Revert "refactor: remove dashboard admin implementation (opensearch-p…
…roject#159)"

This reverts commit 47e10e4.
SuZhou-Joe committed Mar 14, 2024
1 parent 9c0dcd2 commit bb3d90b
Showing 3 changed files with 50 additions and 1 deletion.
4 changes: 4 additions & 0 deletions config/opensearch_dashboards.yml
Expand Up @@ -283,3 +283,7 @@

# Set the value to true to enable workspace feature
# workspace.enabled: false

# Set the backend roles, whoever has the backend roles defined in this config will be regard as dashboard admin.
# Dashboard admin will have the access to all the workspaces and objects inside OpenSearch Dashboards.
# workspace.dashboardAdmin.backendRoles: ["dashboard_admin"]
12 changes: 12 additions & 0 deletions src/plugins/workspace/config.ts
Expand Up @@ -10,6 +10,18 @@ export const configSchema = schema.object({
permission: schema.object({
enabled: schema.boolean({ defaultValue: true }),
}),
dashboardAdmin: schema.object(
{
backendRoles: schema.arrayOf(schema.string(), {
defaultValue: ['dashboard_admin'],
}),
},
{
defaultValue: {
backendRoles: ['dashboard_admin'],
},
}
),
});

export type ConfigSchema = TypeOf<typeof configSchema>;
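Review bot: The `defaultValue` of `['dashboard_admin']` on `dashboardAdmin.backendRoles` makes the admin bypass active on every install that leaves the key unset, even though the sample line added to `config/opensearch_dashboards.yml` is commented out and reads as opt-in. Any principal carrying a backend role with that literal name would then be treated as dashboard admin, which the YAML comment describes as access to all workspaces and objects. Consider an empty default, `defaultValue: []` on the array and `backendRoles: []` on the enclosing object, so operators grant the role deliberately; if the default has to stay, the YAML comment should state that it applies when the key is absent. The default is also declared twice (on the array and on the object), and the two copies can drift apart.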
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@

import { i18n } from '@osd/i18n';
import { intersection } from 'lodash';
import { Observable } from 'rxjs';
import { first } from 'rxjs/operators';

import {
OpenSearchDashboardsRequest,
Expand Down Expand Up @@ -34,6 +36,7 @@ import {
import { SavedObjectsPermissionControlContract } from '../permission_control/client';
import { getPrincipalsFromRequest } from '../utils';
import { WORKSPACE_SAVED_OBJECTS_CLIENT_WRAPPER_ID } from '../../common/constants';
import { ConfigSchema } from '../../config';

// Can't throw unauthorized for now, the page will be refreshed if unauthorized
const generateWorkspacePermissionError = () =>
Expand All @@ -56,6 +59,7 @@ const generateSavedObjectsPermissionError = () =>

export class WorkspaceSavedObjectsClientWrapper {
private getScopedClient?: SavedObjectsServiceStart['getScopedClient'];
private config?: ConfigSchema;
private formatWorkspacePermissionModeToStringArray(
permission: WorkspacePermissionMode | WorkspacePermissionMode[]
): string[] {
Expand Down Expand Up @@ -128,6 +132,14 @@ export class WorkspaceSavedObjectsClientWrapper {
return false;
};

private isDashboardAdmin(request: OpenSearchDashboardsRequest): boolean {
const config = this.config || ({} as ConfigSchema);
const principals = getPrincipalsFromRequest(request);
const adminBackendRoles = config?.dashboardAdmin?.backendRoles || [];
const matchAny = principals?.groups?.some((item) => adminBackendRoles.includes(item)) || false;
return matchAny;
}

/**
* check if the type include workspace
* Workspace permission check is totally different from object permission check.
Expand Down Expand Up @@ -528,6 +540,12 @@ export class WorkspaceSavedObjectsClientWrapper {
return await wrapperOptions.client.deleteByWorkspace(workspace, options);
};

const isDashboardAdmin = this.isDashboardAdmin(wrapperOptions.request);

if (isDashboardAdmin) {
return wrapperOptions.client;
}

return {
...wrapperOptions.client,
get: getWithWorkspacePermissionControl,
Expand All @@ -547,5 +565,20 @@ export class WorkspaceSavedObjectsClientWrapper {
};
};

constructor(private readonly permissionControl: SavedObjectsPermissionControlContract) {}
constructor(
private readonly permissionControl: SavedObjectsPermissionControlContract,
private readonly options: {
config$: Observable<ConfigSchema>;
}
) {
this.options.config$.subscribe((config) => {
this.config = config;
});
this.options.config$
.pipe(first())
.toPromise()
.then((config) => {
this.config = config;
});
}
}
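Review bot: In the wrapper factory, `if (isDashboardAdmin) { return wrapperOptions.client; }` hands back the unwrapped client, so every workspace and object permission check in this class is skipped on the strength of a string match between `principals.groups` and the configured backend roles, and nothing records that the bypass was taken. Whether `getPrincipalsFromRequest` derives `groups` only from the authenticated session is not visible here; that assumption deserves a comment on `isDashboardAdmin`, e.g. `// Grants a full bypass of workspace permission control; principals must come from verified auth state, never client-supplied input.` A log entry at the bypass would give operators a trail for admin-level access. Separately, the new constructor reads `config$` twice: the `subscribe` already covers the first emission, so the `pipe(first()).toPromise().then(...)` chain looks redundant, and neither subscription has error handling or teardown. The enclosing class and factory start outside the visible hunks.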
