Support security config updates on the REST API using permission #3264
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #3264 +/- ##
============================================
+ Coverage 64.56% 64.59% +0.03%
- Complexity 3545 3550 +5
============================================
Files 269 269
Lines 20363 20365 +2
Branches 3376 3377 +1
============================================
+ Hits 13147 13155 +8
+ Misses 5525 5522 -3
+ Partials 1691 1688 -3
|
willyborankin
force-pushed
the
config-update-permission
branch
3 times, most recently
from
b86635e to
55b2386
Compare
willyborankin
requested review from
cliu123,
cwperks,
DarshitChanpura,
davidlago,
peternied,
RyanL1997,
stephen-crawford and
reta
as code owners
peternied
reviewed
Sep 7, 2023
src/main/java/org/opensearch/security/OpenSearchSecurityPlugin.java
Outdated
Show resolved
Hide resolved
peternied
reviewed
Sep 7, 2023
src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
Outdated
Show resolved
Hide resolved
cwperks
reviewed
Sep 7, 2023
src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java
Outdated
Show resolved
Hide resolved
willyborankin
force-pushed
the
config-update-permission
branch
from
55b2386 to
ea39ed6
Compare
stephen-crawford
previously approved these changes
Sep 27, 2023
src/main/java/org/opensearch/security/dlic/rest/api/RestApiAdminPrivilegesEvaluator.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiAction.java
Outdated
Show resolved
Hide resolved
src/test/java/org/opensearch/security/dlic/rest/api/SecurityConfigApiActionTest.java
Show resolved
Hide resolved
src/test/java/org/opensearch/security/securityconf/SecurityRolesPermissionsTest.java
Show resolved
Hide resolved
Instead of SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION settings which we use to update security configuration a new permission was added: `restapi:admin/config/update`. Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin
force-pushed
the
config-update-permission
branch
from
ea39ed6 to
ef0a327
Compare
peternied
previously approved these changes
Oct 3, 2023
willyborankin
dismissed stale reviews from cwperks, peternied, and stephen-crawford
via
588814d
willyborankin
force-pushed
the
config-update-permission
branch
from
588814d to
18e7e9f
Compare
Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin
force-pushed
the
config-update-permission
branch
from
18e7e9f to
8281a1b
Compare
DarshitChanpura
approved these changes
Oct 4, 2023
cwperks
approved these changes
Oct 4, 2023
|
Hmmm BWC tests failed with an exception: Caused by: org.opensearch.index.engine.RecoveryEngineException: Phase[1] prepare target for translog failed
» at org.opensearch.indices.recovery.RecoverySourceHandler.lambda$prepareTargetForTranslog$22(RecoverySourceHandler.java:629) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.core.action.ActionListener$1.onFailure(ActionListener.java:90) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.core.action.ActionListener$4.onFailure(ActionListener.java:192) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.core.action.ActionListener$6.onFailure(ActionListener.java:311) ~[opensearch-core-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.action.support.RetryableAction$RetryingListener.onFinalFailure(RetryableAction.java:218) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.action.support.RetryableAction$RetryingListener.onFailure(RetryableAction.java:210) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.action.ActionListenerResponseHandler.handleException(ActionListenerResponseHandler.java:75) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.security.transport.SecurityInterceptor$RestoringTransportResponseHandler.handleException(SecurityInterceptor.java:402) ~[?:?]
» at org.opensearch.transport.TransportService$ContextRestoreResponseHandler.handleException(TransportService.java:1526) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.transport.InboundHandler.lambda$handleException$3(InboundHandler.java:421) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:849) ~[opensearch-3.0.0-SNAPSHOT.jar:3.0.0-SNAPSHOT]
» at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) ~[?:?]
» at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) ~[?:?]
» at java.lang.Thread.run(Thread.java:833) ~[?:?]So failures are note related. Something with CCR |
|
Created an issue #3456. |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-3264-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e4a1b77e9259c019a8ef4728495260468954d6af
# Push it to GitHub
git push --set-upstream origin backport/backport-3264-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.xThen, create a pull request where the |
|
Thanks for creating that issue @willyborankin - I've merged your change bypassing the BWC issues. I've got a PR that should merge shortly that will fix the issue in main. |
|
will prepare manual backport |
willyborankin
added a commit
to willyborankin/security
that referenced
this pull request
Oct 4, 2023
…nsearch-project#3264) Instead of setting `SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION` settings to update security configuration using `PATCH` or `PUT` a new permission was added: `restapi:admin/config/update`. So far I decided to keep this flag as it is due to a backward compatibility and log a deprecation message that these settings will be removed in the future. Maybe it is better to remove it completely. Besides, added the missed test for `SecurityConfigApiAction` Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit e4a1b77) Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin
added a commit
to willyborankin/security
that referenced
this pull request
Oct 4, 2023
…nsearch-project#3264) Instead of setting `SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION` settings to update security configuration using `PATCH` or `PUT` a new permission was added: `restapi:admin/config/update`. So far I decided to keep this flag as it is due to a backward compatibility and log a deprecation message that these settings will be removed in the future. Maybe it is better to remove it completely. Besides, added the missed test for `SecurityConfigApiAction` Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit e4a1b77) Signed-off-by: Andrey Pleskach <[email protected]>
willyborankin
added a commit
to willyborankin/security
that referenced
this pull request
Oct 4, 2023
…nsearch-project#3264) Instead of setting `SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATION` settings to update security configuration using `PATCH` or `PUT` a new permission was added: `restapi:admin/config/update`. So far I decided to keep this flag as it is due to a backward compatibility and log a deprecation message that these settings will be removed in the future. Maybe it is better to remove it completely. Besides, added the missed test for `SecurityConfigApiAction` Signed-off-by: Andrey Pleskach <[email protected]> (cherry picked from commit e4a1b77) Signed-off-by: Andrey Pleskach <[email protected]>
peternied
pushed a commit
that referenced
this pull request
Oct 5, 2023
…permission (#3264) (#3459) Backport e4a1b77 from #3264 Signed-off-by: Andrey Pleskach <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Instead of setting
SECURITY_UNSUPPORTED_RESTAPI_ALLOW_SECURITYCONFIG_MODIFICATIONsettings to update security configuration usingPATCHorPUTa new permission was added:restapi:admin/config/update.So far I decided to keep this flag as it is due to a backward compatibility and log a deprecation message that these settings will be removed in the future. Maybe it is better to remove it completely.
Besides, added the missed test for
SecurityConfigApiActionIssues Resolved
#2577
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.