Renamed non-inclusive language #1560

20 changes: 10 additions & 10 deletions securityconfig/whitelist.yml → securityconfig/allowlist.yml
@@ -1,23 +1,23 @@
---
_meta:
type: "whitelist"
type: "allowlist"
config_version: 2

# Description:
# enabled - feature flag.
# if enabled is false, the whitelisting feature is removed.
# This is like removing the check that checks if an API is whitelisted.
# This is equivalent to continuing with the usual access control checks, and removing all the code that implements whitelisting.
# if enabled is false, the allowlist feature is removed.
# This is like removing the check that checks if an API is allowlisted.
# This is equivalent to continuing with the usual access control checks, and removing all the code that implements allowlisting.
# if enabled is true, then all users except SuperAdmin can access only the APIs in requests
# SuperAdmin can access all APIs.
# SuperAdmin is defined by the SuperAdmin certificate, which is configured in the opensearch.yml setting: plugins.security.authcz.admin_dn:
# Refer to the example setting in opensearch.yml.example, and the opendistro documentation to know more about configuring SuperAdmin.
#
# requests - map of whitelisted endpoints, and the whitelisted HTTP requests for those endpoints
# requests - map of allowlisted endpoints, and the allowlisted HTTP requests for those endpoints

# Examples showing how to configure this yml file (make sure the _meta data from above is also there):
# Example 1:
# To enable whitelisting and whitelist GET /_cluster/settings
# To enable allowlisting and allowlist GET /_cluster/settings
#
#config:
# enabled: true
Expand All @@ -26,7 +26,7 @@ _meta:
# - GET
#
# Example 2:
# If you want to whitelist multiple request methods for /_cluster/settings (GET,PUT):
# If you want to allowlist multiple request methods for /_cluster/settings (GET,PUT):
#
#config:
# enabled: true
Expand All @@ -36,7 +36,7 @@ _meta:
# - PUT
#
# Example 3:
# If you want to whitelist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards:
# If you want to allowlist other APIs as well, for example GET /_cat/nodes, and GET /_cat/shards:
#
#config:
# enabled: true
Expand All @@ -50,13 +50,13 @@ _meta:
# - GET
#
# Example 4:
# If you want to disable the whitelisting feature, set enabled to false.
# If you want to disable the allowlisting feature, set enabled to false.
# enabled: false
# requests:
# /_cluster/settings:
# - GET
#
#At this point, all APIs become whitelisted because the feature to whitelist is off, so requests is irrelevant.
#At this point, all APIs become allowlisted because the feature to allowlist is off, so requests is irrelevant.


#this name must be config
4 changes: 2 additions & 2 deletions securityconfig/opensearch.yml.example
Expand Up @@ -22,11 +22,11 @@ plugins.security.nodes_dn:
- "CN=node.other.com, OU=SSL, O=Test, L=Test, C=DE"

# The nodes_dn_dynamic_config_enabled settings is geared towards cross_cluster usecases where there is a need to
# manage the whitelisted nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
# manage the allowlist nodes_dn without having to restart the nodes everytime a new cross_cluster remote is configured
# Setting nodes_dn_dynamic_config_enabled to true enables **super-admin callable** /_opendistro/_security/api/nodesdn APIs
# which provide means to update/retrieve nodesdn dynamically.
#
# NOTE: The overall whitelisted nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
# NOTE: The overall allowlist nodes_dn evaluated comes from both the plugins.security.nodes_dn and the ones stored
# in security index.
# (default: false)
# NOTE2: This setting only has effect if 'plugins.security.cert.intercluster_request_evaluator_class' is not set.
8 changes: 4 additions & 4 deletions src/main/java/com/amazon/dlic/auth/ldap/LdapUser.java
Expand Up @@ -34,12 +34,12 @@ public class LdapUser extends User {
private final String originalUsername;

public LdapUser(final String name, String originalUsername, final LdapEntry userEntry,
final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) {
final AuthCredentials credentials, int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) {
super(name, null, credentials);
this.originalUsername = originalUsername;
this.userEntry = userEntry;
Map<String, String> attributes = getCustomAttributesMap();
attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher));
attributes.putAll(extractLdapAttributes(originalUsername, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
}

/**
Expand All @@ -60,7 +60,7 @@ public String getOriginalUsername() {
}

public static Map<String, String> extractLdapAttributes(String originalUsername, final LdapEntry userEntry,
int customAttrMaxValueLen, WildcardMatcher whitelistedCustomLdapAttrMatcher) {
int customAttrMaxValueLen, WildcardMatcher allowlistedCustomLdapAttrMatcher) {
Map<String, String> attributes = new HashMap<>();
attributes.put("ldap.original.username", originalUsername);
attributes.put("ldap.dn", userEntry.getDn());
Expand All @@ -72,7 +72,7 @@ public static Map<String, String> extractLdapAttributes(String originalUsername,
// only consider attributes which are not binary and where its value is not
// longer than customAttrMaxValueLen characters
if (val != null && val.length() > 0 && val.length() <= customAttrMaxValueLen) {
if (whitelistedCustomLdapAttrMatcher.test(attr.getName())) {
if (allowlistedCustomLdapAttrMatcher.test(attr.getName())) {
attributes.put("attr.ldap." + attr.getName(), val);
}
}
Expand Up @@ -59,15 +59,15 @@ public class LDAPAuthenticationBackend implements AuthenticationBackend {
private final Path configPath;
private final List<Map.Entry<String, Settings>> userBaseSettings;
private final int customAttrMaxValueLen;
private final WildcardMatcher whitelistedCustomLdapAttrMatcher;
private final WildcardMatcher allowlistedCustomLdapAttrMatcher;

public LDAPAuthenticationBackend(final Settings settings, final Path configPath) {
this.settings = settings;
this.configPath = configPath;
this.userBaseSettings = getUserBaseSettings(settings);

customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36);
whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST,
allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST,
Collections.singletonList("*")));
}

Expand Down Expand Up @@ -127,9 +127,9 @@ public User authenticate(final AuthCredentials credentials) throws OpenSearchSec

// by default all ldap attributes which are not binary and with a max value
// length of 36 are included in the user object
// if the whitelist contains at least one value then all attributes will be
// additional check if whitelisted (whitelist can contain wildcard and regex)
return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher);
// if the allowlist contains at least one value then all attributes will be
// additional check if allowlisted (allowlist can contain wildcard and regex)
return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher);

} catch (final Exception e) {
if (log.isDebugEnabled()) {
Expand Down Expand Up @@ -164,7 +164,7 @@ public boolean exists(final User user) {
boolean exists = userEntry != null;

if(exists) {
user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher));
user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
}

return exists;
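Review bot: Renaming the settings key read in the constructor at `settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST, ...)` means an existing `custom_attr_whitelist` entry is no longer consulted, and the fallback `Collections.singletonList("*")` then admits every non-binary attribute under the length limit into the user object, so a deployment that restricted LDAP attributes silently becomes permissive after upgrade. A one-release fallback keeps the old key honoured: `allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST,` / `settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST, Collections.singletonList("*"))));`, with the old constant retained as `@Deprecated` and a warning logged when only the old key is set. The same point applies to the ConfigConstants hunk and to the LDAPAuthenticationBackend2 constructor further down.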
Expand Up @@ -76,7 +76,7 @@ public final class ConfigConstants {

// custom attributes
public static final String LDAP_CUSTOM_ATTR_MAXVAL_LEN = "custom_attr_maxval_len";
public static final String LDAP_CUSTOM_ATTR_WHITELIST = "custom_attr_whitelist";
public static final String LDAP_CUSTOM_ATTR_ALLOWLIST = "custom_attr_allowlist";

public static final String LDAP_CONNECTION_STRATEGY = "connection_strategy";

Expand Up @@ -60,7 +60,7 @@ public class LDAPAuthenticationBackend2 implements AuthenticationBackend, Destro
private ConnectionFactory authConnectionFactory;
private LDAPUserSearcher userSearcher;
private final int customAttrMaxValueLen;
private final WildcardMatcher whitelistedCustomLdapAttrMatcher;
private final WildcardMatcher allowlistedCustomLdapAttrMatcher;

public LDAPAuthenticationBackend2(final Settings settings, final Path configPath) throws SSLConfigException {
this.settings = settings;
Expand All @@ -79,7 +79,7 @@ public LDAPAuthenticationBackend2(final Settings settings, final Path configPath

this.userSearcher = new LDAPUserSearcher(settings);
customAttrMaxValueLen = settings.getAsInt(ConfigConstants.LDAP_CUSTOM_ATTR_MAXVAL_LEN, 36);
whitelistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_WHITELIST,
allowlistedCustomLdapAttrMatcher = WildcardMatcher.from(settings.getAsList(ConfigConstants.LDAP_CUSTOM_ATTR_ALLOWLIST,
Collections.singletonList("*")));
}

Expand Down Expand Up @@ -161,9 +161,9 @@ private User authenticate0(final AuthCredentials credentials) throws OpenSearchS

// by default all ldap attributes which are not binary and with a max value
// length of 36 are included in the user object
// if the whitelist contains at least one value then all attributes will be
// additional check if whitelisted (whitelist can contain wildcard and regex)
return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher);
// if the allowlist contains at least one value then all attributes will be
// additional check if allowlisted (allowlist can contain wildcard and regex)
return new LdapUser(username, user, entry, credentials, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher);

} catch (final Exception e) {
if (log.isDebugEnabled()) {
Expand Down Expand Up @@ -217,7 +217,7 @@ private boolean exists0(final User user) {
boolean exists = userEntry != null;

if(exists) {
user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, whitelistedCustomLdapAttrMatcher));
user.addAttributes(LdapUser.extractLdapAttributes(userName, userEntry, customAttrMaxValueLen, allowlistedCustomLdapAttrMatcher));
}

return exists;
Expand Up @@ -148,8 +148,8 @@ public void noData(String id, String type) {

// Since NODESDN is newly introduced data-type applying for existing clusters as well, we make it backward compatible by returning valid empty
// SecurityDynamicConfiguration.
// Same idea for new setting WHITELIST
if (cType == CType.NODESDN || cType == CType.WHITELIST) {
// Same idea for new setting ALLOWLIST
if (cType == CType.NODESDN || cType == CType.ALLOWLIST) {
try {
SecurityDynamicConfiguration<?> empty = ConfigHelper.createEmptySdc(cType, ConfigurationRepository.getDefaultConfigVersion());
rs.put(cType, empty);
Expand Up @@ -144,7 +144,7 @@ public void run() {
}
final boolean populateEmptyIfFileMissing = true;
ConfigHelper.uploadFile(client, cd+"nodes_dn.yml", securityIndex, CType.NODESDN, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing);
ConfigHelper.uploadFile(client, cd + "whitelist.yml", securityIndex, CType.WHITELIST, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing);
ConfigHelper.uploadFile(client, cd + "allowlist.yml", securityIndex, CType.ALLOWLIST, DEFAULT_CONFIG_VERSION, populateEmptyIfFileMissing);

// audit.yml is not packaged by default
final String auditConfigPath = cd + "audit.yml";
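Review bot: The upload now looks for `cd + "allowlist.yml"` while `populateEmptyIfFileMissing` is true, so a config directory carried over from a previous release that still contains `whitelist.yml` is presumably seeded with an empty allowlist (the flag name suggests so) instead of the operator's existing rules, and nothing tells them the old file was ignored. Consider checking for `cd + "whitelist.yml"` when the new file is absent and logging a deprecation warning when it is used, so the rename cannot quietly drop configured restrictions. The enclosing `run()` method starts and ends outside the hunk.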
Expand Up @@ -21,7 +21,7 @@
import org.opensearch.security.configuration.AdminDNs;
import org.opensearch.security.configuration.ConfigurationRepository;
import org.opensearch.security.dlic.rest.validation.AbstractConfigurationValidator;
import org.opensearch.security.dlic.rest.validation.WhitelistValidator;
import org.opensearch.security.dlic.rest.validation.AllowlistValidator;
import org.opensearch.security.privileges.PrivilegesEvaluator;
import org.opensearch.security.securityconf.impl.CType;
import org.opensearch.security.securityconf.impl.SecurityDynamicConfiguration;
Expand All @@ -48,34 +48,34 @@
import static org.opensearch.security.dlic.rest.support.Utils.addRoutesPrefix;

/**
* This class implements GET and PUT operations to manage dynamic WhitelistingSettings.
* This class implements GET and PUT operations to manage dynamic AllowlistingSettings.
* <p>
* These APIs are only accessible to SuperAdmin since the configuration controls what APIs are accessible by normal users.
* Eg: If whitelisting is enabled, and a specific API like "/_cat/nodes" is not whitelisted, then only the SuperAdmin can use "/_cat/nodes"
* These APIs allow the SuperAdmin to enable/disable whitelisting, and also change the list of whitelisted APIs.
* Eg: If allowlisting is enabled, and a specific API like "/_cat/nodes" is not allowlisted, then only the SuperAdmin can use "/_cat/nodes"
* These APIs allow the SuperAdmin to enable/disable allowlisting, and also change the list of allowlisted APIs.
* <p>
* A SuperAdmin is identified by a certificate which represents a distinguished name(DN).
* SuperAdmin DN's can be set in {@link ConfigConstants#SECURITY_AUTHCZ_ADMIN_DN}
* SuperAdmin certificate for the default superuser is stored as a kirk.pem file in config folder of OpenSearch
* <p>
* Example calling the PUT API as SuperAdmin using curl (if http basic auth is on):
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPUT https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’
* {
* "enabled" : false,
* "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]}
* "requests" : {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/allowlist": ["GET"]}
* }
*
* Example using the PATCH API to change the requests as SuperAdmin:
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’
* {
* "op":"replace",
* "path":"/config/requests",
* "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/whitelist": ["GET"]}
* "value": {"/_cat/nodes": ["GET"], "/_opendistro/_security/api/allowlist": ["GET"]}
* }
*
* To update enabled, use the "add" operation instead of the "replace" operation, since boolean variables are not recognized as valid paths when they are false.
* eg:
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/whitelist -H "Content-Type: application/json" -d’
* curl -v --cacert path_to_config/root-ca.pem --cert path_to_config/kirk.pem --key path_to_config/kirk-key.pem -XPATCH https://localhost:9200/_opendistro/_security/api/allowlist -H "Content-Type: application/json" -d’
* {
* "op":"add",
* "path":"/config/enabled",
Expand All @@ -87,17 +87,17 @@
* be used to populate the index.
* <p>
*/
public class WhitelistApiAction extends PatchableResourceApiAction {
public class AllowlistApiAction extends PatchableResourceApiAction {
private static final List<Route> routes = addRoutesPrefix(ImmutableList.of(
new Route(RestRequest.Method.GET, "/whitelist"),
new Route(RestRequest.Method.PUT, "/whitelist"),
new Route(RestRequest.Method.PATCH, "/whitelist")
new Route(RestRequest.Method.GET, "/allowlist"),
new Route(RestRequest.Method.PUT, "/allowlist"),
new Route(RestRequest.Method.PATCH, "/allowlist")
));

private static final String name = "config";

@Inject
public WhitelistApiAction(final Settings settings, final Path configPath, final RestController controller, final Client client,
public AllowlistApiAction(final Settings settings, final Path configPath, final RestController controller, final Client client,
final AdminDNs adminDNs, final ConfigurationRepository cl, final ClusterService cs,
final PrincipalExtractor principalExtractor, final PrivilegesEvaluator evaluator, ThreadPool threadPool, AuditLog auditLog) {
super(settings, configPath, controller, client, adminDNs, cl, cs, principalExtractor, evaluator, threadPool, auditLog);
Expand Down Expand Up @@ -160,12 +160,12 @@ public List<Route> routes() {

@Override
protected Endpoint getEndpoint() {
return Endpoint.WHITELIST;
return Endpoint.ALLOWLIST;
}

@Override
protected AbstractConfigurationValidator getValidator(RestRequest request, BytesReference ref, Object... param) {
return new WhitelistValidator(request, ref, this.settings, param);
return new AllowlistValidator(request, ref, this.settings, param);
}

@Override
Expand All @@ -175,7 +175,7 @@ protected String getResourceName() {

@Override
protected CType getConfigName() {
return CType.WHITELIST;
return CType.ALLOWLIST;
}

}
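Review bot: The routes are switched to `/allowlist` with no alias for the previous `/whitelist` path, so automation and any stored allowlist `requests` entry that names `/_opendistro/_security/api/whitelist` (as the old Javadoc example did) stop matching after upgrade, and the class Javadoc does not mention the break. If a deprecation period is intended, keep the old routes next to the new ones — `new Route(RestRequest.Method.GET, "/whitelist"), new Route(RestRequest.Method.PUT, "/whitelist"), new Route(RestRequest.Method.PATCH, "/whitelist")` — and add a Javadoc sentence stating that `/whitelist` is deprecated and in which release it is removed. The constructor body and `routes()` continue outside the hunks shown.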
Expand Up @@ -30,6 +30,6 @@ public enum Endpoint {
TENANTS,
MIGRATE,
VALIDATE,
WHITELIST,
ALLOWLIST,
NODESDN;
}