Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Initialize api tokens index if it doesn't exist #4899

Closed

Conversation

derek-ho
Copy link
Collaborator

@derek-ho derek-ho commented Nov 13, 2024

Description

Initializes a new index for API tokens if it doesn't exist

Issues Resolved

Closes: #4900

Is this a backport? If so, please add backport PR # and/or commits #, and remove backport-failed label from the original PR.

Do these changes introduce new permission(s) to be displayed in the static dropdown on the front-end? If so, please open a draft PR in the security dashboards plugin and link the draft PR here

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Copy link

codecov bot commented Nov 13, 2024

Codecov Report

Attention: Patch coverage is 88.88889% with 1 line in your changes missing coverage. Please review.

Project coverage is 71.43%. Comparing base (3c635c9) to head (b8adfb1).

Files with missing lines Patch % Lines
...ecurity/configuration/ConfigurationRepository.java 88.88% 1 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@                 Coverage Diff                 @@
##           feature/api-tokens    #4899   +/-   ##
===================================================
  Coverage               71.43%   71.43%           
===================================================
  Files                     334      334           
  Lines                   22509    22511    +2     
  Branches                 3582     3582           
===================================================
+ Hits                    16079    16081    +2     
- Misses                   4638     4639    +1     
+ Partials                 1792     1791    -1     
Files with missing lines Coverage Δ
...g/opensearch/security/support/ConfigConstants.java 95.23% <ø> (ø)
...ecurity/configuration/ConfigurationRepository.java 76.69% <88.88%> (-0.21%) ⬇️

... and 3 files with indirect coverage changes

Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho derek-ho requested review from cwperks and DarshitChanpura and removed request for cwperks and DarshitChanpura November 13, 2024 20:51
public void createApiTokenIndex() {
try {
// wait for the cluster here until it will finish managed node election
while (clusterService.state().blocks().hasGlobalBlockWithStatus(RestStatus.SERVICE_UNAVAILABLE)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need this block?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is necessary as without it we could try to create an index before the cluster is ready to handle this request. @DarshitChanpura @cwperks Do you folks think we still need this check though? As that check should already be performed by the creation of the opendistro_security index, depending on the value of "plugins.security.allow_default_init_securityindex" setting. In any case I was just taking inspiration from the creation of the opendistro_security index.


try {
final ThreadContext threadContext = threadPool.getThreadContext();
try (StoredContext ctx = threadContext.stashContext()) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need to explicitly stashContext here?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like the above, this is taken from the creation of opendistro_security index, which I assume has this to handle edge cases since the security index may not be initialized yet. Again not completely sure if its needed but I think it is fine?

Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
Signed-off-by: Derek Ho <dxho@amazon.com>
@@ -201,8 +202,8 @@ private void initalizeClusterConfiguration(final boolean installDefaultConfig) {
try (StoredContext ctx = threadContext.stashContext()) {
threadContext.putHeader(ConfigConstants.OPENDISTRO_SECURITY_CONF_REQUEST_HEADER, "true");

createSecurityIndexIfAbsent();
waitForSecurityIndexToBeAtLeastYellow();
createIndexIfAbsent(securityIndex);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this class should be reserved for initializing the security index. The security index will always need to be created on bootstrap.

For most plugins, I believe they create a system index when its needed if it doesn't exist instead of creating it on bootstrap. i.e. A user tries to issue an auth token and security tries to store the metadata, but the index doesn't exist so create it at that time.

See this class from AD plugin: https://github.com/opensearch-project/anomaly-detection/blob/main/src/main/java/org/opensearch/ad/indices/ADIndexManagement.java

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure this approach makes sense too. I also thought of this approach at first, but thought that it will add too much overhead to try and create this index for every request if it doesn't exist. However, we can limit this to index operations (create, revoke, etc.), and do not need to perform this for every authC request. I will try to do it this way instead.

@derek-ho
Copy link
Collaborator Author

@derek-ho derek-ho closed this Nov 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants