Revert "backport cluster evaluation permissions #1885 to opendistro-1…

….11 (#1986)" This reverts commit ec80578. Signed-off-by: Rutuja Surve <[email protected]>
opensearch-project · Aug 10, 2022 · 51b83b2 · 51b83b2
1 parent ec80578
commit 51b83b2
Show file tree

Hide file tree

Showing 7 changed files with 3 additions and 259 deletions.
diff --git a/...n/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java b/...n/java/com/amazon/opendistroforelasticsearch/security/privileges/PrivilegesEvaluator.java
@@ -585,7 +585,6 @@ private Set<String> evaluateAdditionalIndexPermissions(final ActionRequest reque
     private static boolean isClusterPerm(String action0) {
         return  (    action0.startsWith("cluster:")
                 || action0.startsWith("indices:admin/template/")
-                || action0.startsWith("indices:admin/index_template/")
 
             || action0.startsWith(SearchScrollAction.NAME)
             || (action0.equals(BulkAction.NAME))

diff --git a/...n/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java b/...n/java/com/amazon/opendistroforelasticsearch/security/resolver/IndexResolverReplacer.java
@@ -46,7 +46,6 @@
 import java.util.regex.PatternSyntaxException;
 import java.util.stream.Collectors;
 
-import org.apache.commons.collections.keyvalue.MultiKey;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.elasticsearch.action.ActionRequest;
@@ -758,4 +757,4 @@ else if (RestoreSnapshotRequest.class.isInstance(localRequest)) {
     public void onDynamicConfigModelChanged(DynamicConfigModel dcm) {
         respectRequestIndicesOptions = dcm.isRespectRequestIndicesEnabled();
     }
-}
+}
diff --git a/.../amazon/opendistroforelasticsearch/security/IndexTemplateClusterPermissionsCheckTest.java b/.../amazon/opendistroforelasticsearch/security/IndexTemplateClusterPermissionsCheckTest.java
diff --git a/...test/java/com/amazon/opendistroforelasticsearch/security/test/helper/rest/RestHelper.java b/...test/java/com/amazon/opendistroforelasticsearch/security/test/helper/rest/RestHelper.java
@@ -37,16 +37,12 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
-import java.util.Scanner;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
 
 import javax.net.ssl.SSLContext;
 
-import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.commons.io.IOUtils;
 import org.apache.http.Header;
 import org.apache.http.HttpEntity;
@@ -75,11 +71,8 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import org.opensearch.security.DefaultObjectMapper;
-import org.opensearch.security.test.helper.cluster.ClusterInfo;
-import org.opensearch.security.test.helper.file.FileHelper;
-
-import static org.junit.jupiter.api.Assertions.fail;
+import com.amazon.opendistroforelasticsearch.security.test.helper.cluster.ClusterInfo;
+import com.amazon.opendistroforelasticsearch.security.test.helper.file.FileHelper;
 
 public class RestHelper {
 
@@ -349,74 +342,6 @@ public String toString() {
                     + ", statusReason=" + statusReason + "]";
         }
 
-        private static void findArrayAccessor(String input) {
-			final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]");
-			final Matcher m = r.matcher(input);
-			if(m.find()) {
-				System.out.println("'" + input + "'\t Name was: " + m.group(1) + ",\t index position: " + m.group(2));
-			} else {
-				System.out.println("'" + input + "'\t No Match");
-			}
-		}
-
-		/**
-		 * Given a json path with dots delimiated returns the object at the leaf
-		 */
-		public String findValueInJson(final String jsonDotPath) {
-			// Make sure its json / then parse it
-			if (!isJsonContentType()) {
-				fail("Response was expected to be JSON, body was: \n" + body);
-			}
-			JsonNode currentNode = null;
-			try {
-				currentNode = DefaultObjectMapper.readTree(body);
-			} catch (final Exception e) {
-				throw new RuntimeException(e);
-			}
-
-			// Break the path into parts, and scan into the json object
-			try (final Scanner jsonPathScanner = new Scanner(jsonDotPath).useDelimiter("\\.")) {
-				if (!jsonPathScanner.hasNext()) {
-					fail("Invalid json dot path '" + jsonDotPath + "', rewrite with '.' characters between path elements.");
-				}
-				do {
-					String pathEntry = jsonPathScanner.next();
-					// if pathEntry is an array lookup
-					int arrayEntryIdx = -1;
-
-					// Looks for an array-lookup pattern in the path
-					// e.g. root_cause[1] -> will match
-					// e.g. root_cause[2aasd] -> won't match
-					final Pattern r = Pattern.compile("(.+?)\\[(\\d+)\\]");
-					final Matcher m = r.matcher(pathEntry);
-					if(m.find()) {
-						pathEntry = m.group(1);
-						arrayEntryIdx = Integer.parseInt(m.group(2));
-					}
-
-					if (!currentNode.has(pathEntry)) {
-						fail("Unable to resolve '" + jsonDotPath + "', on path entry '" + pathEntry + "' from available fields " + currentNode.toPrettyString());
-					}
-					currentNode = currentNode.get(pathEntry);
-
-					// if it's an Array lookup we get the requested index item
-					if (arrayEntryIdx > -1) {
-						if(!currentNode.isArray()) {
-							fail("Unable to resolve '" + jsonDotPath + "', the '" + pathEntry + "' field is not an array " + currentNode.toPrettyString());
-						} else if (!currentNode.has(arrayEntryIdx)) {
-							fail("Unable to resolve '" + jsonDotPath + "', index '" + arrayEntryIdx + "' is out of bounds for array '" + pathEntry + "' \n" + currentNode.toPrettyString());
-						}
-						currentNode = currentNode.get(arrayEntryIdx);
-					}
-				} while (jsonPathScanner.hasNext());
-
-				if (!currentNode.isValueNode()) {
-					fail("Unexpected value note, index directly to the object to reference, object\n" + currentNode.toPrettyString());
-				}
-				return currentNode.asText();
-			}
-		}
-
 		private static HttpResponse from(Future<HttpResponse> future) {
 			try {
 				return future.get();

diff --git a/src/test/resources/internal_users.yml b/src/test/resources/internal_users.yml
@@ -338,10 +338,3 @@ hidden_test:
   hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
   opendistro_security_roles:
     - hidden_test
-sem-user:
-  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
-  #password is: nagilum
-sem-user2:
-  hash: $2a$12$n5nubfWATfQjSYHiWtUyeOxMIxFInUHOAx8VMmGmxFNPGpaBmeB.m
-  #password is: nagilum
-
diff --git a/src/test/resources/roles.yml b/src/test/resources/roles.yml
@@ -1072,80 +1072,8 @@ xyz_sr_reserved:
 hidden_test:
   cluster_permissions:
     - SGS_CLUSTER_COMPOSITE_OPS
-
-index_template_perm:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: []
-  index_permissions:
-    - index_patterns:
-        - "*"
-      allowed_actions:
-        - "indices:admin/index_template/*"
-
-data_stream_0:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: []
-  index_permissions:
-    - index_patterns:
-        - "*my-data-stream2*"
-      allowed_actions:
-        - "indices:admin/get"
-
-data_stream_1:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: [ "indices:admin/index_template/put" ]
-  index_permissions:
-    - index_patterns:
-        - "my-data-stream*"
-      allowed_actions:
-        - "indices:admin/data_stream/get"
-        - "indices:admin/data_stream/create"
-
-data_stream_2:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: []
   index_permissions:
     - index_patterns:
         - hidden_test_not_hidden
-      allowed_actions:
-        - "DATASTREAM_ALL"
-
-hidden_test:
-  cluster_permissions:
-  - SGS_CLUSTER_COMPOSITE_OPS
-  index_permissions:
-  - index_patterns:
-    - hidden_test_not_hidden
-    allowed_actions:
-    - "*"
-
-sem-role:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: [ "cluster_monitor", "indices:admin/index_template/put" ]
-  index_permissions:
-    - index_patterns:
-        - "sem*"
       allowed_actions:
         - "*"
-
-sem-role2:
-  reserved: true
-  hidden: false
-  description: "Migrated from v6 (all types mapped)"
-  cluster_permissions: [ "cluster_monitor" ]
-  index_permissions:
-    - index_patterns:
-        - "sem*"
-      allowed_actions:
-        - "indices:admin/index_template/put"
-
diff --git a/src/test/resources/roles_mapping.yml b/src/test/resources/roles_mapping.yml
@@ -388,39 +388,3 @@ xyz_sr_hidden:
 bulk_test_user_role:
   users:
     - "bulk_test_user"
-index_template_perm:
-  reserved: false
-  hidden: false
-  users:
-    - "ds1"
-data_stream_0:
-  reserved: false
-  hidden: false
-  users:
-    - "ds0"
-data_stream_1:
-  reserved: false
-  hidden: false
-  users:
-    - "ds1"
-data_stream_2:
-  reserved: false
-  hidden: false
-  users:
-    - "ds2"
-data_stream_3:
-  reserved: false
-  hidden: false
-  users:
-    - "ds3"
-sem-role:
-  reserved: false
-  hidden: false
-  users:
-    - "sem-user"
-sem-role2:
-  reserved: false
-  hidden: false
-  users:
-    - "sem-user2"
-