[Feature/Identity] Basic permissions checking from Subject #5089
Conversation
Gradle Check (Jenkins) Run Completed with:
|
peternied
changed the title
| private final String[] permissionChunks; | ||
|
|
||
| public Permission(final String permission) { | ||
| this.permissionChunks = permission.split("\\."); |
There was a problem hiding this comment.
Can this be made into a constant. wdyt about PERMISSION_DELIMITER?
There was a problem hiding this comment.
We should create another constructor, which accepts delimiter as an argument.
There was a problem hiding this comment.
These permissions should have a consistent format, following @cwperks suggestion
server/src/main/java/org/opensearch/action/admin/indices/create/CreateIndexAction.java
Outdated
Show resolved
Hide resolved
sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
Outdated
Show resolved
Hide resolved
| @Override | ||
| public List<String> requiredPermissions() { | ||
| return List.of( | ||
| "opensearch.engine.index.create", |
There was a problem hiding this comment.
This is a good place to start and should be expandable to index patterns. Are you thinking that all permissions in core be preceded with opensearch.engine and there will be a separate convention for actions added by plug-ins or modules?
There was a problem hiding this comment.
For this specific request when it comes to indexing, its clearly part of the core/engine, or maybe the prefix should just be opensearch.indexing.index.create. Maybe of the nature [Source].[Category].[Object].[Action]?
I don't plan on iterating on this name for this pull request and we will need to follow up in the broader vNext permissions conversation.
There was a problem hiding this comment.
Should these be loaded from a file or some other store? (Could be part of next iteration)
There was a problem hiding this comment.
I looked into the relationship between permissions and actions and there is no good mechanism
to engage with actions in a way that produces a list of permissions.
Exploring the ActionModule there is a common system to register actions however this registration doesn't pass all of the information about action execution, it passes a limited version.
What I would recommend would be creating a new description for action related data that encompasses the action type, action request, action response, and the action handler. Building this into or around the ActionModule seems appropriate but this will need to be rolled out over time since it would be backwards incompatible to plugins. This is a good follow up item.
| this.permissionChunks = permission.split("\\."); | ||
| } | ||
|
|
||
| public boolean matches(final String permissionRequired) { |
There was a problem hiding this comment.
seems like we can leverage equals method here. Thoughts?
There was a problem hiding this comment.
A user might have a grant represented as opensearch.indexing.index, and the checked permission will be opensearch.indexing.index.create. This isn't an equality check, but a check if the permission grant matches the permission checked.
As I'm writing this out, it might make sense to create different objects to represent the grant vs the permission them selves - I'll revisit this
| private final String[] permissionChunks; | ||
|
|
||
| public Permission(final String permission) { | ||
| this.permissionChunks = permission.split("\\."); |
There was a problem hiding this comment.
We should create another constructor, which accepts delimiter as an argument.
sandbox/libs/authn/src/main/java/org/opensearch/authn/Subject.java
Outdated
Show resolved
Hide resolved
| @Override | ||
| public List<String> requiredPermissions() { | ||
| return List.of( | ||
| "opensearch.engine.index.create", |
There was a problem hiding this comment.
Should these be loaded from a file or some other store? (Could be part of next iteration)
| if (unauthorizedException != null) { | ||
| listener.onFailure(unauthorizedException); | ||
| return; | ||
| } |
server/src/main/java/org/opensearch/identity/noop/NoopSubject.java
Outdated
Show resolved
Hide resolved
Adds capability for subject to check if a permission is allowed or not and creates a mechanism for actions to describe the permissinos associated with them. Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
peternied
force-pushed
the
check-permissions
branch
from
014adb4
to
ba6f5cb
Compare
peternied
requested review from
anasalkouz,
andrross,
Bukhtawar,
CEHENKLE,
dblock,
gbbafna,
setiah,
kartg,
kotwanikunal,
mch2,
nknize,
owaiskazi19,
adnapibar,
Rishikesh1159,
ryanbogan,
saratvemulapalli,
shwetathareja,
dreamer-89,
tlfeng,
VachaShah and
xuezhou25
as code owners
Signed-off-by: Peter Nied <[email protected]>
Signed-off-by: Peter Nied <[email protected]>
| try { | ||
| this.permissionChunks = permission.split(PERMISSION_DELIMITER); | ||
| } catch (Exception) { | ||
| throw new InvalidPermissionName(permission); | ||
| } |
There was a problem hiding this comment.
This change is related to the change suggestion below for checkIsValid method
| try { | |
| this.permissionChunks = permission.split(PERMISSION_DELIMITER); | |
| } catch (Exception) { | |
| throw new InvalidPermissionName(permission); | |
| } | |
| this.permissionChunks = splitIntoChunks(permission); |
There was a problem hiding this comment.
I did this to throw the specific type of exception rather than having a 'string' format issue be seen
There was a problem hiding this comment.
okay, i was thinking it from reusability side of things. Maybe we can change definition of the constructor and the splitIntoChunks throws InvalidPermissionException. Thoughts?
| public static void checkIsValid(final String permission) { | ||
| new Permission(permission); | ||
| } |
There was a problem hiding this comment.
We can introduce following for re-usability, instead of creating a new unused object everytime this method is called
| public static void checkIsValid(final String permission) { | |
| new Permission(permission); | |
| } | |
| private static String[] splitIntoChunks(final String permission){ | |
| try { | |
| return permission.split(PERMISSION_DELIMITER); | |
| } catch (Exception) { | |
| throw new InvalidPermissionName(permission); | |
| } | |
| } | |
| public static void checkIsValid(final String permission) { | |
| splitIntoChunks(permission); | |
| } |
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
Signed-off-by: Peter Nied <[email protected]>
Gradle Check (Jenkins) Run Completed with:
|
|
@cwperks already has trail blazed in this space #6029 @scrawfor99 this is a good reference for a rudimentary permission checking as applied in OpenSearch, Craig's PR above is a a way to see how shiro integration could handle some of that logic. I think we will need a blending of this and your changes we good forward |
Description
Adds capability for subject to check if a permission is allowed or not and creates a mechanism for actions to describe the permissions associated with them.
Issues Resolved
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.