[Backport 2.x] Adds Multiple Datasources Support for Security Dashboa…
…rds Plugin (#1888) (#1911)

Signed-off-by: Darshit Chanpura <[email protected]>
Signed-off-by: Derek Ho <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>
Co-authored-by: Darshit Chanpura <[email protected]>
3 people authored Apr 26, 2024
1 parent 8082705 commit 54f9b35
Showing 88 changed files with 3,342 additions and 535 deletions.
28 changes: 6 additions & 22 deletions .github/actions/download-plugin/action.yml
Expand Up @@ -14,6 +14,10 @@ inputs:
description: 'The version of security plugin that should be used, e.g "2.6.0.0"'
required: true

download-location:
description: 'The location of where to download the plugin'
required: true

runs:
using: "composite"
steps:
Expand All @@ -22,26 +26,6 @@ runs:
-DremoteRepositories=https://aws.oss.sonatype.org/content/repositories/snapshots/ \
-Dartifact=org.opensearch.plugin:${{ inputs.plugin-name }}:${{ inputs.plugin-version }}-SNAPSHOT:zip \
-Dtransitive=false \
-Ddest=${{ inputs.plugin-name }}.zip
-Ddest=${{ inputs.download-location }}.zip
shell: bash
- name: Create Setup Script for Linux
if: ${{ runner.os == 'Linux' }}
run: |
cat > setup.sh <<'EOF'
chmod +x ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh
/bin/bash -c "yes | ./opensearch-${{ inputs.opensearch-version}}-SNAPSHOT/plugins/${{ inputs.plugin-name }}/tools/install_demo_configuration.sh -t"
echo "plugins.security.unsupported.restapi.allow_securityconfig_modification: true" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
echo "cluster.routing.allocation.disk.threshold_enabled: false" >> ./opensearch-${{ inputs.opensearch-version }}-SNAPSHOT/config/opensearch.yml
EOF
shell: bash

- name: Create Setup Script for Windows
if: ${{ runner.os == 'Windows' }}
run: |
New-Item .\setup.bat -type file
Set-Content .\setup.bat -Value "powershell.exe -noexit -command `".\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\plugins\${{ inputs.plugin-name }}\tools\install_demo_configuration.bat -y -i -c -t`""
Add-Content -Path .\setup.bat -Value "echo plugins.security.unsupported.restapi.allow_securityconfig_modification: true >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
Add-Content -Path .\setup.bat -Value "echo cluster.routing.allocation.disk.threshold_enabled: false >> .\opensearch-${{ inputs.opensearch-version}}-SNAPSHOT\config\opensearch.yml"
Get-Content .\setup.bat
shell: pwsh
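Review bot: In the download step, `-Ddest=${{ inputs.download-location }}.zip` splices the new input into the bash script text before the shell parses it, unquoted, so a value containing spaces or shell metacharacters changes the command rather than the file name. Passing it through the step environment keeps it data: add `env:` with `DOWNLOAD_LOCATION: ${{ inputs.download-location }}` and use `-Ddest="${DOWNLOAD_LOCATION}.zip"`. The input's description would also be more accurate as `'Path of the downloaded plugin archive, without the .zip extension'`, since the step appends `.zip` itself. The step's opening lines are outside the hunk.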
16 changes: 10 additions & 6 deletions .github/actions/run-cypress-tests/action.yml
Expand Up @@ -34,6 +34,7 @@ runs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with A Single Plugin
uses: derek-ho/start-opensearch@v2
Expand Down Expand Up @@ -62,7 +63,7 @@ runs:
if: ${{ runner.os == 'Linux' }}
run: |
cd ./OpenSearch-Dashboards
nohup yarn start --no-base-path --no-watch | tee dashboard.log &
nohup yarn start --no-base-path --no-watch --csp.warnLegacyBrowsers=false | tee dashboard.log &
shell: bash

# Check if OSD is ready with a max timeout of 600 seconds
Expand All @@ -84,8 +85,11 @@ runs:
done
shell: bash

- name: Run Cypress
run : |
yarn add cypress --save-dev
eval ${{ inputs.yarn_command }}
shell: bash
- name: Run Cypress Tests with retry
uses: Wandalen/[email protected]
with:
attempt_limit: 5
attempt_delay: 2000
command: |
yarn add cypress --save-dev
eval ${{ inputs.yarn_command }}
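Review bot: The new `Run Cypress Tests with retry` step hands the test command to a third-party action referenced by a version tag, which the action's owner can move; pinning the reference to a full commit SHA, `uses: Wandalen/wretry.action@<full-commit-sha>` (placeholder), keeps what runs here reviewable. The `command:` block still runs `eval ${{ inputs.yarn_command }}`, where the input is expanded into the script text before any shell sees it, so the input's description should state that callers pass only fixed, repository-controlled strings. With `attempt_limit: 5`, `yarn add cypress --save-dev` is also re-run on every attempt and a spec that fails four times still reports success, which makes flaky tests harder to notice.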
49 changes: 49 additions & 0 deletions .github/workflows/cypress-test-multidatasources-disabled-e2e.yml
@@ -0,0 +1,49 @@
name: E2E multi datasources disabled workflow

on: [ push, pull_request ]

env:
OPENSEARCH_VERSION: '3.0.0'
CI: 1
# avoid warnings like "tput: No value for $TERM and no -T specified"
TERM: xterm
PLUGIN_NAME: opensearch-security
OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!

jobs:
tests:
name: Run Cypress multidatasources tests
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
runs-on: ${{ matrix.os }}

steps:
- name: Checkout Branch
uses: actions/checkout@v3

# Configure the Dashboard for multi datasources disabled (default)
- name: Create OpenSearch Dashboards Config
if: ${{ runner.os == 'Linux' }}
run: |
cat << 'EOT' > opensearch_dashboards_multidatasources.yml
server.host: "0.0.0.0"
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false
data_source.enabled: false
home.disableWelcomeScreen: true
EOT
- name: Run Cypress Tests
uses: ./.github/actions/run-cypress-tests
with:
dashboards_config_file: opensearch_dashboards_multidatasources.yml
yarn_command: 'yarn cypress:run --browser chrome --headless --env LOGIN_AS_ADMIN=true --spec "test/cypress/e2e/multi-datasources/multi_datasources_disabled.spec.js"'
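Review bot: The workflow declares no `permissions:` block, so on `push` and `pull_request` the job's `GITHUB_TOKEN` gets whatever the repository default is, while the steps shown only need to read the checkout; adding a top-level `permissions:` with `contents: read` makes that explicit. The same applies to cypress-test-multidatasources-enabled-e2e.yml. The generated Dashboards config here also binds `server.host: "0.0.0.0"` while the enabled workflow uses `"localhost"`; unless something outside the visible steps needs the wider bind, `server.host: "localhost"` would be the consistent choice. A one-line comment above the heredoc saying that `opensearch.ssl.verificationMode: none` and `opensearch_security.cookie.secure: false` are for the throwaway CI cluster only would keep the file from being copied as a template.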
109 changes: 109 additions & 0 deletions .github/workflows/cypress-test-multidatasources-enabled-e2e.yml
@@ -0,0 +1,109 @@
name: E2E multi datasources enabled workflow

on: [ push, pull_request ]

env:
OPENSEARCH_VERSION: '3.0.0'
CI: 1
# avoid warnings like "tput: No value for $TERM and no -T specified"
TERM: xterm
PLUGIN_NAME: opensearch-security
OPENSEARCH_INITIAL_ADMIN_PASSWORD: myStrongPassword123!

jobs:
tests:
name: Run Cypress multidatasources tests
strategy:
fail-fast: false
matrix:
os: [ ubuntu-latest ]
runs-on: ${{ matrix.os }}

steps:
- name: Checkout Branch
uses: actions/checkout@v3

- name: Set env
run: |
opensearch_version=$(node -p "require('./package.json').opensearchDashboards.version")
plugin_version=$(node -p "require('./package.json').version")
echo "OPENSEARCH_VERSION=$opensearch_version" >> $GITHUB_ENV
echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
shell: bash

# Add Custom Configuration to differentiate between local and remote cluster
- name: Create Custom Configuration for Linux
if: ${{ runner.os == 'Linux'}}
run: |
echo "Creating new custom configuration"
cat << 'EOT' > config_custom.yml
---
_meta:
type: "config"
config_version: 2
config:
dynamic:
http:
anonymous_auth_enabled: false
authc:
basic_internal_auth_domain:
description: "Authenticate via HTTP Basic against internal users database"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
EOT
- name: Download security plugin and create setup scripts
uses: ./.github/actions/download-plugin
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{env.PLUGIN_NAME}}

- name: Run Opensearch with A Single Plugin
uses: derek-ho/start-opensearch@v4
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugins: "file:$(pwd)/opensearch-security.zip"
security-enabled: true
admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
security_config_file: config_custom.yml
port: 9202

- name: Check OpenSearch is running
# Verify that the server is operational
run: |
curl https://localhost:9202/_cat/plugins -v -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k
shell: bash

# Configure the Dashboard for multi datasources
- name: Create OpenSearch Dashboards Config
if: ${{ runner.os == 'Linux' }}
run: |
cat << 'EOT' > opensearch_dashboards_multidatasources.yml
server.host: "localhost"
opensearch.hosts: ["https://localhost:9200"]
opensearch.ssl.verificationMode: none
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: true
opensearch_security.multitenancy.tenants.preferred: ["Private", "Global"]
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
opensearch_security.cookie.secure: false
data_source.enabled: true
home.disableWelcomeScreen: true
data_source.ssl.verificationMode: none
EOT
- name: Run Cypress Tests
uses: ./.github/actions/run-cypress-tests
with:
dashboards_config_file: opensearch_dashboards_multidatasources.yml
yarn_command: 'yarn cypress:run --browser chrome --headless --env LOGIN_AS_ADMIN=true --spec "test/cypress/e2e/multi-datasources/multi_datasources_enabled.spec.js"'
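Review bot: The `Check OpenSearch is running` step expands `${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}` into the script text unquoted and runs curl with `-v`, which writes the request headers, including the Basic `Authorization` value, to the job log. The variable is already exported to the shell by the workflow-level `env:`, so `curl -sS -k -u "admin:${OPENSEARCH_INITIAL_ADMIN_PASSWORD}" https://localhost:9202/_cat/plugins` performs the same check without either problem. The password is a literal in this file today, so nothing secret is exposed, but the pattern carries over unchanged if the value is later moved to a secret. integration-test.yml adds the same curl line.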
1 change: 1 addition & 0 deletions .github/workflows/cypress-test-tenancy-disabled.yml
Expand Up @@ -44,6 +44,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
1 change: 1 addition & 0 deletions .github/workflows/cypress-test.yml
Expand Up @@ -44,6 +44,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
28 changes: 25 additions & 3 deletions .github/workflows/integration-test.yml
Expand Up @@ -16,8 +16,6 @@ jobs:
matrix:
os: [ ubuntu-latest , windows-latest ]
runs-on: ${{ matrix.os }}
env:
OPENSEARCH_INITIAL_ADMIN_PASSWORD: admin

steps:
- name: Checkout Branch
Expand All @@ -36,13 +34,37 @@ jobs:
echo "PLUGIN_VERSION=$plugin_version" >> $GITHUB_ENV
shell: bash

- name: Download security plugin and create setup scripts
- name: Download security plugin and create setup scripts for remote cluster
uses: ./.github/actions/download-plugin
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
download-location: ${{env.PLUGIN_NAME}}-${{ env.OPENSEARCH_VERSION }}
plugin-version: ${{ env.PLUGIN_VERSION }}

- name: Download security plugin and create setup scripts for local cluster
uses: ./.github/actions/download-plugin
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
download-location: ${{env.PLUGIN_NAME}}
plugin-version: ${{ env.PLUGIN_VERSION }}

- name: Run Opensearch with A Single Plugin Remote Cluster
uses: derek-ho/start-opensearch@v4
with:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugins: "file:$(pwd)/opensearch-security-${{ env.OPENSEARCH_VERSION }}.zip"
security-enabled: true
admin-password: ${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}
security_config_file: ${{ inputs.security_config_file }}
port: 9202

- name: Check OpenSearch remote is running
run: |
curl https://localhost:9202/_cat/plugins -v -u admin:${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }} -k
shell: bash

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
with:
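Review bot: The remote-cluster step sets `security_config_file: ${{ inputs.security_config_file }}`, but the `inputs` context is only populated for `workflow_call` and `workflow_dispatch` runs; if this workflow is triggered by push or pull_request (its `on:` block is outside the hunk), the expression evaluates to an empty string. The commit also removes the job-level `OPENSEARCH_INITIAL_ADMIN_PASSWORD: admin` while the new steps read `${{ env.OPENSEARCH_INITIAL_ADMIN_PASSWORD }}` for `admin-password:` and for `curl -u`, so unless the variable is defined at workflow level outside the visible lines, the remote cluster is started with an empty admin password. Either drop the `security_config_file:` line or point it at a file the job creates, and define the password once in the workflow's top-level `env:`.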
1 change: 1 addition & 0 deletions .github/workflows/verify-binary-installation.yml
Expand Up @@ -36,6 +36,7 @@ jobs:
opensearch-version: ${{ env.OPENSEARCH_VERSION }}
plugin-name: ${{ env.PLUGIN_NAME }}
plugin-version: ${{ env.PLUGIN_VERSION }}
download-location: ${{ env.PLUGIN_NAME }}

- name: Run Opensearch with security
uses: derek-ho/start-opensearch@v2
2 changes: 2 additions & 0 deletions common/index.ts
Expand Up @@ -56,6 +56,8 @@ export const MAX_INTEGER = 2147483647;
export const MAX_LENGTH_OF_COOKIE_BYTES = 4000;
export const ESTIMATED_IRON_COOKIE_OVERHEAD = 1.5;

export const LOCAL_CLUSTER_ID = '';

export enum AuthType {
BASIC = 'basicauth',
OPEN_ID = 'openid',
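Review bot: `LOCAL_CLUSTER_ID = ''` is exported with no comment saying what the empty string stands for. If, as the name suggests, it is the data source id meaning "no external data source selected", then a request whose id was dropped or never set looks the same as a deliberate local-cluster request, which matters for calls that write security configuration. I would add a doc comment such as `/** Data source id used for the local cluster (no external data source selected). */` and confirm that treating a missing id as local is the intended contract.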
4 changes: 4 additions & 0 deletions cypress.config.js
Expand Up @@ -31,5 +31,9 @@ module.exports = defineConfig({
openSearchUrl: 'https://localhost:9200',
adminUserName: 'admin',
adminPassword: 'myStrongPassword123!',
externalDataSourceAdminUserName: 'admin',
externalDataSourceAdminPassword: 'myStrongPassword123!',
externalDataSourceLabel: '9202',
externalDataSourceEndpoint: 'https://localhost:9202'
},
});
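Review bot: `externalDataSourceAdminPassword` repeats the literal that the new workflows set as `OPENSEARCH_INITIAL_ADMIN_PASSWORD`, so the value now lives in several files that have to be changed together. Reading it from the environment with the demo value as fallback, `externalDataSourceAdminPassword: process.env.OPENSEARCH_INITIAL_ADMIN_PASSWORD || 'myStrongPassword123!',`, keeps local runs working and lets CI own the value. A short comment that these are demo credentials for a throwaway test cluster would also help anyone reading the config on its own. The enclosing object starts outside the hunk.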
4 changes: 3 additions & 1 deletion opensearch_dashboards.json
Expand Up @@ -10,7 +10,9 @@
"savedObjectsManagement"
],
"optionalPlugins": [
"managementOverview"
"managementOverview",
"dataSource",
"dataSourceManagement"
],
"server": true,
"ui": true
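--- a/public/apps/account/utils.tsx
+++ b/public/apps/account/utils.tsx
@@ -16,20 +16,30 @@
 import { HttpStart } from 'opensearch-dashboards/public';
 import { API_AUTH_LOGOUT } from '../../../common';
 import { setShouldShowTenantPopup } from '../../utils/storage-utils';
-import { httpGet, httpGetWithIgnores, httpPost } from '../configuration/utils/request-utils';
 import { API_ENDPOINT_ACCOUNT_INFO } from './constants';
 import { AccountInfo } from './types';
+import { createLocalClusterRequestContext } from '../configuration/utils/request-utils';
 
 export function fetchAccountInfo(http: HttpStart): Promise<AccountInfo> {
-return httpGet(http, API_ENDPOINT_ACCOUNT_INFO);
+return createLocalClusterRequestContext().httpGet({
+http,
+url: API_ENDPOINT_ACCOUNT_INFO,
+});
 }
 
 export async function fetchAccountInfoSafe(http: HttpStart): Promise<AccountInfo | undefined> {
-return httpGetWithIgnores<AccountInfo>(http, API_ENDPOINT_ACCOUNT_INFO, [401]);
+return createLocalClusterRequestContext().httpGetWithIgnores<AccountInfo>({
+http,
+url: API_ENDPOINT_ACCOUNT_INFO,
+ignores: [401],
+});
 }
 
 export async function logout(http: HttpStart, logoutUrl?: string): Promise<void> {
-await httpPost(http, API_AUTH_LOGOUT);
+await createLocalClusterRequestContext().httpPost({
+http,
+url: API_AUTH_LOGOUT,
+});
 setShouldShowTenantPopup(null);
 // Clear everything in the sessionStorage since they can contain sensitive information
 sessionStorage.clear();
@@ -52,8 +62,12 @@ export async function updateNewPassword(
 newPassword: string,
 currentPassword: string
 ): Promise<void> {
-await httpPost(http, API_ENDPOINT_ACCOUNT_INFO, {
-password: newPassword,
-current_password: currentPassword,
+await createLocalClusterRequestContext().httpPost({
+http,
+url: API_ENDPOINT_ACCOUNT_INFO,
+body: {
+password: newPassword,
+current_password: currentPassword,
+},
 });
 }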
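Review bot: `fetchAccountInfo` calls `createLocalClusterRequestContext().httpGet({...})` without a type argument while `fetchAccountInfoSafe` passes `<AccountInfo>`; if `httpGet` is generic in the same way, `httpGet<AccountInfo>({ http, url: API_ENDPOINT_ACCOUNT_INFO })` keeps the declared `Promise<AccountInfo>` checked rather than taken from an untyped result. Nothing in the file says why these four helpers are pinned to the local cluster, and that is the security-relevant decision here: account lookup, logout and `updateNewPassword` presumably must never follow a user-selected data source. A comment above the import, for example `// Account and session calls always target the local cluster, never a selected data source.`, would record that for the next refactor. The signature of `updateNewPassword` starts outside the second hunk.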