Introduce dfm_empty_overrides_all setting to enable role without dls/…

…fls to override roles with dls/fls Signed-off-by: cliu123 <[email protected]>
opensearch-project · Apr 1, 2022 · 1bde700 · 1bde700
1 parent 409ba02
commit 1bde700
Show file tree

Hide file tree

Showing 11 changed files with 470 additions and 178 deletions.
diff --git a/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java b/src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
@@ -30,45 +30,7 @@
 
 package org.opensearch.security;
 
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.LinkOption;
-import java.nio.file.Path;
-import java.nio.file.attribute.PosixFilePermission;
-import java.security.AccessController;
-import java.security.MessageDigest;
-import java.security.PrivilegedAction;
-import java.security.Security;
-import java.util.*;
-import java.util.function.Function;
-import java.util.function.Predicate;
-import java.util.function.Supplier;
-import java.util.function.UnaryOperator;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import org.opensearch.security.auditlog.NullAuditLog;
-import org.opensearch.security.auditlog.impl.AuditLogImpl;
-import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
-import org.opensearch.security.configuration.DlsFlsValveImpl;
-import org.opensearch.security.configuration.SecurityFlsDlsIndexSearcherWrapper;
-import org.opensearch.security.configuration.PrivilegesInterceptorImpl;
-import org.opensearch.security.configuration.Salt;
-import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
-import org.opensearch.security.filter.SecurityRestFilter;
-import org.opensearch.security.http.SecurityHttpServerTransport;
-import org.opensearch.security.rest.SecurityConfigUpdateAction;
-import org.opensearch.security.rest.SecurityWhoAmIAction;
-import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
-import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
-import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
-import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
-import org.opensearch.security.transport.SecurityInterceptor;
-import org.opensearch.security.setting.OpensearchDynamicSetting;
-import org.opensearch.security.setting.TransportPassiveAuthSetting;
-
-import org.slf4j.LoggerFactory;
-import org.slf4j.Logger;
+import com.google.common.collect.Lists;
 import org.apache.lucene.search.QueryCachingPolicy;
 import org.apache.lucene.search.Weight;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -92,12 +54,8 @@
 import org.opensearch.common.logging.DeprecationLogger;
 import org.opensearch.common.network.NetworkModule;
 import org.opensearch.common.network.NetworkService;
-import org.opensearch.common.settings.ClusterSettings;
-import org.opensearch.common.settings.IndexScopedSettings;
-import org.opensearch.common.settings.Setting;
+import org.opensearch.common.settings.*;
 import org.opensearch.common.settings.Setting.Property;
-import org.opensearch.common.settings.Settings;
-import org.opensearch.common.settings.SettingsFilter;
 import org.opensearch.common.util.BigArrays;
 import org.opensearch.common.util.PageCacheRecycler;
 import org.opensearch.common.util.concurrent.ThreadContext;
@@ -131,54 +89,62 @@
 import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.auditlog.AuditLog.Origin;
 import org.opensearch.security.auditlog.AuditLogSslExceptionHandler;
+import org.opensearch.security.auditlog.NullAuditLog;
+import org.opensearch.security.auditlog.impl.AuditLogImpl;
 import org.opensearch.security.auth.BackendRegistry;
 import org.opensearch.security.compliance.ComplianceIndexingOperationListener;
+import org.opensearch.security.compliance.ComplianceIndexingOperationListenerImpl;
+import org.opensearch.security.configuration.*;
+import org.opensearch.security.dlic.rest.api.SecurityRestApiActions;
 import org.opensearch.security.filter.SecurityFilter;
+import org.opensearch.security.filter.SecurityRestFilter;
+import org.opensearch.security.http.SecurityHttpServerTransport;
 import org.opensearch.security.http.SecurityNonSslHttpServerTransport;
 import org.opensearch.security.http.XFFResolver;
 import org.opensearch.security.privileges.PrivilegesEvaluator;
 import org.opensearch.security.privileges.PrivilegesInterceptor;
 import org.opensearch.security.resolver.IndexResolverReplacer;
-import org.opensearch.security.rest.DashboardsInfoAction;
-import org.opensearch.security.rest.SecurityHealthAction;
-import org.opensearch.security.rest.SecurityInfoAction;
-import org.opensearch.security.rest.TenantInfoAction;
+import org.opensearch.security.rest.*;
 import org.opensearch.security.securityconf.DynamicConfigFactory;
+import org.opensearch.security.setting.OpensearchDynamicSetting;
+import org.opensearch.security.setting.TransportPassiveAuthSetting;
+import org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin;
 import org.opensearch.security.ssl.SslExceptionHandler;
+import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
+import org.opensearch.security.ssl.rest.SecuritySSLCertsInfoAction;
+import org.opensearch.security.ssl.rest.SecuritySSLReloadCertsAction;
+import org.opensearch.security.ssl.transport.DefaultPrincipalExtractor;
 import org.opensearch.security.ssl.transport.SecuritySSLNettyTransport;
 import org.opensearch.security.ssl.util.SSLConfigConstants;
+import org.opensearch.security.support.*;
 import org.opensearch.security.transport.DefaultInterClusterRequestEvaluator;
 import org.opensearch.security.transport.InterClusterRequestEvaluator;
+import org.opensearch.security.transport.SecurityInterceptor;
 import org.opensearch.security.user.User;
 import org.opensearch.tasks.Task;
 import org.opensearch.threadpool.ThreadPool;
-import org.opensearch.transport.RemoteClusterService;
-import org.opensearch.transport.Transport;
+import org.opensearch.transport.*;
 import org.opensearch.transport.Transport.Connection;
-import org.opensearch.transport.TransportChannel;
-import org.opensearch.transport.TransportInterceptor;
-import org.opensearch.transport.TransportRequest;
-import org.opensearch.transport.TransportRequestHandler;
-import org.opensearch.transport.TransportRequestOptions;
-import org.opensearch.transport.TransportResponse;
-import org.opensearch.transport.TransportResponseHandler;
-import org.opensearch.transport.TransportService;
 import org.opensearch.watcher.ResourceWatcherService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import org.opensearch.security.configuration.AdminDNs;
-import org.opensearch.security.configuration.ClusterInfoHolder;
-import org.opensearch.security.configuration.CompatConfig;
-import org.opensearch.security.configuration.ConfigurationRepository;
-import org.opensearch.security.configuration.DlsFlsRequestValve;
-import org.opensearch.security.ssl.http.netty.ValidatingDispatcher;
-import org.opensearch.security.support.ConfigConstants;
-import org.opensearch.security.support.HeaderHelper;
-import org.opensearch.security.support.ModuleInfo;
-import org.opensearch.security.support.ReflectionHelper;
-import org.opensearch.security.support.WildcardMatcher;
-import org.opensearch.security.support.SecurityUtils;
-import org.opensearch.security.support.SecuritySettings;
-import com.google.common.collect.Lists;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.LinkOption;
+import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
+import java.security.AccessController;
+import java.security.MessageDigest;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.*;
+import java.util.function.Function;
+import java.util.function.Predicate;
+import java.util.function.Supplier;
+import java.util.function.UnaryOperator;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 public final class OpenSearchSecurityPlugin extends OpenSearchSecuritySSLPlugin implements ClusterPlugin, MapperPlugin {
 
@@ -917,6 +883,7 @@ public List<Setting<?>> getSettings() {
             settings.add(Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_UNSAFE_DEMOCERTIFICATES, false, Property.NodeScope, Property.Filtered));
             settings.add(Setting.boolSetting(ConfigConstants.SECURITY_ALLOW_DEFAULT_INIT_SECURITYINDEX, false, Property.NodeScope, Property.Filtered));
             settings.add(Setting.boolSetting(ConfigConstants.SECURITY_BACKGROUND_INIT_IF_SECURITYINDEX_NOT_EXIST, true, Property.NodeScope, Property.Filtered));
+            settings.add(Setting.boolSetting(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false, Property.NodeScope, Property.Filtered));
             settings.add(Setting.groupSetting(ConfigConstants.SECURITY_AUTHCZ_REST_IMPERSONATION_USERS+".", Property.NodeScope)); //not filtered here
 
             settings.add(Setting.simpleString(ConfigConstants.SECURITY_ROLES_MAPPING_RESOLUTION, Property.NodeScope, Property.Filtered));

diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
@@ -30,20 +30,9 @@
 
 package org.opensearch.security.privileges;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.StringJoiner;
-import java.util.regex.Pattern;
-
 import com.google.common.collect.ImmutableSet;
-import org.slf4j.LoggerFactory;
-import org.slf4j.Logger;
+import com.google.common.collect.Sets;
+import org.greenrobot.eventbus.Subscribe;
 import org.opensearch.OpenSearchSecurityException;
 import org.opensearch.action.ActionRequest;
 import org.opensearch.action.IndicesRequest;
@@ -85,23 +74,24 @@
 import org.opensearch.common.util.concurrent.ThreadContext;
 import org.opensearch.common.xcontent.NamedXContentRegistry;
 import org.opensearch.index.reindex.ReindexAction;
+import org.opensearch.security.auditlog.AuditLog;
 import org.opensearch.security.configuration.ClusterInfoHolder;
 import org.opensearch.security.configuration.ConfigurationRepository;
+import org.opensearch.security.resolver.IndexResolverReplacer;
+import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
 import org.opensearch.security.securityconf.ConfigModel;
 import org.opensearch.security.securityconf.DynamicConfigModel;
 import org.opensearch.security.securityconf.SecurityRoles;
-import org.opensearch.tasks.Task;
-import org.opensearch.threadpool.ThreadPool;
-import org.greenrobot.eventbus.Subscribe;
-
-import org.opensearch.security.auditlog.AuditLog;
-import org.opensearch.security.resolver.IndexResolverReplacer;
-import org.opensearch.security.resolver.IndexResolverReplacer.Resolved;
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
+import org.opensearch.tasks.Task;
+import org.opensearch.threadpool.ThreadPool;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import com.google.common.collect.Sets;
+import java.util.*;
+import java.util.regex.Pattern;
 
 import static org.opensearch.security.OpenSearchSecurityPlugin.traceAction;
 import static org.opensearch.security.support.ConfigConstants.OPENDISTRO_SECURITY_USER_INFO_THREAD_CONTEXT;
@@ -136,6 +126,7 @@ public class PrivilegesEvaluator {
     private final ProtectedIndexAccessEvaluator protectedIndexAccessEvaluator;
     private final TermsAggregationEvaluator termsAggregationEvaluator;
     private final boolean dlsFlsEnabled;
+    private final boolean dfmEmptyOverwritesAll;
     private DynamicConfigModel dcm;
     private final NamedXContentRegistry namedXContentRegistry;
 
@@ -164,6 +155,7 @@ public PrivilegesEvaluator(final ClusterService clusterService, final ThreadPool
         termsAggregationEvaluator = new TermsAggregationEvaluator();
         this.namedXContentRegistry = namedXContentRegistry;
         this.dlsFlsEnabled = dlsFlsEnabled;
+        this.dfmEmptyOverwritesAll = settings.getAsBoolean(ConfigConstants.SECURITY_DFM_EMPTY_OVERRIDES_ALL, false);
     }
 
     @Subscribe
@@ -292,7 +284,7 @@ public PrivilegesEvaluatorResponse evaluate(final User user, String action0, fin
             log.trace("dnfof enabled? {}", dnfofEnabled);
         }
 
-        presponse.evaluatedDlsFlsConfig = getSecurityRoles(mappedRoles).getDlsFls(user, resolver, clusterService, namedXContentRegistry);
+        presponse.evaluatedDlsFlsConfig = getSecurityRoles(mappedRoles).getDlsFls(user, dfmEmptyOverwritesAll, resolver, clusterService, namedXContentRegistry);
 
 
         if (isClusterPerm(action0)) {

diff --git a/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java b/src/main/java/org/opensearch/security/securityconf/ConfigModelV6.java
@@ -17,26 +17,9 @@
 
 package org.opensearch.security.securityconf;
 
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Objects;
-import java.util.Set;
-import java.util.concurrent.Callable;
-import java.util.concurrent.ExecutionException;
-import java.util.concurrent.ExecutorService;
-import java.util.concurrent.Executors;
-import java.util.concurrent.Future;
-import java.util.concurrent.TimeUnit;
-import java.util.stream.Collectors;
-
-import org.slf4j.LoggerFactory;
-import org.slf4j.Logger;
+import com.google.common.base.Joiner;
+import com.google.common.collect.*;
+import com.google.common.collect.MultimapBuilder.SetMultimapBuilder;
 import org.opensearch.ExceptionsHelper;
 import org.opensearch.action.support.IndicesOptions;
 import org.opensearch.cluster.metadata.IndexNameExpressionResolver;
@@ -55,13 +38,13 @@
 import org.opensearch.security.support.ConfigConstants;
 import org.opensearch.security.support.WildcardMatcher;
 import org.opensearch.security.user.User;
-import com.google.common.base.Joiner;
-import com.google.common.collect.ArrayListMultimap;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.ListMultimap;
-import com.google.common.collect.MultimapBuilder.SetMultimapBuilder;
-import com.google.common.collect.SetMultimap;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.*;
+import java.util.Map.Entry;
+import java.util.concurrent.*;
+import java.util.stream.Collectors;
 
 import static org.opensearch.cluster.metadata.IndexAbstraction.Type.ALIAS;
 
@@ -364,7 +347,7 @@ public SecurityRoles filter(Set<String> keep) {
 
 
         @Override
-        public EvaluatedDlsFlsConfig getDlsFls(User user, IndexNameExpressionResolver resolver, ClusterService cs,
+        public EvaluatedDlsFlsConfig getDlsFls(User user, boolean dfmEmptyOverwritesAll, IndexNameExpressionResolver resolver, ClusterService cs,
                 NamedXContentRegistry namedXContentRegistry) {
 
             final Map<String, Set<String>> dlsQueries = new HashMap<String, Set<String>>();