[Workspace]Add permission control logic for workspace #6052

Conversation

wanglam
Contributor

@wanglam wanglam commented Mar 6, 2024

Description

This PR adds permission control logic for workspace. It includes the changes below:

  1. Add savedObjects.permission to global config object
  2. Add permissions field in workspace create and update API
  3. Consume workspaces in repository get method
  4. Add ACLSearchParams and workspaceSearchOperator to repository find method
  5. Add permission control client and workspace saved object client wrapper

Issues Resolved

closes #6051

Screenshot

Testing the changes

Write unit tests and integration tests for workspace saved object client wrapper.

Test instructions

Since all these changes are on the server side, we need to call these APIs manually to verify that permission control works fine.
There are two types of saved objects in permission control. The first one is a saved object with a workspaces property; the other one is a saved object with a permissions property. In this test instruction, we will use a workspace type saved object to verify permission control when it has a permissions property, and a dashboard type saved object to verify permission control when it has a workspaces property. If a saved object has a workspaces property, the permission control logic will check whether the user has the related permissions to the workspaces. Then, if it has a permissions property, it will do the permission validation on the permissions property.

savedObjects.permission.enabled: true
workspace.enabled: true

To run all the tests below, add the above flags to opensearch_dashboards.yml and install security-dashboards-plugin. Two internal users will be used in the following tests. Here are the user details:

  • user1:
    username: admin, password: myStrongPassword123!, backend-roles: admin
  • user2:
    username: another-user, password: myStrongPassword123!, backend-roles: kibanauser

The admin user is not a specific user here; the whole permission control process is the same as for a normal user.
We will add authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE= to the curl command to simulate the admin user and add authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh to simulate another-user.
After the environment is ready and the users are created, we can start to test the permission control feature.

Create workspace

This step creates a test workspace for the following test cases. Run the workspace create API below.

curl 'http://localhost:5601/api/workspaces' \
  -X 'POST' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'Content-Type: application/json' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'osd-version: 3.0.0' \
  --data-raw '{"attributes":{"name":"admin-only-workspace"}}' \
  --compressed

Here is an example response; the workspace will be created. It returns a workspace id, which can be used in the following steps.

{"success":true,"result":{"id":"GVnXDv"}}

GVnXDv is the workspace id. Since the workspace was created by the admin user, that user will be assigned library_write and write permission to the workspace. The another-user doesn't have this permission; we can try to get this workspace with the command below.

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Trying to get the workspace with another-user will respond with {"success":false,"error":"Invalid saved objects permission"}.

create in permitted workspace

curl 'http://localhost:5601/api/saved_objects/dashboard' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin","hits":0,"description":"","panelsJSON":"[]","optionsJSON":"{\"useMargins\":true,\"hidePanelTitles\":false}","version":1,"timeRestore":false,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}},"references":[],"workspaces":["GVnXDv"]}' \
  --compressed

The above command creates a dashboard in the admin-only-workspace. The admin user has library_write permission in the workspace, so the create operation will succeed. The response dashboard id is 87af5db0-dc52-11ee-acaf-4d315f971049; we can try to get / update / delete this ID in the next tests.

create in not permitted workspace

curl 'http://localhost:5601/api/saved_objects/dashboard' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin"},"workspaces":["GVnXDv"]}' \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid workspace permission"}

The above command tries to create a dashboard in the admin-only-workspace. The another-user user doesn't have library_write permission in the workspace, so the create operation will fail. This shows that permission control for saved objects works as expected.

create with overwrite

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049?overwrite=true' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin"}}' \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This is another case: the another-user user wants to overwrite an existing saved object. It seems the user doesn't have permission to the dashboard's workspaces and doesn't have permission to the dashboard saved object itself. The operation was denied.

bulkCreate in permitted workspace

curl 'http://localhost:5601/api/saved_objects/_bulk_create?workspaces=GVnXDv' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

The above command will succeed; it will create a dashboard saved object in admin-only-workspace. We can write down the dashboard id fffe5ab0-dc83-11ee-9093-372beb25d7b4, which can then be used in the bulkGet method.

bulkCreate in not permitted workspace

curl 'http://localhost:5601/api/saved_objects/_bulk_create?workspaces=GVnXDv' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

The above command will fail. another-user doesn't have library_write permission in admin-only-workspace, so it can't create saved objects in the workspace.

bulkCreate with override

curl 'http://localhost:5601/api/saved_objects/_bulk_create?overwrite=true' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-test-dashboard-admin"}}]' \
  --compressed

The above command will fail. another-user doesn't have permission to the existing saved objects, so the overwrite operation will be denied.

get permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The admin user has library_write permission to the dashboard saved object's workspace. The API returns the dashboard object.

get not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The another-user user doesn't have any permission to the dashboard saved object's workspace or to the object itself. The API will respond with an error.

get permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Since workspace is a hidden type in saved objects, it doesn't support calling the saved object get API directly. We need to call the workspace get API instead. This will succeed, since the admin user has the related permission.

get not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

This command will fail. The workspace type saved object has a permissions property, which stores the permitted users. The another-user isn't in it, so the get API call will fail.

bulk get permitted dashboard

curl 'http://localhost:5601/api/saved_objects/_bulk_get' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4"}]' \
  --compressed

This command will succeed; it will return the dashboards created in the bulk create method.

bulk get not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/_bulk_get' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4"}]' \
  --compressed

Response:

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This command will fail; the another-user doesn't have permission to the related saved objects.

find all permitted workspaces

Since workspace is a hidden saved object, we can't call the saved objects API directly. Call the workspace list API instead.

  • For admin
curl 'http://localhost:5601/api/workspaces/_list' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{}' \
  --compressed

The above command will list all permitted workspaces for the admin user. They will include admin-only-workspace.

  • For another-user
curl 'http://localhost:5601/api/workspaces/_list' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{}' \
  --compressed

The above command will list all permitted workspaces for the another-user user. They won't include admin-only-workspace.

find all permitted saved objects in specific workspaces

curl 'http://localhost:5601/api/saved_objects/_find?workspaces=GVnXDv&type=dashboard' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The admin user has permission to admin-only-workspace, so this find API will return all dashboard saved objects inside admin-only-workspace.

find saved objects in not permitted workspaces

curl 'http://localhost:5601/api/saved_objects/_find?workspaces=GVnXDv&type=dashboard' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

The another-user user doesn't have permission to admin-only-workspace, so this find API call will fail.

update permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'PUT' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin-new"}}' \
  --compressed

This command should succeed, since the update dashboard API is called by a permitted user.

update not permitted dashboards

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'PUT' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  -H 'Content-Type: application/json' \
  --data-raw '{"attributes":{"title":"test-dashboard-admin-new"}}' \
  --compressed

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

This command should fail: another-user doesn't have library_write permission to the workspace. The update operation should be denied.

update permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'PUT' \
 -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 -H 'Content-Type: application/json' \
 --data-raw '{"attributes":{"name":"admin-only-workspace-new-new"},"permissions": {"write": {"users": ["admin"]},"library_write": {"users": ["admin"]}}}' \
 --compressed

This command should succeed: the workspace type saved object has a permissions property, and the admin is in the write principals list.

update not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'PUT' \
 -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 -H 'Content-Type: application/json' \
 --data-raw '{"attributes":{"name":"admin-only-workspace-new"}}' \
 --compressed

This command should fail: the another-user doesn't have the corresponding write permission in the workspace type saved object.

bulk update in permitted dashboards

curl 'http://localhost:5601/api/saved_objects/_bulk_update' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-update-dashboard"}}]' \
  --compressed

This command will succeed. The admin user has library_write permission to every saved object's workspace. It will return the updated dashboards.

bulk update in not permitted dashboards

curl 'http://localhost:5601/api/saved_objects/_bulk_update' \
  -X 'PUT' \
  -H 'Content-Type: application/json' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --data-raw '[{"type":"dashboard","id":"fffe5ab0-dc83-11ee-9093-372beb25d7b4","attributes":{"title":"bulk-update-dashboard"}}]' \
  --compressed

This command will fail. The another-user user doesn't have library_write permission to every saved object's workspace.

delete not permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'DELETE' \
  -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{"statusCode":403,"error":"Forbidden","message":"Invalid saved objects permission"}

delete permitted dashboard

curl 'http://localhost:5601/api/saved_objects/dashboard/87af5db0-dc52-11ee-acaf-4d315f971049' \
  -X 'DELETE' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{}

delete not permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
 -X 'DELETE' \
 -H 'authorization: Basic YW5vdGhlci11c2VyOm15U3Ryb25nUGFzc3dvcmQxMjMh' \
 -H 'osd-version: 3.0.0' \
 -H 'osd-xsrf: osd-fetch' \
 --compressed

Response

{"success":false,"error":"Invalid saved objects permission"}

delete permitted workspace

curl 'http://localhost:5601/api/workspaces/GVnXDv' \
  -X 'DELETE' \
  -H 'authorization: Basic YWRtaW46bXlTdHJvbmdQYXNzd29yZDEyMyE=' \
  -H 'osd-version: 3.0.0' \
  -H 'osd-xsrf: osd-fetch' \
  --compressed

Response

{"success":true,"result":true}

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
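
The following script is an added example, not part of this PR or of the project: it replays a subset of the curl cases from the description and checks each outcome. The function names and the BASE_URL and RUN_LIVE variables are assumptions. Denial detection relies only on the response bodies shown in this thread, and a success:false that is not a permission message (such as the strict-mapping error reported later in the thread) counts as a setup error, so a broken environment cannot make a negative test pass.

```sh
#!/bin/sh
# Added example, not part of the PR. Assumes the setup from the description:
# OSD on localhost:5601, users admin and another-user, both flags enabled.
BASE_URL="${BASE_URL:-http://localhost:5601}"
PASSWORD='myStrongPassword123!'   # test-only password from the description

# Value of the authorization header for HTTP Basic auth.
basic_auth() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# classify STATUS BODY -> allowed | denied | error
# Saved object routes deny with statusCode 403; workspace routes deny with
# {"success":false,"error":"Invalid ... permission"}. Any other success:false
# is an environment or request problem, not an authorization decision.
classify() {
  if [ "$1" = "403" ] ||
     printf '%s' "$2" | grep -Eq '"statusCode"[[:space:]]*:[[:space:]]*403'; then
    echo denied
  elif printf '%s' "$2" | grep -Eq '"success"[[:space:]]*:[[:space:]]*false'; then
    if printf '%s' "$2" | grep -Eq 'Invalid (saved objects|workspace) permission'; then
      echo denied
    else
      echo error
    fi
  else
    case "$1" in
      2??) echo allowed ;;
      *)   echo error ;;
    esac
  fi
}

# Pull the workspace id out of a create response such as
# {"success":true,"result":{"id":"GVnXDv"}}.
extract_id() {
  printf '%s\n' "$1" | sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# run_case NAME USER EXPECTED METHOD PATH [JSON_BODY]
# Sends one request, stores the body in LAST_BODY and counts mismatches.
run_case() {
  rc_name="$1"; rc_user="$2"; rc_expected="$3"
  rc_method="$4"; rc_path="$5"; rc_data="${6:-}"
  rc_tmp="$(mktemp)"
  set -- -s -o "$rc_tmp" -w '%{http_code}' -X "$rc_method" \
    -H "authorization: $(basic_auth "$rc_user" "$PASSWORD")" \
    -H 'osd-xsrf: osd-fetch' -H 'osd-version: 3.0.0' \
    -H 'Content-Type: application/json'
  if [ -n "$rc_data" ]; then set -- "$@" --data-raw "$rc_data"; fi
  rc_status="$(curl "$@" "$BASE_URL$rc_path")" || rc_status=000
  LAST_BODY="$(cat "$rc_tmp")"; rm -f "$rc_tmp"
  rc_actual="$(classify "$rc_status" "$LAST_BODY")"
  if [ "$rc_actual" = "$rc_expected" ]; then
    echo "PASS  $rc_name as $rc_user: $rc_actual"
  else
    echo "FAIL  $rc_name as $rc_user: expected $rc_expected, got $rc_actual (HTTP $rc_status)"
    FAILURES=$((FAILURES + 1))
  fi
}

# Subset of the matrix: every allowed call by admin is paired with the same
# call by another-user, which must be denied.
run_matrix() {
  FAILURES=0
  run_case 'create workspace' admin allowed POST /api/workspaces \
    '{"attributes":{"name":"admin-only-workspace"}}'
  ws="$(extract_id "$LAST_BODY")"
  if [ -z "$ws" ]; then echo 'no workspace id returned, aborting'; return 1; fi
  run_case 'get workspace' admin allowed GET "/api/workspaces/$ws"
  run_case 'get workspace' another-user denied GET "/api/workspaces/$ws"
  run_case 'find dashboards' admin allowed GET \
    "/api/saved_objects/_find?workspaces=$ws&type=dashboard"
  run_case 'find dashboards' another-user denied GET \
    "/api/saved_objects/_find?workspaces=$ws&type=dashboard"
  run_case 'create dashboard' another-user denied POST /api/saved_objects/dashboard \
    "{\"attributes\":{\"title\":\"test-dashboard-admin\"},\"workspaces\":[\"$ws\"]}"
  run_case 'delete workspace' another-user denied DELETE "/api/workspaces/$ws"
  run_case 'delete workspace' admin allowed DELETE "/api/workspaces/$ws"
  [ "$FAILURES" -eq 0 ]
}

# Only touch the network when asked to: RUN_LIVE=1 sh matrix.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then run_matrix; fi
```
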


codecov bot commented Mar 6, 2024

Codecov Report

Attention: Patch coverage is 85.58952% with 33 lines in your changes missing coverage. Please review.

Project coverage is 67.49%. Comparing base (7352365) to head (e50b60c).
Report is 555 commits behind head on main.

Files with missing lines Patch % Lines
src/plugins/workspace/server/routes/index.ts 17.64% 14 Missing ⚠️
..._objects/workspace_saved_objects_client_wrapper.ts 92.64% 3 Missing and 7 partials ⚠️
src/plugins/workspace/server/plugin.ts 72.72% 2 Missing and 1 partial ⚠️
src/plugins/workspace/server/workspace_client.ts 0.00% 3 Missing ⚠️
src/plugins/workspace/server/utils.ts 86.66% 0 Missing and 2 partials ⚠️
...gins/workspace/server/permission_control/client.ts 96.77% 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6052      +/-   ##
==========================================
- Coverage   67.50%   67.49%   -0.01%     
==========================================
  Files        3370     3376       +6     
  Lines       65467    65783     +316     
  Branches    10564    10637      +73     
==========================================
+ Hits        44192    44401     +209     
- Misses      18700    18798      +98     
- Partials     2575     2584       +9     
Flag Coverage Δ
Linux_1 32.60% <78.60%> (+0.42%) ⬆️
Linux_2 55.60% <100.00%> (+0.02%) ⬆️
Linux_3 44.81% <0.00%> (-0.12%) ⬇️
Linux_4 35.04% <0.00%> (-0.08%) ⬇️
Windows_1 32.62% <78.60%> (+0.39%) ⬆️
Windows_2 55.57% <100.00%> (+0.02%) ⬆️
Windows_3 44.83% <0.00%> (-0.12%) ⬇️
Windows_4 35.04% <0.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.


@ashwin-pc
Member

@wanglam How can I validate this change? Can you add testing instructions to the PR description? It makes reviewing PRs a lot easier.

@wanglam
Contributor Author

wanglam commented Mar 7, 2024

@wanglam How can I validate this change? Can you add testing instructions to the PR description? It makes reviewing PRs a lot easier.

Hi Ashwin, I think we can follow the integration testing file (src/plugins/workspace/server/saved_objects/integration_tests/workspace_saved_objects_client_wrapper.test.ts) to do tests and validate this change. I will update the PR description later about how to call the workspace CRUD and saved objects APIs to manually validate all changes.

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>
@Flyingliuhub
Member

It seems this error isn't caused by the current PR. I've tested on the main branch and tried to create a workspace with the permissions property using devtools. It throws the same error. I've created an issue (#6314) to track this bug. It should be fixed in a future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

Thanks @wanglam, it seems that we need to comment out all the feature flags for opensearch_security., not only for opensearch_security.multitenancy.enabled

workspace.enabled: true

@Flyingliuhub I tried the same curl command in my local env (security dashboard plugin enabled), with the workspace feature flag enabled and savedObjects.permissions disabled. It works fine. curl command: image
I guess it may be because your code is not up to date. Could you please provide the commit id in your local env and try pulling the latest code to verify?

The commit which I used is that commit 76523f5 (HEAD -> feat-add-permission-control-for-workspace) Author: Lin Wang [email protected] Date: Fri Mar 22 01:52:10 2024 +0800

Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

It seems this error isn't caused by the current PR. I've tested on the main branch and tried to create a workspace with the permissions property using devtools. It throws the same error. I've created an issue (#6314) to track this bug. It should be fixed in a future PR. We can add opensearch_security.multitenancy.enabled: false to the opensearch_dashboards.yml to bypass this error.

I got the same issue when I commented out all the multitenancy flags. My configuration is as follows, with the security plugin enabled, and I pulled the latest commit from your PR as well.

server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [authorization, securitytenant]
workspace.enabled: true
savedObjects.permission.enabled: true
{"success":false,"error":"mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed: strict_dynamic_mapping_exception: [strict_dynamic_mapping_exception] Reason: mapping set to strict, dynamic introduction of [permissions] within [_doc] is not allowed"}
commit ee41fb5fb478783b70be9f5396e4d58d03353109 (HEAD -> feat-add-permission-control-for-workspace)
Merge: 94dafe5314 8810f08516
Author: Lin Wang <[email protected]>
Date:   Tue Apr 2 16:51:23 2024 +0800

    Merge remote-tracking branch 'origin/main' into feat-add-permission-control-for-workspace
    
    Signed-off-by: Lin Wang <[email protected]>

Flyingliuhub
Flyingliuhub previously approved these changes Apr 3, 2024
Member

@SuZhou-Joe SuZhou-Joe left a comment

LGTM

@wanglam
Contributor Author

wanglam commented Apr 3, 2024

The yarn start:security --no-base-path command will override the opensearch_security.multitenancy.enabled setting in opensearch_dashboards.yml. It will set multitenancy enabled to true even when false is used in opensearch_dashboards.yml. We can use yarn start --no-base-path instead to start the OSD server. Then multitenancy can be turned off, and the test can be run as expected.

@SuZhou-Joe SuZhou-Joe merged commit fb31b2d into opensearch-project:main Apr 3, 2024
70 checks passed
wanglam added a commit to wanglam/OpenSearch-Dashboards that referenced this pull request Apr 3, 2024
…ject#6052)

* Add permission control for workspace

Signed-off-by: Lin Wang <[email protected]>

* Add changelog for permission control in workspace

Signed-off-by: Lin Wang <[email protected]>

* Fix integration tests and remove no need type

Signed-off-by: Lin Wang <[email protected]>

* Update permission enabled for workspace CRUD integration tests

Signed-off-by: Lin Wang <[email protected]>

* Change back to config schema

Signed-off-by: Lin Wang <[email protected]>

* feat: do not append workspaces field when no workspaces present (#6)

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: authInfo destructure (#7)

* fix: authInfo destructure

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: unit test error

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* Fix permissions assign in attributes

Signed-off-by: Lin Wang <[email protected]>

* Remove deleteByWorkspace since not exists

Signed-off-by: Lin Wang <[email protected]>

* refactor: remove formatWorkspacePermissionModeToStringArray

Signed-off-by: Lin Wang <[email protected]>

* Remove current not used code

Signed-off-by: Lin Wang <[email protected]>

* Add missing unit tests for permission control

Signed-off-by: Lin Wang <[email protected]>

* Update workspaces API test describe

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests failed

Signed-off-by: Lin Wang <[email protected]>

* Address PR comments

Signed-off-by: Lin Wang <[email protected]>

* Store permissions when savedObjects.permissions.enabled

Signed-off-by: Lin Wang <[email protected]>

* Add permission control for deleteByWorkspace

Signed-off-by: Lin Wang <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests

Signed-off-by: Lin Wang <[email protected]>

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
Signed-off-by: Lin Wang <[email protected]>
raintygao pushed a commit to ruanyl/OpenSearch-Dashboards that referenced this pull request Apr 7, 2024
* [Workspace]Add permission control logic for workspace (opensearch-project#6052)

* Add permission control for workspace

Signed-off-by: Lin Wang <[email protected]>

* Add changelog for permission control in workspace

Signed-off-by: Lin Wang <[email protected]>

* Fix integration tests and remove no need type

Signed-off-by: Lin Wang <[email protected]>

* Update permission enabled for workspace CRUD integration tests

Signed-off-by: Lin Wang <[email protected]>

* Change back to config schema

Signed-off-by: Lin Wang <[email protected]>

* feat: do not append workspaces field when no workspaces present (#6)

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: authInfo destructure (#7)

* fix: authInfo destructure

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: unit test error

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* Fix permissions assign in attributes

Signed-off-by: Lin Wang <[email protected]>

* Remove deleteByWorkspace since not exists

Signed-off-by: Lin Wang <[email protected]>

* refactor: remove formatWorkspacePermissionModeToStringArray

Signed-off-by: Lin Wang <[email protected]>

* Remove current not used code

Signed-off-by: Lin Wang <[email protected]>

* Add missing unit tests for permission control

Signed-off-by: Lin Wang <[email protected]>

* Update workspaces API test describe

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests failed

Signed-off-by: Lin Wang <[email protected]>

* Address PR comments

Signed-off-by: Lin Wang <[email protected]>

* Store permissions when savedObjects.permissions.enabled

Signed-off-by: Lin Wang <[email protected]>

* Add permission control for deleteByWorkspace

Signed-off-by: Lin Wang <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests

Signed-off-by: Lin Wang <[email protected]>

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
Signed-off-by: Lin Wang <[email protected]>

* Convert permission settings in client side

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace list always render

Signed-off-by: Lin Wang <[email protected]>

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
@opensearch-trigger-bot
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-6052-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 fb31b2def6a6200425492d772a8d0b1bdfcbe132
# Push it to GitHub
git push --set-upstream origin backport/backport-6052-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-6052-to-2.x.

wanglam added a commit to wanglam/OpenSearch-Dashboards that referenced this pull request Apr 18, 2024
…ject#6052)

* Add permission control for workspace

Signed-off-by: Lin Wang <[email protected]>

* Add changelog for permission control in workspace

Signed-off-by: Lin Wang <[email protected]>

* Fix integration tests and remove no need type

Signed-off-by: Lin Wang <[email protected]>

* Update permission enabled for workspace CRUD integration tests

Signed-off-by: Lin Wang <[email protected]>

* Change back to config schema

Signed-off-by: Lin Wang <[email protected]>

* feat: do not append workspaces field when no workspaces present (#6)

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

* feat: do not append workspaces field when no workspaces present

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: authInfo destructure (#7)

* fix: authInfo destructure

Signed-off-by: SuZhou-Joe <[email protected]>

* fix: unit test error

Signed-off-by: SuZhou-Joe <[email protected]>

---------

Signed-off-by: SuZhou-Joe <[email protected]>

* Fix permissions assign in attributes

Signed-off-by: Lin Wang <[email protected]>

* Remove deleteByWorkspace since not exists

Signed-off-by: Lin Wang <[email protected]>

* refactor: remove formatWorkspacePermissionModeToStringArray

Signed-off-by: Lin Wang <[email protected]>

* Remove current not used code

Signed-off-by: Lin Wang <[email protected]>

* Add missing unit tests for permission control

Signed-off-by: Lin Wang <[email protected]>

* Update workspaces API test describe

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests failed

Signed-off-by: Lin Wang <[email protected]>

* Address PR comments

Signed-off-by: Lin Wang <[email protected]>

* Store permissions when savedObjects.permissions.enabled

Signed-off-by: Lin Wang <[email protected]>

* Add permission control for deleteByWorkspace

Signed-off-by: Lin Wang <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Update src/plugins/workspace/server/permission_control/client.ts

Signed-off-by: SuZhou-Joe <[email protected]>

* Refactor permissions field in workspace create and update API

Signed-off-by: Lin Wang <[email protected]>

* Fix workspace CRUD API integration tests

Signed-off-by: Lin Wang <[email protected]>

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
wanglam added a commit to wanglam/OpenSearch-Dashboards that referenced this pull request Apr 18, 2024
…ject#6052)
SuZhou-Joe added a commit that referenced this pull request Apr 19, 2024
* Add permission control for workspace

* Add changelog for permission control in workspace

* Fix integration tests and remove no need type

* Update permission enabled for workspace CRUD integration tests

* Change back to config schema

* feat: do not append workspaces field when no workspaces present (#6)

* feat: do not append workspaces field when no workspaces present

* feat: do not append workspaces field when no workspaces present

---------

* fix: authInfo destructure (#7)

* fix: authInfo destructure

* fix: unit test error

---------

* Fix permissions assign in attributes

* Remove deleteByWorkspace since not exists

* refactor: remove formatWorkspacePermissionModeToStringArray

* Remove current not used code

* Add missing unit tests for permission control

* Update workspaces API test describe

* Fix workspace CRUD API integration tests failed

* Address PR comments

* Store permissions when savedObjects.permissions.enabled

* Add permission control for deleteByWorkspace

* Update src/plugins/workspace/server/permission_control/client.ts

* Update src/plugins/workspace/server/permission_control/client.ts

* Refactor permissions field in workspace create and update API

* Fix workspace CRUD API integration tests

---------

Signed-off-by: Lin Wang <[email protected]>
Signed-off-by: SuZhou-Joe <[email protected]>
Co-authored-by: SuZhou-Joe <[email protected]>
Co-authored-by: ZilongX <[email protected]>