-
Notifications
You must be signed in to change notification settings - Fork 282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce dfm_empty_overrides_all setting to enable role without dls/fls to override roles with dls/fls #1735
Introduce dfm_empty_overrides_all setting to enable role without dls/fls to override roles with dls/fls #1735
Conversation
1bde700
to
2030b14
Compare
Codecov Report
@@ Coverage Diff @@
## main #1735 +/- ##
============================================
+ Coverage 60.42% 60.48% +0.06%
- Complexity 3197 3201 +4
============================================
Files 253 253
Lines 18093 18116 +23
Branches 3245 3251 +6
============================================
+ Hits 10933 10958 +25
Misses 5579 5579
+ Partials 1581 1579 -2
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as usual: this is not meant as a thorough review, for that i'm not familiar enough with this code base (and security things should never be reviewed by people who aren't familiar with them, i.e. me 😄)
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
Outdated
Show resolved
Hide resolved
|
||
@Test | ||
public void testDFMUnrestrictedUser() throws Exception { | ||
// admin user sees all, no dfm restrictions apply |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why not move such descriptive comments up into a javadoc on the test method? then it's better visible that this is the description of the test method.
(same for the other tests below)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Java doc is actually barely used in this repo, especially in the tests. But this is a great idea!
src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
Show resolved
Hide resolved
src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
Show resolved
Hide resolved
2030b14
to
3f106b0
Compare
it seems that the newly pushed commit only changes the author (thanks!) but didn't address any of the other findings? |
0613072
to
1e1ddbd
Compare
…fls to override roles with dls/fls Signed-off-by: cliu123 <[email protected]>
1e1ddbd
to
ab668d6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for removing the import changes and comments around the tests, much more readable!
Very close now, a few callouts remain.
src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/dlic/dlsfls/DfmOverwritesAllTest.java
Show resolved
Hide resolved
560c2cd
to
9ed11a1
Compare
Co-authored-by: Ralph Ursprung <[email protected]> Signed-off-by: cliu123 <[email protected]>
3683270
to
efafa9d
Compare
Signed-off-by: cliu123 <[email protected]>
src/main/java/org/opensearch/security/securityconf/ConfigModelV7.java
Outdated
Show resolved
Hide resolved
Signed-off-by: cliu123 <[email protected]>
5d676e0
to
c4b65c1
Compare
@opensearch-project/security Could we get a second reviewer to take a look? |
…fls to override roles with dls/fls (opensearch-project#1735) * Introduce dfm_empty_overrides_all setting to enable role without dls/fls to override roles with dls/fls Signed-off-by: cliu123 <[email protected]> Co-authored-by: jochenkressin <[email protected]> Co-authored-by: Ralph Ursprung <[email protected]>
Signed-off-by: cliu123 [email protected]
Description
The default behavior of security plugin DLS and FLS follows the least privilege principle. When a user has more than 1 role, the role with the most restrictive permissions is honored.
With the new setting
dfm_empty_overrides_all
setting explicitly being set totrue
, security plugin enables role without dls/fls to override roles with dls/fls.The setting
dfm_empty_overrides_all
isfalse
by default.Issues Resolved
#1572
Testing
ITs
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.