -230,9 +231,10 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
implements
ClusterPlugin,
MapperPlugin,
IdentityPlugin,
ResourceAccessControlPlugin,
// CS-SUPPRESS-SINGLE: RegexpSingleline get Extensions Settings
ExtensionAwarePlugin,
IdentityPlugin
ExtensionAwarePlugin
// CS-ENFORCE-SINGLE

{
Expand Down Expand Up @@ -268,6 +270,9 @@ public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin
private volatile OpensearchDynamicSetting<Boolean> transportPassiveAuthSetting;
private volatile PasswordHasher passwordHasher;
private volatile DlsFlsBaseContext dlsFlsBaseContext;
private ResourceManagementRepository rmr;
private ResourceAccessHandler resourceAccessHandler;
private final Set<String> indicesToListen = new HashSet<>();

public static boolean isActionTraceEnabled() {

Expand Down Expand Up @@ -708,6 +713,13 @@ public void onIndexModule(IndexModule indexModule) {
dlsFlsBaseContext
)
);

log.info("Indices to listen to: {}", this.indicesToListen);
if (this.indicesToListen.contains(indexModule.getIndex().getName())) {
indexModule.addIndexOperationListener(ResourceSharingIndexListener.getInstance());
log.warn("Security plugin started listening to operations on index {}", indexModule.getIndex().getName());
}

indexModule.forceQueryCacheProvider((indexSettings, nodeCache) -> new QueryCache() {

@Override
Expand Down Expand Up @@ -1191,6 +1203,12 @@ public Collection<Object> createComponents(
e.subscribeForChanges(dcf);
}

final var resourceSharingIndex = ConfigConstants.OPENSEARCH_RESOURCE_SHARING_INDEX;
ResourceSharingIndexHandler rsIndexHandler = new ResourceSharingIndexHandler(resourceSharingIndex, localClient, threadPool);
resourceAccessHandler = new ResourceAccessHandler(threadPool, rsIndexHandler, adminDns);

rmr = ResourceManagementRepository.create(settings, threadPool, localClient, rsIndexHandler);

components.add(adminDns);
components.add(cr);
components.add(xffResolver);
Expand Down Expand Up @@ -2065,6 +2083,18 @@ public void onNodeStarted(DiscoveryNode localNode) {
if (!SSLConfig.isSslOnlyMode() && !client && !disabled && !useClusterStateToInitSecurityConfig(settings)) {
cr.initOnNodeStart();
}

// create resource sharing index if absent
rmr.createResourceSharingIndexIfAbsent();

log.info("Loading resource plugins");
for (ResourcePlugin resourcePlugin : OpenSearchSecurityPlugin.GuiceHolder.getResourceService().listResourcePlugins()) {
String resourceIndex = resourcePlugin.getResourceIndex();

this.indicesToListen.add(resourceIndex);
log.info("Loaded resource plugin: {}, index: {}", resourcePlugin, resourceIndex);
}

final Set<ModuleInfo> securityModules = ReflectionHelper.getModulesLoaded();
log.info("{} OpenSearch Security modules loaded so far: {}", securityModules.size(), securityModules);
}
Expand Down Expand Up @@ -2166,12 +2196,43 @@ private void tryAddSecurityProvider() {
});
}

@Override
public List<String> listAccessibleResourcesInPlugin(String systemIndexName) {
return this.resourceAccessHandler.listAccessibleResourcesInPlugin(systemIndexName);
}

@Override
public boolean hasPermission(String resourceId, String systemIndexName, String scope) {
return this.resourceAccessHandler.hasPermission(resourceId, systemIndexName, scope);
}

@Override
public ResourceSharing shareWith(String resourceId, String systemIndexName, ShareWith shareWith) {
return this.resourceAccessHandler.shareWith(resourceId, systemIndexName, shareWith);
}

@Override
public ResourceSharing revokeAccess(String resourceId, String systemIndexName, Map<EntityType, List<String>> entities) {
return this.resourceAccessHandler.revokeAccess(resourceId, systemIndexName, entities);
}

@Override
public boolean deleteResourceSharingRecord(String resourceId, String systemIndexName) {
return this.resourceAccessHandler.deleteResourceSharingRecord(resourceId, systemIndexName);
}

@Override
public boolean deleteAllResourceSharingRecordsForCurrentUser() {
return this.resourceAccessHandler.deleteAllResourceSharingRecordsForCurrentUser();
}

public static class GuiceHolder implements LifecycleComponent {

private static RepositoriesService repositoriesService;
private static RemoteClusterService remoteClusterService;
private static IndicesService indicesService;
private static PitService pitService;
private static ResourceService resourceService;

// CS-SUPPRESS-SINGLE: RegexpSingleline Extensions manager used to allow/disallow TLS connections to extensions
private static ExtensionsManager extensionsManager;
Expand All @@ -2182,13 +2243,15 @@ public GuiceHolder(
final TransportService remoteClusterService,
IndicesService indicesService,
PitService pitService,
ExtensionsManager extensionsManager
ExtensionsManager extensionsManager,
ResourceService resourceService
) {
GuiceHolder.repositoriesService = repositoriesService;
GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
GuiceHolder.indicesService = indicesService;
GuiceHolder.pitService = pitService;
GuiceHolder.extensionsManager = extensionsManager;
GuiceHolder.resourceService = resourceService;
}
// CS-ENFORCE-SINGLE

Expand All @@ -2214,6 +2277,10 @@ public static ExtensionsManager getExtensionsManager() {
}
// CS-ENFORCE-SINGLE

public static ResourceService getResourceService() {
return resourceService;
}

@Override
public void close() {}

Expand Down
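Review bot: `rmr.createResourceSharingIndexIfAbsent()` in onNodeStarted sits outside the `!SSLConfig.isSslOnlyMode() && !client && !disabled` guard that protects `cr.initOnNodeStart()` on the line just above it, so on any node where createComponents never reaches the `rmr = ResourceManagementRepository.create(...)` assignment (which looks to be the case for disabled or SSL-only modes, though that early return is outside this hunk, as is the start of onNodeStarted's body) the call dereferences a null `rmr` and aborts node start; the `GuiceHolder.getResourceService().listResourcePlugins()` loop that follows has the same exposure. Put both under the same condition, or at minimum guard them with `if (rmr != null) { ... }`. Separately, `indicesToListen` is a plain `HashSet` written in onNodeStarted and read in onIndexModule, which runs on other threads, so declare it `private final Set<String> indicesToListen = ConcurrentHashMap.newKeySet();` (needs a `java.util.concurrent.ConcurrentHashMap` import) and note in a comment that any index module created before onNodeStarted ran will never receive the listener, which may leave resource indices unmonitored after a restart. The `import java.util.*;` wildcard replacing the ten explicit imports also departs from the file's existing style, and `log.warn` for the routine "started listening" message at line 197 should be `log.debug` or `log.info`.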