Point in time security changes

Signed-off-by: Bharathwaj G <[email protected]>
opensearch-project · Sep 19, 2022 · 0e0affc · 0e0affc
1 parent 7f992eb
commit 0e0affc
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 9 deletions.
diff --git a/config/roles.yml b/config/roles.yml
@@ -246,3 +246,12 @@ snapshot_management_read_access:
     - 'cluster:admin/opensearch/snapshot_management/policy/explain'
     - 'cluster:admin/repository/get'
     - 'cluster:admin/snapshot/get'
+
+# Allows user to use point in time functionality
+point_in_time_full_access:
+  reserved: true
+  index_permissions:
+    - index_patterns:
+        - '*'
+      allowed_actions:
+        - 'manage_point_in_time'
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -66,6 +66,7 @@
 import org.opensearch.Version;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.ActionResponse;
+import org.opensearch.action.search.PitService;
 import org.opensearch.action.search.SearchScrollAction;
 import org.opensearch.action.support.ActionFilter;
 import org.opensearch.client.Client;
@@ -1161,12 +1162,15 @@ public static class GuiceHolder implements LifecycleComponent {
         private static RemoteClusterService remoteClusterService;
         private static IndicesService indicesService;
 
+        private static PitService pitService;
+
         @Inject
         public GuiceHolder(final RepositoriesService repositoriesService,
-                final TransportService remoteClusterService, IndicesService indicesService) {
+                final TransportService remoteClusterService, IndicesService indicesService, PitService pitService) {
             GuiceHolder.repositoriesService = repositoriesService;
             GuiceHolder.remoteClusterService = remoteClusterService.getRemoteClusterService();
             GuiceHolder.indicesService = indicesService;
+            GuiceHolder.pitService = pitService;
         }
 
         public static RepositoriesService getRepositoriesService() {
@@ -1180,6 +1184,8 @@ public static RemoteClusterService getRemoteClusterService() {
         public static IndicesService getIndicesService() {
             return indicesService;
         }
+
+        public static PitService getPitService() { return pitService; }
 
         @Override
         public void close() {

diff --git a/src/main/java/org/opensearch/security/privileges/PitPrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PitPrivilegesEvaluator.java
@@ -0,0 +1,101 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+package org.opensearch.security.privileges;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+
+import org.opensearch.action.ActionRequest;
+import org.opensearch.action.admin.indices.segments.PitSegmentsRequest;
+import org.opensearch.action.search.DeletePitRequest;
+import org.opensearch.action.search.GetAllPitNodesRequest;
+import org.opensearch.action.search.GetAllPitNodesResponse;
+import org.opensearch.action.search.ListPitInfo;
+import org.opensearch.action.search.SearchRequest;
+import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
+import org.opensearch.cluster.service.ClusterService;
+import org.opensearch.security.OpenSearchSecurityPlugin;
+import org.opensearch.security.resolver.IndexResolverReplacer;
+import org.opensearch.security.securityconf.SecurityRoles;
+import org.opensearch.security.user.User;
+
+
+/**
+ * This class evaluates privileges for point in time (Delete and List all) operations
+ */
+public class PitPrivilegesEvaluator {
+
+    public PrivilegesEvaluatorResponse evaluate(final ActionRequest request, final ClusterService clusterService,
+                                                final User user, final SecurityRoles securityRoles, final String action,
+                                                final IndexNameExpressionResolver resolver,
+                                                final PrivilegesEvaluatorResponse presponse) {
+        List<String> pitIds = new ArrayList<>();
+        if (request instanceof DeletePitRequest) {
+            DeletePitRequest deletePitRequest = (DeletePitRequest) request;
+            pitIds = deletePitRequest.getPitIds();
+        } else if(request instanceof PitSegmentsRequest) {
+            PitSegmentsRequest pitSegmentsRequest = (PitSegmentsRequest) request;
+            pitIds = pitSegmentsRequest.getPitIds();
+        }
+        // if request is for all PIT IDs, skip custom pit ids evaluation
+        if (pitIds.size() == 1 && "_all".equals(pitIds.get(0))) {
+            return presponse;
+        } else {
+            return handlePitsAccess(pitIds, clusterService, user, securityRoles,
+                    action, resolver, presponse);
+        }
+
+        return presponse;
+    }
+
+    /**
+     * Handle access for delete operation / pit segments operation where PIT IDs are explicitly passed
+     */
+    private PrivilegesEvaluatorResponse handlePitsAccess(List<String> pitIds, ClusterService clusterService,
+                                                         User user, SecurityRoles securityRoles, final String action,
+                                                         IndexNameExpressionResolver resolver, PrivilegesEvaluatorResponse presponse) {
+        Map<String, String[]> pitToIndicesMap = OpenSearchSecurityPlugin.
+                GuiceHolder.getPitService().getIndicesForPits(pitIds);
+        Set<String> pitIndices = new HashSet<>();
+        // add indices across all PITs to a set and evaluate if user has access to all indices
+        for(String[] indices: pitToIndicesMap.values()) {
+            pitIndices.addAll(Arrays.asList(indices));
+        }
+        Set<String> allPermittedIndices = getPermittedIndices(pitIndices, clusterService, user,
+                securityRoles, action, resolver);
+        // Only if user has access to all PIT's indices, allow operation, otherwise continue evaluation in PrivilegesEvaluator.
+        if(pitIndices.size() == allPermittedIndices.size()) {
+            presponse.allowed = true;
+            presponse.markComplete();
+        }
+        return presponse;
+    }
+
+    /**
+     * This method returns list of permitted indices for the PIT indices passed
+     */
+    private Set<String> getPermittedIndices(Set<String> pitIndices, ClusterService clusterService,
+                                            User user, SecurityRoles securityRoles, final String action,
+                                            IndexNameExpressionResolver resolver) {
+        final ImmutableSet<String> pitImmutableIndices = ImmutableSet.copyOf(pitIndices);
+        final IndexResolverReplacer.Resolved pitResolved =
+                new IndexResolverReplacer.Resolved(pitImmutableIndices, pitImmutableIndices, pitImmutableIndices,
+                        ImmutableSet.of(), SearchRequest.DEFAULT_INDICES_OPTIONS);
+        return securityRoles.reduce(pitResolved,
+                user, new String[]{action}, resolver, clusterService);
+    }
+}
diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -130,6 +130,7 @@ public class PrivilegesEvaluator {
     private final SecurityIndexAccessEvaluator securityIndexAccessEvaluator;
     private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
     private final TermsAggregationEvaluator termsAggregationEvaluator;
+    private final PitPrivilegesEvaluator pitPrivilegesEvaluator;
     private final boolean dlsFlsEnabled;
     private final boolean dfmEmptyOverwritesAll;
     private DynamicConfigModel dcm;
@@ -158,6 +159,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
         securityIndexAccessEvaluator = new SecurityIndexAccessEvaluator(settings, auditLog, irr);
         protectedIndexAccessEvaluator = new ProtectedIndexAccessEvaluator(settings, auditLog);
         termsAggregationEvaluator = new TermsAggregationEvaluator();
+        pitPrivilegesEvaluator = new PitPrivilegesEvaluator();
         this.namedXContentRegistry = namedXContentRegistry;
         this.dlsFlsEnabled = dlsFlsEnabled;
         this.dfmEmptyOverwritesAll = settings.getAsBoolean(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false);
@@ -282,6 +284,12 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
             return presponse;
         }
 
+        // check access for point in time requests
+        if(pitPrivilegesEvaluator.evaluate(request, clusterService, user, securityRoles,
+                action0, resolver, presponse).isComplete()) {
+            return presponse;
+        }
+
         final boolean dnfofEnabled = dcm.isDnfofEnabled();
 
         final boolean isTraceEnabled = log.isTraceEnabled();

diff --git a/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java b/src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java
@@ -370,11 +370,11 @@ public final static class Resolved {
         private final boolean isLocalAll;
         private final IndicesOptions indicesOptions;
 
-        private Resolved(final ImmutableSet<String> aliases,
-                         final ImmutableSet<String> allIndices,
-                         final ImmutableSet<String> originalRequested,
-                         final ImmutableSet<String> remoteIndices,
-                         IndicesOptions indicesOptions) {
+        public Resolved(final ImmutableSet<String> aliases,
+                        final ImmutableSet<String> allIndices,
+                        final ImmutableSet<String> originalRequested,
+                        final ImmutableSet<String> remoteIndices,
+                        IndicesOptions indicesOptions) {
             this.aliases = aliases;
             this.allIndices = allIndices;
             this.originalRequested = originalRequested;

diff --git a/src/main/resources/static_config/static_action_groups.yml b/src/main/resources/static_config/static_action_groups.yml
@@ -233,8 +233,9 @@ manage_point_in_time:
   static: true
   allowed_actions:
     - "indices:data/read/point_in_time/create"
-    - "cluster:admin/point_in_time/delete"
-    - "cluster:admin/point_in_time/read*"
+    - "indices:data/read/point_in_time/delete"
+    - "indices:data/read/point_in_time/readall"
+    - "indices:data/read/search"
     - "indices:monitor/point_in_time/segments"
-  type: "cluster"
+  type: "index"
   description: "Manage point in time actions"