Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Point in time security changes #2094

Merged
merged 4 commits into from
Oct 7, 2022

Conversation

bharath-techie
Copy link
Contributor

@bharath-techie bharath-techie commented Sep 19, 2022

Signed-off-by: Bharathwaj G [email protected]

Description

    • For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
    • If user has permission to all indices of PIT , then PIT is permitted to the user
    • Only when the user has permissions for all PITs in the request, then we allow the operation.
    • For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :

  • PIT IDs always contain the resolved indices ( underlying indices ) when saved.
  • Based on this,
    • For alias, user must have either 'index' or 'alias' permission for any PIT operation.
    • For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
    • With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Refer to :
#2087 (comment)

  • Category (Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation)
    New feature - Modification to point in time security model
  • Why these changes are required?
    We're making these changes to enhance the security model of PIT as per review comments from opensearch community
  • What is the old behavior before changes and new behavior after changes?

Issues Resolved

#2087

opensearch-project/OpenSearch#3959

Is this a backport? If so, please add backport PR # and/or commits #

Testing

[Please provide details of testing done: unit testing, integration testing and manual testing]

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much simplified version of these checks, great work! Other than the few comments, please add integration tests.

User user, SecurityRoles securityRoles, final String action,
IndexNameExpressionResolver resolver) {
final ImmutableSet<String> pitImmutableIndices = ImmutableSet.copyOf(pitIndices);
final IndexResolverReplacer.Resolved pitResolved =
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this resolve with aliases or data streams?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question - don't think this logic handles other than local indices.

 final ResolvedIndicesProvider resolvedIndicesProvider = new ResolvedIndicesProvider(request);

        getOrReplaceAllIndices(request, resolvedIndicesProvider, false);

        return resolvedIndicesProvider.resolved(indicesOptionsFrom(request))

I think i have to use this logic instead. Let me try debugging and update this.

@bharath-techie
Copy link
Contributor Author

Much simplified version of these checks, great work! Other than the few comments, please add integration tests.

One problem with integration tests is that current framework doesn't let me pass body to 'delete
or 'get' REST requests. Any suggestions ?

I can validate only '_all' requests.

@peternied
Copy link
Member

For these scenarios that aren't included in the test framework, could you add overloads that cover these scenarios?

Signed-off-by: Bharathwaj G <[email protected]>
Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the update for the tests, There is still an open question about data streams/aliases. Could you add tests for these scenarios - this will confirm the behavior is as expected.

@bharath-techie
Copy link
Contributor Author

Thanks for the update for the tests, There is still an open question about data streams/aliases. Could you add tests for these scenarios - this will confirm the behavior is as expected.

I've addressed the question about data stream / aliases. And also have added the tests validating the same.

@peternied
Copy link
Member

@bharath-techie It looks like there are build issues impacting the CI. I'm happy to approve once we see those tests are passing

@bharath-techie
Copy link
Contributor Author

@peternied
Thanks for the review, builds will pass post the 2.4 backport of opensearch PRs. I'll update this PR post that.

@peternied peternied added the v2.4.0 'Issues and PRs related to version v2.4.0' label Sep 27, 2022
@codecov-commenter
Copy link

codecov-commenter commented Oct 6, 2022

Codecov Report

Merging #2094 (1d4365d) into main (ca4917c) will increase coverage by 0.06%.
The diff coverage is 97.22%.

@@             Coverage Diff              @@
##               main    #2094      +/-   ##
============================================
+ Coverage     61.01%   61.08%   +0.06%     
- Complexity     3229     3241      +12     
============================================
  Files           256      257       +1     
  Lines         18101    18135      +34     
  Branches       3229     3235       +6     
============================================
+ Hits          11044    11077      +33     
  Misses         5475     5475              
- Partials       1582     1583       +1     
Impacted Files Coverage Δ
...ch/security/privileges/PitPrivilegesEvaluator.java 96.42% <96.42%> (ø)
.../opensearch/security/OpenSearchSecurityPlugin.java 79.95% <100.00%> (+0.08%) ⬆️
...earch/security/privileges/PrivilegesEvaluator.java 72.38% <100.00%> (+0.35%) ⬆️
...earch/security/resolver/IndexResolverReplacer.java 65.34% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@bharath-techie
Copy link
Contributor Author

Hi @peternied,
Build is green finally, please review the changes.

Copy link
Member

@peternied peternied left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bharath-techie Excellent work! LGTM

Copy link
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks @bharath-techie !

@DarshitChanpura DarshitChanpura merged commit 207cfcc into opensearch-project:main Oct 7, 2022
@peternied peternied added backport 2.x backport to 2.x branch backport 2.4 labels Nov 2, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 2, 2022
Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>

Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 2, 2022
Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>

Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)
@peternied peternied mentioned this pull request Nov 2, 2022
23 tasks
peternied pushed a commit that referenced this pull request Nov 3, 2022
Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>
Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)
peternied pushed a commit that referenced this pull request Nov 3, 2022
Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>
Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)

Co-authored-by: Bharathwaj G <[email protected]>
stephen-crawford pushed a commit to stephen-crawford/security that referenced this pull request Nov 10, 2022
Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>

Signed-off-by: Bharathwaj G <[email protected]>
Signed-off-by: Stephen Crawford <[email protected]>
wuychn pushed a commit to ochprince/security that referenced this pull request Mar 16, 2023
…project#2224)

Description
For 'Delete PIT' and 'PIT segments' API, when PIT IDs are passed as part of request, this custom evaluator decode the PITs to indices and resolve the indices with user permissions.
If user has permission to all indices of PIT, then PIT is permitted to the user.
Only when the user has permissions for all PITs in the request, then we allow the operation.
For requests which operates on 'all' PITs, we skip the custom evaluator and evaluate via standard code

Alias and data stream behavior :
PIT IDs always contain the resolved indices ( underlying indices ) when saved.
Based on this,
For alias, user must have either 'index' or 'alias' permission for any PIT operation.
For data stream, user must have both 'data stream' AND 'backing indices of data stream' permission ( eg : data-stream-11 + .ds-my-data-stream11-000001 ) for any PIT operation.
With just data stream permission, user will be able to create pit but will not be able to use the PIT ID for other operations such as search without backing indices permission.

Signed-off-by: Bharathwaj G <[email protected]>
Signed-off-by: Bharathwaj G <[email protected]>
(cherry picked from commit 207cfcc)

Co-authored-by: Bharathwaj G <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x backport to 2.x branch backport 2.4 v2.4.0 'Issues and PRs related to version v2.4.0'
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants