Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Check for and perform upgrades on security configurations #4102

Merged
merged 23 commits into from
Mar 20, 2024
Merged

[Feature] Check for and perform upgrades on security configurations #4102

merged 23 commits into from
Mar 20, 2024

Conversation

peternied
Copy link
Member

@peternied peternied commented Mar 8, 2024
edited
Loading

Description

This adds a new API that allows for checking and updating configurations from the default configurations on disk. Initial feature supports only Roles.

Response when no upgrade is available

GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : false
}

Response when a new role is available

GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : true,
  "upgradeActions" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ]
    }
  }
}

Response when a new role + existing role were updated

GET _plugins/_security/api/_upgrade_check
200 {
  "status": "ok",
  "upgradeAvailable" : true,
  "upgradeActions" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ],
      "modify" : [ "flow_framework_read_access" ]
    }
  }
}

Perform an upgrade

POST _plugins/_security/api/_upgrade_perform
200 {
  "status" : "OK",
  "upgrades" : {
    "roles" : {
      "add" : [ "flow_framework_full_access" ],
      "modify" : [ "flow_framework_read_access" ]
    }
  }
}

Perform an upgrade when unneeded

POST _plugins/_security/api/_upgrade_perform
400 {
   "status": "BAD_REQUEST",
   "message": "Unable to upgrade, no differences found in 'roles' config"
}

Issues Resolved

Testing

New unit test and integration test cases

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

peternied and others added 17 commits February 23, 2024 22:56
@peternied
Start making a reserved role handler
3ccf38b 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Starting to read the file from disk
7fb4bea 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Functional diff
745eeb7 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Functional upgrade check
c8db0ec 
Signed-off-by: Peter Nied <[email protected]>
@peternied
[Cherry-Pick] Configuration Type improvements from 'willyborankin/ini…
dd099be 
…t-index-on-managed-node'

Signed-off-by: Andrey Pleskach <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
@peternied
Cleaning up
20acbba 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Functional upgrade check
cafb776 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Remove unneed deep copies
d2843cf 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Upgrade with tests
5db53a9 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Spotless formatting
1c0f623 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Add more stuff
051ed7e 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Spotless
a064136 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Clean up integration test
f92c510 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Clean up changes around ValidationResult
30d6bfc 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Found out the configuration changes weren't actually pushed
3a1e1ff 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Make sure upgraded configs are commited
0a77c17 
Signed-off-by: Peter Nied <[email protected]>
@peternied
Tests
7bec1f6 
Signed-off-by: Peter Nied <[email protected]>
@peternied peternied changed the title Check for and perform upgrades on security configurations [Feature] Check for and perform upgrades on security configurations Mar 8, 2024
@peternied
Clean up tests
ddc04e5 
Signed-off-by: Peter Nied <[email protected]>
@peternied peternied mentioned this pull request Mar 8, 2024
Closed
4 tasks
@peternied
Spotless fix
c906ac1 
Signed-off-by: Peter Nied <[email protected]>
cwperks
cwperks reviewed Mar 14, 2024
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @peternied. This PR looks good to me. I left one minor comment on the integration test about strengthening the assertions post upgrade.

stephen-crawford
stephen-crawford previously approved these changes Mar 14, 2024
View reviewed changes
Copy link
Contributor

@stephen-crawford stephen-crawford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good. Just two minor comments

src/integrationTest/resources/roles.yml Show resolved Hide resolved
src/test/java/org/opensearch/security/dlic/rest/api/ConfigUpgradeApiActionUnitTest.java Show resolved Hide resolved
cwperks
cwperks previously approved these changes Mar 18, 2024
View reviewed changes
Copy link
Member

@cwperks cwperks left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for adding an additional assertion. This looks good to me.

@peternied
Copy link
Member Author

@DarshitChanpura @cwperks @scrawfor99 I've resolved all comment threads, could you take another look?

@DarshitChanpura DarshitChanpura merged commit fa877ba into opensearch-project:main Mar 20, 2024
82 checks passed
@DarshitChanpura DarshitChanpura added backport 2.x backport to 2.x branch v2.13.0 Issues targeting release v2.13.0 backport 2.13 backport to 2.13 branch labels Mar 20, 2024
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.13 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.13 2.13
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.13
# Create a new branch
git switch --create backport/backport-4102-to-2.13
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 fa877babe3dac13c30bcc2bcbe4d484bcdb6101f
# Push it to GitHub
git push --set-upstream origin backport/backport-4102-to-2.13
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.13

Then, create a pull request where the base branch is 2.13 and the compare/head branch is backport/backport-4102-to-2.13.

@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/security/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/security/backport-2.x
# Create a new branch
git switch --create backport/backport-4102-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 fa877babe3dac13c30bcc2bcbe4d484bcdb6101f
# Push it to GitHub
git push --set-upstream origin backport/backport-4102-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/security/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4102-to-2.x.

@willyborankin willyborankin mentioned this pull request Apr 15, 2024
Merged
@peternied peternied deleted the upgrade-roles branch April 15, 2024 18:02
@peternied peternied added v2.14.0 Issues and PRs related to version 2.14.0 and removed v2.13.0 Issues targeting release v2.13.0 backport 2.13 backport to 2.13 branch labels Apr 15, 2024
@peternied peternied mentioned this pull request May 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@cwperks cwperks cwperks approved these changes

@stephen-crawford stephen-crawford stephen-crawford left review comments

@cliu123 cliu123 Awaiting requested review from cliu123

@davidlago davidlago Awaiting requested review from davidlago

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch v2.14.0 Issues and PRs related to version 2.14.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@peternied @cwperks @DarshitChanpura @stephen-crawford