-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix data-stream name resolution for wild-cards #1716
Conversation
Codecov Report
@@ Coverage Diff @@
## 1.3 #1716 +/- ##
============================================
- Coverage 64.62% 64.62% -0.01%
- Complexity 3216 3219 +3
============================================
Files 247 247
Lines 17351 17363 +12
Branches 3082 3086 +4
============================================
+ Hits 11213 11220 +7
- Misses 4591 4594 +3
- Partials 1547 1549 +2
Continue to review full report at Codecov.
|
Signed-off-by: Sandesh Kumar <[email protected]>
src/main/java/org/opensearch/security/resolver/IndexResolverReplacer.java
Show resolved
Hide resolved
LGTM! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a questions which is not specific to this change, just wondering if this use case is supported:
one data stream is backed by a list of indices, e.g. data stream my-data-stream
is backed by indices .ds_my-data-steram_1
to .ds_my-data-steram_{n}
and one user has permission to access data stream my-data-stream
, can the user query using the concrete index name .ds_my-data-steram_1
, e.g. POST /.ds_my-data-steram_1/_search
will it be allowed or denied?
They will be denied. |
This reverts commit 2a05ce4.
This was our mistake this change should not be released with 1.3.1, I've reverted it and this can be reopened against main |
Hi @sandeshkr419, we had to revert your commit because 1.3.1 release is being built on 1.3 branch today. |
Thanks @peternied & @cliu123 Raised the PR against main branch: Please review & merge the above PR and help me backport them to older branches as well. |
@zengyan-amazon To clarify the doubts about permissions regarding backing indices of data stream - I have added relevant test cases as well in the new PR - #1723 |
Signed-off-by: Sandesh Kumar [email protected]
Description
[Describe what this change achieves]
Category: Bug fix
Security plugin is not able to invalidate non-permitted data-stream (get/delete/stats) requests sent using wild-card expressions.
This is because the list of 'allIndices' in 'ResolvedIndicesProvider' class does not has the resolved names of data streams. If the 'allIndices' variable when resolved, is empty -> leads the authorization to succeed as there are no eligible index patterns to block the request.
In this change, we add the the names of resolved data streams to 'allIndices' so data stream names also can get resolved.
What is the old behavior before changes and new behavior after changes?
Suppose the indices are as follows in a OS cluster.
Assume the user
sandesh1
to have the following data-streams related permissions:The ideal (expected) behavior is that user
sandesh
should not be able to access data-streams other than logs-nginx1 & logs-nginx11.Old Behaviour:
New Behaviour:
Issues Resolved
#1498
Is this a backport? If so, please add backport PR # and/or commits #
Testing
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.