Skip to content

Commit

Permalink
Revert "backport cluster evaluation permissions #1885 to opendistro-1…
Browse files Browse the repository at this point in the history
….11 (#1986)"

This reverts commit ec80578.

Signed-off-by: Rutuja Surve <[email protected]>
  • Loading branch information
rutuja-amazon committed Aug 10, 2022
1 parent ec80578 commit 25e6a70
Show file tree
Hide file tree
Showing 7 changed files with 3 additions and 258 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -585,7 +585,6 @@ private Set<String> evaluateAdditionalIndexPermissions(final ActionRequest reque
private static boolean isClusterPerm(String action0) {
return ( action0.startsWith("cluster:")
|| action0.startsWith("indices:admin/template/")
|| action0.startsWith("indices:admin/index_template/")

|| action0.startsWith(SearchScrollAction.NAME)
|| (action0.equals(BulkAction.NAME))
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,6 @@
import java.util.regex.PatternSyntaxException;
import java.util.stream.Collectors;

import org.apache.commons.collections.keyvalue.MultiKey;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionRequest;
Expand Down Expand Up @@ -758,4 +757,4 @@ else if (RestoreSnapshotRequest.class.isInstance(localRequest)) {
public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
respectRequestIndicesOptions = dcm.isRespectRequestIndicesEnabled();
}
}
}

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -37,16 +37,12 @@
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Scanner;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;

import com.fasterxml.jackson.databind.JsonNode;
import org.apache.commons.io.IOUtils;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
Expand Down Expand Up @@ -75,11 +71,8 @@
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import org.opensearch.security.DefaultObjectMapper;
import org.opensearch.security.test.helper.cluster.ClusterInfo;
import org.opensearch.security.test.helper.file.FileHelper;

import static org.junit.jupiter.api.Assertions.fail;
import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterInfo;
import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper;

public class RestHelper {

Expand Down Expand Up @@ -349,74 +342,6 @@ public String toString() {
+ ", statusReason=" + statusReason + "]";
}

private static void findArrayAccessor(String input) {
final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]");
final Matcher m = r.matcher(input);
if(m.find()) {
System.out.println("'" + input + "'\t Name was: " + m.group(1) + ",\t index position: " + m.group(2));
} else {
System.out.println("'" + input + "'\t No Match");
}
}

/**
* Given a json path with dots delimiated returns the object at the leaf
*/
public String findValueInJson(final String jsonDotPath) {
// Make sure its json / then parse it
if (!isJsonContentType()) {
fail("Response was expected to be JSON, body was: \n" + body);
}
JsonNode currentNode = null;
try {
currentNode = DefaultObjectMapper.readTree(body);
} catch (final Exception e) {
throw new RuntimeException(e);
}

// Break the path into parts, and scan into the json object
try (final Scanner jsonPathScanner = new Scanner(jsonDotPath).useDelimiter("\\.")) {
if (!jsonPathScanner.hasNext()) {
fail("Invalid json dot path '" + jsonDotPath + "', rewrite with '.' characters between path elements.");
}
do {
String pathEntry = jsonPathScanner.next();
// if pathEntry is an array lookup
int arrayEntryIdx = -1;

// Looks for an array-lookup pattern in the path
// e.g. root_cause[1] -> will match
// e.g. root_cause[2aasd] -> won't match
final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]");
final Matcher m = r.matcher(pathEntry);
if(m.find()) {
pathEntry = m.group(1);
arrayEntryIdx = Integer.parseInt(m.group(2));
}

if (!currentNode.has(pathEntry)) {
fail("Unable to resolve '" + jsonDotPath + "', on path entry '" + pathEntry + "' from available fields " + currentNode.toPrettyString());
}
currentNode = currentNode.get(pathEntry);

// if it's an Array lookup we get the requested index item
if (arrayEntryIdx > -1) {
if(!currentNode.isArray()) {
fail("Unable to resolve '" + jsonDotPath + "', the '" + pathEntry + "' field is not an array " + currentNode.toPrettyString());
} else if (!currentNode.has(arrayEntryIdx)) {
fail("Unable to resolve '" + jsonDotPath + "', index '" + arrayEntryIdx + "' is out of bounds for array '" + pathEntry + "' \n" + currentNode.toPrettyString());
}
currentNode = currentNode.get(arrayEntryIdx);
}
} while (jsonPathScanner.hasNext());

if (!currentNode.isValueNode()) {
fail("Unexpected value note, index directly to the object to reference, object\n" + currentNode.toPrettyString());
}
return currentNode.asText();
}
}

private static HttpResponse from(Future<HttpResponse> future) {
try {
return future.get();
Expand Down
7 changes: 0 additions & 7 deletions src/test/resources/internal_users.yml
Original file line number Diff line number Diff line change
Expand Up @@ -338,10 +338,3 @@ hidden_test:
hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
opendistro_security_roles:
- hidden_test
sem-user:
hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
#password is: nagilum
sem-user2:
hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
#password is: nagilum

71 changes: 0 additions & 71 deletions src/test/resources/roles.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1072,80 +1072,9 @@ xyz_sr_reserved:
hidden_test:
cluster_permissions:
- SGS_CLUSTER_COMPOSITE_OPS

index_template_perm:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: []
index_permissions:
- index_patterns:
- "*"
allowed_actions:
- "indices:admin/index_template/*"

data_stream_0:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: []
index_permissions:
- index_patterns:
- "*my-data-stream2*"
allowed_actions:
- "indices:admin/get"

data_stream_1:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: [ "indices:admin/index_template/put" ]
index_permissions:
- index_patterns:
- "my-data-stream*"
allowed_actions:
- "indices:admin/data_stream/get"
- "indices:admin/data_stream/create"

data_stream_2:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: []
index_permissions:
- index_patterns:
- hidden_test_not_hidden
allowed_actions:
- "DATASTREAM_ALL"

hidden_test:
cluster_permissions:
- SGS_CLUSTER_COMPOSITE_OPS
index_permissions:
- index_patterns:
- hidden_test_not_hidden
allowed_actions:
- "*"

sem-role:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: [ "cluster_monitor", "indices:admin/index_template/put" ]
index_permissions:
- index_patterns:
- "sem*"
allowed_actions:
- "*"

sem-role2:
reserved: true
hidden: false
description: "Migrated from v6 (all types mapped)"
cluster_permissions: [ "cluster_monitor" ]
index_permissions:
- index_patterns:
- "sem*"
allowed_actions:
- "indices:admin/index_template/put"

36 changes: 0 additions & 36 deletions src/test/resources/roles_mapping.yml
Original file line number Diff line number Diff line change
Expand Up @@ -388,39 +388,3 @@ xyz_sr_hidden:
bulk_test_user_role:
users:
- "bulk_test_user"
index_template_perm:
reserved: false
hidden: false
users:
- "ds1"
data_stream_0:
reserved: false
hidden: false
users:
- "ds0"
data_stream_1:
reserved: false
hidden: false
users:
- "ds1"
data_stream_2:
reserved: false
hidden: false
users:
- "ds2"
data_stream_3:
reserved: false
hidden: false
users:
- "ds3"
sem-role:
reserved: false
hidden: false
users:
- "sem-user"
sem-role2:
reserved: false
hidden: false
users:
- "sem-user2"

0 comments on commit 25e6a70

Please sign in to comment.