diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java index 1c19be1af757d..9b91d4cea5cfb 100644 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java +++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permission.java @@ -21,17 +21,16 @@ abstract class Permission { // If using string-object permissions, you use the invalid characters for ensuring formatting String[] INVALID_CHARACTERS; - // An array of the valid operations which a permission can grant the privilege to perform. - String[] QUALIFIED_OPERATIONS; + // An array of the valid actions which a permission can grant the privilege to perform. + String[] QUALIFIED_ACTIONS; - // An array of the available resources which a permission can grant some operation to act upon. + // An array of the available resources which a permission can grant some action to act upon. String[] QUALIFIED_RESOURCES; String permissionString; - // Every permissionString must be resolvable to its constituent parts: .. + // Every permissionString must be resolvable to its constituent parts: . // These are then stored separately to avoid costly String manipulation. - String principal; String resource; diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionHandler.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionHandler.java deleted file mode 100644 index 316a1c82b99d5..0000000000000 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionHandler.java +++ /dev/null @@ -1,55 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - */ - -package org.opensearch.authn; - -import java.util.ArrayList; - -/** - * This interface represents the abstract notion of a permission handler. A permission handler needs to be able to service the - * assignment and verification of permissions. - * - * @opensearch.experimental - */ -public interface PermissionHandler { - - // Currently have users --> roles --> permissions want user --> permissions but permissions should be stored elsewhere not directly with - // the user objects - // Do not need the higher level construct - // Want to be able to resolve users to a list of permission - // Multi-tenancy is like a private index -- not going to be considered for now. - // Each grant having an ID and have a table then the endpoint has the username and a permission -- this grant could end up as a document - // in an index - - /** - * This function grants an array of permission to a subject when provided a permission array and returns a grant identifier representing the permission - * grant event. It does so by adding the identifier and associated permissions to a permission storage data structure. A valid permission - * storage structure can be any structure that can hold generic or String-objects and which allows at least O(n) traversal as well as the keying of - * permissions by identifier strings. For example an OpenSearch index or for small modeling clusters, a HashMap in memory. - * - * A SQL-style database solution is possible by storing the identifier and then the separated components of the Permissions. - * - * A principal should never be able to grant a permission to itself and implementations should ensure that only valid - * and permitted Subjects are able to execute this operation. - */ - public String putPermissions(Permission[] permission); - - /** - * Returns a list of the permissions granted during a permission grant event. - * Requires that the grantIdentifier exist, should throw an error if none can be found. - * Invalid permission checks should be rejected. - */ - public ArrayList getPermissions(String grantIdentifier); - - /** - * This function in-place deletes all targeted permissions associated with a given permission grant event. - * This function should be implemented such that '*' means that all permissions associated with the grant event are deleted. - */ - public void deletePermissions(String permissionIdentifier, Permission[] permissions); - -} diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionManager.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionManager.java deleted file mode 100644 index 2e81efa44e9bb..0000000000000 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionManager.java +++ /dev/null @@ -1,86 +0,0 @@ -/* - * SPDX-License-Identifier: Apache-2.0 - * - * The OpenSearch Contributors require contributions made to - * this file be licensed under the Apache-2.0 license or a - * compatible open source license. - */ - -package org.opensearch.authn; - -import org.apache.commons.lang.RandomStringUtils; -import org.apache.logging.log4j.LogManager; -import org.apache.logging.log4j.Logger; - -import java.util.ArrayList; -import java.util.regex.Pattern; - -public class PermissionManager implements PermissionHandler { - - PermissionStorage permissionStorage = new PermissionStorage(); - - protected final Logger log = LogManager.getLogger(this.getClass()); - - /** - * This function takes a Permission array and adds it to permission storage. - * It returns a random ID corresponding to the permission grant event. - */ - @Override - public String putPermissions(Permission[] permissions) { - - ArrayList toGrant = new ArrayList<>(); - - // Check that the permissions are all valid and remove any that are invalid from the grant - for (Permission permission : permissions) { - - if (permission.isValidFormat()) { - toGrant.add(permission); - } - } - - // When a permission grant event occurs, a unique identifier should be returned as a reference; also usable for logging - String grantIdentifier = RandomStringUtils.randomAlphanumeric(32); - - permissionStorage.put(grantIdentifier, toGrant); - - log.debug("Permission grant event completed, grant identifier: ", grantIdentifier); - - return grantIdentifier; - } - - /** - * Return an ArrayList of all the permissions associated with a single permission grant event - */ - @Override - public ArrayList getPermissions(String grantIdentifier) { - - log.debug("Checking permissions from grant event: ", grantIdentifier); - return permissionStorage.get(grantIdentifier); - } - - /** - * Delete target permissions associated with a given permission grant event. - */ - @Override - public void deletePermissions(String grantIdentifier, Permission[] permissions) { - - permissionStorage.delete(grantIdentifier, permissions); - } - - /** - * Delete permissions based off of regex strings. - */ - public void deletePermissions(String grantIdentifier, String regex) { - - // TODO: There may be a better way to do this. - ArrayList grantedPermissions = permissionStorage.get(grantIdentifier); - ArrayList toDelete = new ArrayList<>(); - for (Permission permission : grantedPermissions) { - if (Pattern.matches(regex, permission.permissionString)) { - toDelete.add(permission); - } - } - Object[] toDeleteArray = toDelete.toArray(); - permissionStorage.delete(grantIdentifier, (Permission[]) toDeleteArray); - } -} diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStorage.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStorage.java index 913ec37eb6527..49e84e7843e3b 100644 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStorage.java +++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStorage.java @@ -19,30 +19,30 @@ public class PermissionStorage implements PermissionStore { public HashMap> permissionStore = new HashMap<>(); @Override - public void put(String eventIdentifier, ArrayList permissions) { + public void put(String principalString, ArrayList permissions) { - permissionStore.put(eventIdentifier, permissions); + permissionStore.put(principalString, permissions); } @Override - public ArrayList get(String eventIdentifier) { + public ArrayList get(String principalString) { - return permissionStore.get(eventIdentifier); + return permissionStore.get(principalString); } @Override - public void delete(String eventIdentifier, Permission[] permissions) { + public void delete(String principalString, Permission[] permissions) { for (Permission permission : permissions) { - permissionStore.remove(eventIdentifier, permission); + permissionStore.remove(principalString, permission); } } // Allow for using a String regex expression to delete an entire pair from the map. - public void delete(String eventIdentifier, String regex) { + public void delete(String principalString, String regex) { if (regex.equals("*")) { - permissionStore.remove(eventIdentifier); + permissionStore.remove(principalString); } } } diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStore.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStore.java index e1f5d8665f682..2f8a6874aedd7 100644 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStore.java +++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/PermissionStore.java @@ -25,23 +25,22 @@ public interface PermissionStore { /** - * This function adds a new grant permissions event to the permissions store. The eventIdentifier is a unique string that - * represents the event (it does not need to be encrypted and should not be deterministic unless time is a factor of the generation). - * The ArrayList is a list of all permissions that are being granted during the associated event and should be referencable - * by the eventIdentifier. + * This function adds a set of permissions to the permission store. The principalString is a unique string that + * corresponds to the subject which the permissions are being granted to. + * The ArrayList is a list of all permissions that are being granted. */ - public void put(String eventIdentifier, ArrayList permissions); + public void put(String principalString, ArrayList permissions); /** - * This function returns the ArrayList of permissions added to the permission store during the provided permission grant event. + * This function returns the ArrayList of permissions associated with the provided principalString. * If permissions are modified during storage they must be reverted back to their original state during get(). */ - public ArrayList get(String eventIdentifier); + public ArrayList get(String principalString); /** - * This function in-place deletes all targeted permissions associated with a given permission grant event. + * This function in-place deletes all targeted permissions associated with a given principalString. * This function should be implemented such that '*' means that all permissions associated with the grant event are deleted. */ - public void delete(String eventIdentifier, Permission[] permissions); + public void delete(String principalString, Permission[] permissions); } diff --git a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permissions.java b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permissions.java index 27464530d422f..96dad71f4aa0d 100644 --- a/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permissions.java +++ b/sandbox/libs/authn/src/main/java/org/opensearch/authn/Permissions.java @@ -31,7 +31,6 @@ public class Permissions extends Permission { public String[] permissionSegments; - public String principal; public String resource; public String action; @@ -41,15 +40,13 @@ public void Permission(String permission) { this.permissionString = permission; this.permissionSegments = permissionString.split(PERMISSION_DELIMITER); - this.principal = permissionSegments[0]; - this.resource = permissionSegments[1]; - this.action = permissionSegments[2]; + this.resource = permissionSegments[0]; + this.action = permissionSegments[1]; } /** * Check that the permission does not contain any forbidden strings. - * This set implementation does so in O(n). - * Assumes that the permission is formatted as .. + * Assumes that the permission is formatted as . * The principal should already be verified before the permission is created. */ @Override @@ -57,9 +54,7 @@ public boolean isValidFormat() { // Check for illegal characters in any of the permission segments O(3n) for (int i = 0; i < INVALID_CHARACTERS.length; i++) { - if (this.principal.contains(INVALID_CHARACTERS[i]) - || this.resource.contains(INVALID_CHARACTERS[i]) - || this.action.contains(INVALID_CHARACTERS[i])) { + if (this.resource.contains(INVALID_CHARACTERS[i]) || this.action.contains(INVALID_CHARACTERS[i])) { return false; } }