Merge branch '2.x' into backport/backport-5092-to-2.x
Signed-off-by: Anan Zhuang <[email protected]>
ananzh authored Dec 13, 2023
2 parents 9f656ae + b14f5e8 commit 2ed434a
Showing 268 changed files with 2,742 additions and 16,045 deletions.
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
@@ -1 +1 @@
* @ananzh @kavilla @seanneumann @AMoo-Miki @ashwin-pc @joshuarrrr @abbyhu2000 @zengyan-amazon @kristenTian @zhongnansu @manasvinibs @ZilongX @Flyingliuhub @BSFishy
* @ananzh @kavilla @seanneumann @AMoo-Miki @ashwin-pc @joshuarrrr @abbyhu2000 @zengyan-amazon @kristenTian @zhongnansu @manasvinibs @ZilongX @Flyingliuhub @BSFishy @curq @bandinib-amzn @SuZhou-Joe
14 changes: 12 additions & 2 deletions .github/workflows/build_and_test_workflow.yml
Expand Up @@ -281,7 +281,7 @@ jobs:
- name: Build plugins
run: node scripts/build_opensearch_dashboards_platform_plugins --no-examples --workers 10 --scan-dir "./test/plugin_functional/plugins"

- name: Run functional plugin tests
- name: Run functional plugin tests
id: plugin-ftr-tests
run: node scripts/functional_tests.js --config test/plugin_functional/config.ts

Expand All @@ -308,6 +308,16 @@ jobs:
ext: tar.gz
suffix: linux-arm64
script: build-platform --linux-arm --skip-os-packages
- os: macos-latest
name: macOS x64
ext: tar.gz
suffix: darwin-x64
script: build-platform --darwin --skip-os-packages
- os: macos-latest
name: macOS ARM64
ext: tar.gz
suffix: darwin-arm64
script: build-platform --darwin-arm --skip-os-packages
- os: windows-latest
name: Windows x64
ext: zip
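Review bot: Both new matrix entries (`macOS x64` and `macOS ARM64`) set `os: macos-latest`, a floating label, so the runner image and CPU architecture behind these builds can change without any edit to this file, and which of `--darwin` / `--darwin-arm` ends up being a cross-build is not fixed. Consider pinning a specific macOS runner version for each entry so the `darwin-x64` and `darwin-arm64` artifacts are always produced on a known image.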
Expand Down Expand Up @@ -433,7 +443,7 @@ jobs:
id: verify-opensearch-exists
run: |
if curl -I -L ${{ env.OPENSEARCH_URL }}; then
echo "::set-output name=version-exists::true"
echo "name=version-exists::true" >> $GITHUB_OUTPUT
fi
- name: Skipping tests
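Review bot: The replacement line in `verify-opensearch-exists` keeps the old workflow-command syntax inside the new file format: `echo "name=version-exists::true" >> $GITHUB_OUTPUT` defines an output called `name` with the value `version-exists::true`, so `steps.verify-opensearch-exists.outputs.version-exists` is never set. `$GITHUB_OUTPUT` takes plain `key=value` lines; this should be `echo "version-exists=true" >> "$GITHUB_OUTPUT"`. Any later step gated on that output (the `Skipping tests` step directly below looks like one) will see an empty value.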
2 changes: 1 addition & 1 deletion .github/workflows/cypress_workflow.yml
Expand Up @@ -128,7 +128,7 @@ jobs:
- name: Get Cypress version
id: cypress_version
run: |
echo "::set-output name=cypress_version::$(cat ./${{ env.FTR_PATH }}/package.json | jq '.devDependencies.cypress' | tr -d '"')"
echo "name=cypress_version::$(cat ./${{ env.FTR_PATH }}/package.json | jq '.devDependencies.cypress' | tr -d '"')" >> $GITHUB_OUTPUT
- name: Cache Cypress
id: cache-cypress
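Review bot: In `Get Cypress version`, `echo "name=cypress_version::$(...)" >> $GITHUB_OUTPUT` writes an output named `name`, not `cypress_version`, because `$GITHUB_OUTPUT` takes plain `key=value` lines and the `name=...::` form belonged to the deprecated `::set-output` command. Use `echo "cypress_version=$(jq -r '.devDependencies.cypress' ./${{ env.FTR_PATH }}/package.json)" >> "$GITHUB_OUTPUT"`, which also drops the `cat` and `tr`. If the `Cache Cypress` step that follows builds its key from `steps.cypress_version.outputs.cypress_version`, that key currently loses its version component.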
133 changes: 108 additions & 25 deletions CHANGELOG.md

Large diffs are not rendered by default.

21 changes: 20 additions & 1 deletion DEVELOPER_GUIDE.md
Expand Up @@ -244,12 +244,19 @@ Options:
-E Additional key=value settings to pass to OpenSearch
--download-only Download the snapshot but don't actually start it
--ssl Sets up SSL on OpenSearch
--security Installs and sets up OpenSearch Security plugin on the cluster
--P OpenSearch plugin artifact URL to install it on the cluster.

```bash
$ yarn opensearch snapshot --version 2.2.0 -E cluster.name=test -E path.data=/tmp/opensearch-data --P org.opensearch.plugin:test-plugin:2.2.0.0 --P file:/home/user/opensearch-test-plugin-2.2.0.0.zip
$ yarn opensearch snapshot --version 2.2.0 -E cluster.name=test -E path.data=/tmp/opensearch-data --P org.opensearch.plugin:test-plugin:2.2.0.0 --P file:/home/user/opensearch-test-plugin-2.2.0.0.zip --security
```

#### Read Only capabilities

_This feature will only work if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled._

Please follow the design described in [the docs](https://github.com/opensearch-project/OpenSearch/blob/main/docs/capabilities/read_only_mode.md#design)

### Alternative - Run OpenSearch from tarball

If you would like to run OpenSearch from the tarball, you'll need to download the minimal distribution, install it, and then run the executable. (You'll also need Java installed and the `JAVA_HOME` environmental variable set - see [OpenSearch developer guide](https://github.com/opensearch-project/OpenSearch/blob/main/DEVELOPER_GUIDE.md#install-prerequisites) for details).
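Review bot: The link added under `#### Read Only capabilities` points at `opensearch-project/OpenSearch/blob/main/docs/capabilities/read_only_mode.md#design`, but this commit adds `docs/capabilities/read_only_mode.md` to this repository, not to OpenSearch. Use a relative link (`docs/capabilities/read_only_mode.md#design`) so it resolves on this branch. The heading would also read better as "Read-only capabilities" to match the title of the new document, and the `--security` option line should say "the OpenSearch Security plugin", as the CLI help text in `snapshot.js` does.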
Expand All @@ -267,6 +274,18 @@ This method can also be used to develop against the [full distribution of OpenSe

_This step is only mandatory if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled._

> 1. Run `export initialAdminPassword=<initial admin password>` since it's needed by the configuration script
> 2. Run `yarn opensearch snapshot --security`
> 3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up.
Then within another window. You can start:

> 1. Run `export OPENSEARCH_USERNAME=admin`
> 2. Run `export OPENSEARCH_PASSWORD=<initial admin password>`
> 3. Optional: Run `export OPENSEARCH_SECURITY_READONLY_ROLE=<read only role>`
> 4. Run `yarn start:security`
> 5. Navigate to OpenSearch Dashboards and login with the above username and password.
Once the bootstrap of OpenSearch Dashboards is finished, you need to apply some
changes to the default [`opensearch_dashboards.yml`](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml#L25-L72) in order to connect to OpenSearch.
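Review bot: Neither new blockquoted list is followed by a blank line, so `Then within another window. You can start:` and the existing `Once the bootstrap of OpenSearch Dashboards is finished, ...` paragraph become lazy continuations of the blockquote and will render inside list items 3 and 5. Add a blank line after each list and reword the fragment to something like "Then, in another terminal window:". It would also help to say what `OPENSEARCH_SECURITY_READONLY_ROLE` does, or link it to `docs/capabilities/read_only_mode.md`, since step 3 is the only place in this hunk where it is mentioned.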

3 changes: 3 additions & 0 deletions MAINTAINERS.md
Expand Up @@ -20,6 +20,9 @@ This document contains a list of maintainers in this repo. See [opensearch-proje
| Tao Liu | [Flyingliuhub](https://github.com/Flyingliuhub) | Amazon |
| Zilong Xia | [ZilongX](https://github.com/ZilongX) | Amazon |
| Matt Provost | [BSFishy](https://github.com/BSFishy) | Amazon |
| Sirazh Gabdullin | [curq](https://github.com/curq) | External contributor |
| Bandini Bhopi | [bandinib-amzn](https://github.com/bandinib-amzn) | Amazon |
| Su Zhou | [SuZhou-Joe](https://github.com/SuZhou-Joe) | Amazon |

## Emeritus

2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -14,7 +14,7 @@ We aim to be an exceptional community-driven platform and to foster open partici

You can [contribute to this project](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/CONTRIBUTING.md) by [opening issues](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/new/choose) to give feedback, share ideas, identify bugs, and contribute code.

Set up your [OpenSearch Dashboards development environment](ttps://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/DEVELOPER_GUIDE.md#getting-started-guide) today! The project team looks forward to your contributions.
Set up your [OpenSearch Dashboards development environment](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/DEVELOPER_GUIDE.md#getting-started-guide) today! The project team looks forward to your contributions.

## Code Summary

80 changes: 80 additions & 0 deletions docs/capabilities/read_only_mode.md
@@ -0,0 +1,80 @@
# Read-only Mode

There are two distinct functionalities for "read-only" access in Dashboards. One of them is associated with roles and one is associated with tenants. Regarding the first one, the Dashboards Security plugin contains a feature of hiding all plugin navigation links except Dashboards and Visualizations when the logged-in user has a certain role (more about it in [Read-only Role](#read-only-role)).

The second one is limiting Dashboards access rights via assigning a specific role to a tenant (therefore, making a tenant read-only). Due to past issues and the deprecation of the first functionality, using read-only tenants is now the recommended way to limit users' access to Dashboards.

## Design

Whenever a plugin registers capabilities that should be limited (in other words, set to false) for read-only tenants, such capabilities should be registered through `registerSwitcher` with using method `core.security.readonlyService().hideForReadonly()`

### Example

```ts
public setup(core: CoreSetup) {
core.capabilities.registerProvider({
myAwesomePlugin: {
show: true,
save: true,
delete: true,
}
});

core.capabilities.registerSwitcher(async (request, capabilites) => {
return await core.security.readonlyService().hideForReadonly(request, capabilites, {
myAwesomePlugin: {
save: false,
delete: false,
},
});
});
}
```

In this case, we might assume that a plugin relies on the `save` and `delete` capabilities to limit changes somewhere in the UI. Therefore, those capabilities are processed through `registerSwitcher`, they will be set to `false` whenever a read-only tenant is accessed.

If `registerSwitcher` will try to provide or remove capabilites when invoking the switcher will be ignored.

*In case of a disabled / not installed `security` plugin changes will be never applied to a capabilites.*

## Requirements

This feature will only work if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled.

## Read-only Role

The role is called `kibana_read_only` by default, but the name can be changed using the dashboard config option `opensearch_security.readonly_mode.roles`. One big issue with this feature is that the backend site of a Dashboard Security plugin is completely unaware of it. Thus, users in this mode still have write access to the Dashboards saved objects via the API as the implementation effectively hides everything except the Dashboards and Visualization plugins.

**We highly do not recommend using it!**

For more context, see [this group issues of problems connected with read-only roles](https://github.com/opensearch-project/security/issues/2701).

### Usage

1. Go to `Management > Security > Internal users`
2. Create or select an already existing user
3. Add a new `Backend role` called `kibana_read_only` (or use name used in `opensearch_security.readonly_mode.roles`)
4. Save changes

## Read-only Tenant (recommended)

Dashboards Security plugin recognizes the selection of read-only tenant after logging in and sets the capabilities associated with write access or showing write controls to false for a variety of plugins. This can be easily checked for example by trying to re-arrange some visualizations on Dashboards. Such action will be resulting in a 403 error due to limited read-only access.

### Usage

1. Prepare tenant:
* Use an existing tenant or create a new one in `Management > Security > Tenants`
2. Prepare role:
* Go to `Management > Security > Roles`
* Use an existing role or create a new one
* Fill **index permissions** with:
* `indices:data/read/search`
* `indices:data/read/get`
* Add new **tenant permission** with:
* your name of the tenant
* read only
3. Assign a role to a user:
* Go to role
* Click the tab `Mapped users`
* Click `Manage mapping`
* In `Users` select the user that will be affected
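Review bot: The Design section should state what actually enforces the switched-off capabilities. The example says the plugin uses `save` and `delete` "to limit changes somewhere in the UI", while the Read-only Role section further down documents that UI-only hiding leaves write access through the saved objects API; plugin authors need to know whether `hideForReadonly` gives them server-side protection or whether their own routes must check the capabilities as well. Separately, the sentence "If `registerSwitcher` will try to provide or remove capabilites when invoking the switcher will be ignored." does not parse and needs rewriting by someone who knows the intended contract. `capabilites` should be `capabilities` throughout, including the parameter name in the example, and "We highly do not recommend using it!" would read better as "We strongly recommend against using it."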
12 changes: 7 additions & 5 deletions package.json
Expand Up @@ -62,6 +62,7 @@
"build": "scripts/use_node scripts/build --all-platforms",
"start": "scripts/use_node scripts/opensearch_dashboards --dev",
"start:docker": "scripts/use_node scripts/opensearch_dashboards --dev --opensearch.hosts=$OPENSEARCH_HOSTS --opensearch.ignoreVersionMismatch=true --server.host=$SERVER_HOST",
"start:security": "scripts/use_node scripts/opensearch_dashboards --dev --security",
"debug": "scripts/use_node --nolazy --inspect scripts/opensearch_dashboards --dev",
"debug-break": "scripts/use_node --nolazy --inspect-brk scripts/opensearch_dashboards --dev",
"lint": "yarn run lint:es && yarn run lint:style",
Expand Down Expand Up @@ -105,7 +106,8 @@
"**/set-value": "^4.1.0",
"**/xml2js": "^0.5.0",
"**/yaml": "^2.2.2",
"**/eslint-plugin-mocha-next/mocha": "npm:mocha@^10.1.0"
"**/eslint-plugin-mocha-next/mocha": "npm:mocha@^10.1.0",
"**/@babel/traverse": "^7.23.2"
},
"workspaces": {
"packages": [
Expand Down Expand Up @@ -229,10 +231,10 @@
"yauzl": "^2.10.0"
},
"devDependencies": {
"@babel/core": "^7.16.5",
"@babel/parser": "^7.16.6",
"@babel/register": "^7.16.5",
"@babel/types": "^7.16.0",
"@babel/core": "^7.22.9",
"@babel/parser": "^7.22.9",
"@babel/register": "^7.22.9",
"@babel/types": "^7.22.9",
"@elastic/apm-rum": "^5.6.1",
"@elastic/charts": "31.1.0",
"@elastic/ems-client": "7.10.0",
2 changes: 1 addition & 1 deletion packages/osd-analytics/babel.config.js
Expand Up @@ -30,7 +30,7 @@

// We can't use common OpenSearch Dashboards presets here because of babel versions incompatibility
module.exports = {
plugins: ['@babel/plugin-proposal-class-properties'],
plugins: ['@babel/plugin-transform-class-properties'],
env: {
web: {
presets: ['@osd/babel-preset/webpack_preset'],
2 changes: 1 addition & 1 deletion packages/osd-analytics/package.json
Expand Up @@ -14,7 +14,7 @@
"osd:watch": "../../scripts/use_node scripts/build --source-maps --watch"
},
"devDependencies": {
"@babel/cli": "^7.16.0",
"@babel/cli": "^7.22.9",
"@osd/dev-utils": "1.0.0",
"@osd/babel-preset": "1.0.0",
"typescript": "4.0.2"
19 changes: 6 additions & 13 deletions packages/osd-babel-preset/common_preset.js
Expand Up @@ -29,30 +29,23 @@
*/

const plugins = [
'@babel/plugin-transform-class-properties',
'@babel/plugin-transform-private-methods',
require.resolve('babel-plugin-add-module-exports'),

// The class properties proposal was merged with the private fields proposal
// into the "class fields" proposal which is stage 3.
// See https://github.com/babel/proposals/issues/12 for progress
require.resolve('@babel/plugin-proposal-class-properties'),

// Optional Chaining proposal is stage 4 (https://github.com/tc39/proposal-optional-chaining)
// Need this since we are using TypeScript 3.7+
require.resolve('@babel/plugin-proposal-optional-chaining'),
require.resolve('@babel/plugin-transform-optional-chaining'),
// Nullish coalescing proposal is stage 4 (https://github.com/tc39/proposal-nullish-coalescing)
// Need this since we are using TypeScript 3.7+
require.resolve('@babel/plugin-proposal-nullish-coalescing-operator'),
require.resolve('@babel/plugin-transform-nullish-coalescing-operator'),

// Proposal is merged into ECMA-262 (https://github.com/tc39/proposal-export-ns-from)
// Need this since we are using TypeScript 3.8+
require.resolve('@babel/plugin-proposal-export-namespace-from'),

// Proposal is merged into ECMA-262 (https://github.com/tc39/proposal-export-ns-from)
// Need this since we are using TypeScript 3.9+
require.resolve('@babel/plugin-proposal-private-methods'),
require.resolve('@babel/plugin-transform-export-namespace-from'),

// Proposal is on stage 4 (https://github.com/tc39/proposal-logical-assignment)
require.resolve('@babel/plugin-proposal-logical-assignment-operators'),
require.resolve('@babel/plugin-transform-logical-assignment-operators'),
];

module.exports = {
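Review bot: The two plugins added at the top of `plugins`, `'@babel/plugin-transform-class-properties'` and `'@babel/plugin-transform-private-methods'`, are bare strings while every other entry in the array goes through `require.resolve(...)`. Use the same form for both so all plugins are resolved the same way from this package. The comment explaining the class fields proposal was deleted along with the `proposal-class-properties` entry; the new entries should carry a short comment like their neighbours do.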
16 changes: 7 additions & 9 deletions packages/osd-babel-preset/package.json
Expand Up @@ -7,15 +7,13 @@
"devOnly": true
},
"dependencies": {
"@babel/plugin-proposal-class-properties": "^7.16.5",
"@babel/plugin-proposal-export-namespace-from": "^7.16.5",
"@babel/plugin-proposal-logical-assignment-operators": "^7.16.5",
"@babel/plugin-proposal-nullish-coalescing-operator": "^7.16.5",
"@babel/plugin-proposal-optional-chaining": "^7.16.5",
"@babel/plugin-proposal-private-methods": "^7.16.5",
"@babel/preset-env": "^7.16.5",
"@babel/preset-react": "^7.16.5",
"@babel/preset-typescript": "^7.16.5",
"@babel/plugin-transform-export-namespace-from": "^7.22.9",
"@babel/plugin-transform-logical-assignment-operators": "^7.22.9",
"@babel/plugin-transform-nullish-coalescing-operator": "^7.22.9",
"@babel/plugin-transform-optional-chaining": "^7.22.9",
"@babel/preset-env": "^7.22.9",
"@babel/preset-react": "^7.22.9",
"@babel/preset-typescript": "^7.22.9",
"babel-plugin-add-module-exports": "^1.0.4",
"babel-plugin-styled-components": "^2.0.2",
"babel-plugin-transform-react-remove-prop-types": "^0.4.24",
Expand Down
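Review bot: `common_preset.js` now loads `@babel/plugin-transform-class-properties` and `@babel/plugin-transform-private-methods`, but this `dependencies` hunk removes the two `proposal-*` packages they replace without adding the `transform-*` ones. Only the export-namespace-from, logical-assignment-operators, nullish-coalescing-operator and optional-chaining replacements are declared, so the other two resolve only if some other package happens to bring them in. Add both at `^7.22.9` alongside the rest.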
2 changes: 1 addition & 1 deletion packages/osd-dev-utils/package.json
Expand Up @@ -13,7 +13,7 @@
"devOnly": true
},
"dependencies": {
"@babel/core": "^7.16.5",
"@babel/core": "^7.22.9",
"@osd/utils": "1.0.0",
"axios": "^0.27.2",
"chalk": "^4.1.0",
Expand Up @@ -15,7 +15,7 @@
"dependencies": {
"debug": "^2.6.9",
"eslint-import-resolver-node": "0.3.2",
"eslint-import-resolver-webpack": "0.11.1",
"eslint-import-resolver-webpack": "0.13.8",
"glob-all": "^3.2.1",
"lru-cache": "^4.1.5",
"resolve": "^1.7.1",
4 changes: 2 additions & 2 deletions packages/osd-i18n/package.json
Expand Up @@ -7,8 +7,8 @@
"license": "Apache-2.0",
"private": true,
"devDependencies": {
"@babel/cli": "^7.16.0",
"@babel/core": "^7.16.5",
"@babel/cli": "^7.22.9",
"@babel/core": "^7.22.9",
"@osd/babel-preset": "1.0.0",
"@osd/dev-utils": "1.0.0",
"@types/intl-relativeformat": "^2.1.0",
10 changes: 5 additions & 5 deletions packages/osd-interpreter/package.json
Expand Up @@ -9,16 +9,16 @@
"osd:watch": "../../scripts/use_node scripts/build --dev --watch"
},
"dependencies": {
"@babel/runtime": "^7.16.5",
"@babel/runtime": "^7.22.9",
"@osd/i18n": "1.0.0",
"lodash": "^4.17.21",
"uuid": "3.3.2"
},
"devDependencies": {
"@babel/cli": "^7.16.0",
"@babel/core": "^7.16.5",
"@babel/plugin-transform-modules-commonjs": "^7.16.5",
"@babel/plugin-transform-runtime": "^7.16.5",
"@babel/cli": "^7.22.9",
"@babel/core": "^7.22.9",
"@babel/plugin-transform-modules-commonjs": "^7.22.9",
"@babel/plugin-transform-runtime": "^7.22.9",
"@osd/babel-preset": "1.0.0",
"@osd/dev-utils": "1.0.0",
"babel-loader": "^8.2.3",
2 changes: 1 addition & 1 deletion packages/osd-opensearch/package.json
Expand Up @@ -29,7 +29,7 @@
},
"devDependencies": {
"@osd/babel-preset": "1.0.0",
"@babel/cli": "^7.16.0",
"@babel/cli": "^7.22.9",
"del": "^6.1.1"
}
}
7 changes: 7 additions & 0 deletions packages/osd-opensearch/src/cli_commands/snapshot.js
Expand Up @@ -49,6 +49,7 @@ exports.help = (defaults = {}) => {
-E Additional key=value settings to pass to OpenSearch
--download-only Download the snapshot but don't actually start it
--ssl Sets up SSL on OpenSearch
--security Installs and sets up the OpenSearch Security plugin on the cluster
--P OpenSearch plugin artifact URL to install it on the cluster. We can use the flag multiple times
to install multiple plugins on the cluster snapshot. The argument value can be url to zip file, maven coordinates of the plugin
or for local zip files, use file:<followed by the absolute or relative path to the plugin zip file>.
Expand All @@ -74,6 +75,8 @@ exports.run = async (defaults = {}) => {

boolean: ['download-only'],

boolean: ['security'],

default: defaults,
});
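Review bot: `boolean: ['security'],` is added as a second `boolean` key in the same options object as `boolean: ['download-only'],`. In an object literal the later key replaces the earlier one, so `download-only` is no longer declared as a boolean flag once this lands. Merge the two into one entry: `boolean: ['download-only', 'security'],`.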

Expand All @@ -91,6 +94,10 @@ exports.run = async (defaults = {}) => {
await cluster.installOpenSearchPlugins(installPath, options.opensearchPlugins);
}

if (options.security) {
await cluster.setupSecurity(installPath, options.version ?? defaults.version);
}

options.bundledJDK = true;

await cluster.run(installPath, options);